Structures, Processes and Relational Mechanisms for IT Governance

Wim Van Grembergen
University of Antwerp, Belgium

Steven De Haes
University of Antwerp Management School, Belgium

Erik Guldentops
IT Governance Institute, USA

Copyright 2004, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.


In many organisations, Information Technology (IT) has become crucial in the support, the sustainability and the growth of the business. This pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT Governance. IT Governance consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategy and objectives. This introductory chapter records and interprets some important existing theories, models and practises in the IT Governance domain and aims to contribute to the understanding of IT Governance and its structures, processes and relational mechanisms.


Information Technology (IT) has become pervasive in current dynamic and often turbulent business environments. While in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries (Peterson, 2003; Duffy, 2002; Van Der Zee & De Jong, 1999). To emphasise this pervasiveness, Broadbent and Weill (1998) refer to three layers of the 'new infrastructure': local IT for business processes, firm IT infrastructure and public IT infrastructures (Figure 1).

Figure 1: The New Infrastructure

The Public Infrastructure (Figure 1) is the foundation of the New Infrastructure, which is in turn linked to external industry infrastructures such as the Internet, EDI networks, etc. This enables the business to communicate and do business with customers, suppliers, partners, etc. Together with the Firm Information Technology Infrastructure, such as e-mail, customer databases, etc., these infrastructures make up the New Infrastructure. The New Infrastructure, plus the local IT needed to perform business processes, can be defined as the Firm Information Technology Portfolio.

The Information Technology Portfolio not only has the potential to support existing business strategies, but also to shape new strategies (Henderson, Venkatraman, & Oldach, 1993; Henderson & Venkatraman, 1993; Guldentops, 2003). In this mindset, IT becomes not only a success factor for survival and prosperity, but also an opportunity to differentiate and to achieve competitive advantage. IT also offers a means for increasing productivity. Leveraging IT successfully to transform the enterprise and create products and services with added value has become a universal business competency (Guldentops, 2003). In this viewpoint, the IT department moves from a commodity service provider to a strategic partner, as illustrated by Venkatraman (1999) (Table 1).

Table 1: IT as Service Provider or as Strategic Partner

Service provider

  • IT is for efficiency
  • Budgets are driven by external benchmarks
  • IT is separable from the business
  • IT is seen as an expense to control
  • IT managers are technical experts

Strategic partner

  • IT for business growth
  • Budgets are driven by business strategy
  • IT is inseparable from the business
  • IT is seen as an investment to manage
  • IT managers are business problem solvers

Venkatraman, N. (1999). Valuing the IS Contribution to the Business. Computer Sciences Corporation.

The dependency on IT becomes even more imperative in our knowledge-based economy, where organisations are using technology in managing, developing and communicating intangible assets such as information and knowledge (Patel, 2003). Corporate success can of course only be attained when information and knowledge, very often provided and sustained by technology, is secure, accurate, and reliable, and provided to the right person, at the right time, at the right place (ITGI, 2000; Kakabadse & Kakabadse, 2001).

This major IT dependency also implies a huge vulnerability that is inherently present in certain complex IT environments (ITGI, 2001; Duffy, 2002). System and network downtime has become far too costly for any organisation in these days of doing business globally around the clock. Take for example the impact of downtime in the banking sector or in a medical environment. The risk factor is accompanied by a wide spectrum of external threats, such as errors and omissions, abuse, cybercrime and fraud.

Information Technology often entails large capital investments in organisations while companies are faced with multiple shareholders that are demanding the creation of business value through these investments. The question of the 'productivity paradox', why Information Technologies have not provided a measurable value to the business world, has puzzled many practitioners and researchers (Kakabadse & Kakabadse, 2001; ITGI, 2000, 2001; Lie, 2001; Henderson & Venkatraman, 1993; Duffy, 2002; Strassman, 1990; Brynjolfsson, 1993; Brynjolfsson & Hitt, 1998).

All the issues described above point out that the critical dependency on IT calls for a specific focus on IT Governance. This is needed to ensure that the investments in IT will generate the required business value and that risks associated with IT are mitigated. This chapter records and interprets some important existing theories, models and practises on IT Governance and its structures, processes and relational mechanisms. The chapter is based on relevant academic and professional publications and also integrates the main contributions of the other chapters in this book (whenever the text refers to one of the other chapters, the reference is printed in bold).

The first section provides a definition of IT Governance and draws a link with the Corporate Governance principles. The second part elaborates on the core issues in the IT Governance domain: strategic alignment, value delivery, risk management and performance management. The third part delivers an overview of some important structures, processes and relational mechanisms that can be helpful when designing and implementing an IT Governance framework. The final section describes a model for assessing and diagnosing IT Governance implementations.

IT Governance and Corporate Governance

IT Governance Definitions

IT, and its use in business environments, has experienced a fundamental transformation in the past decades. Since the introduction of IT in organisations, academics and practitioners conducted research and developed theories and best practises in this emerging knowledge domain (Peterson, 2003). This resulted in a variety of IT Governance definitions, some of which are formulated in Table 2.

Table 2: Definitions of IT Governance
  • The organisational capacity to control the formulation and implementation of IT strategy and guide to proper direction for the purpose of achieving competitive advantages for the corporation

The Ministry of International Trade and Industry (1999)

  • IT Governance is the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategy and objectives.

IT Governance Institute (2001)

  • IT Governance is the organisational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT.

Van Grembergen (2002)

Although the definitions in Table 2 differ on some aspects, they are all mainly focused on the same issues, such as the link between business and IT. The definition of the IT Governance Institute (ITGI), however, also explicitly states that IT Governance is an integral part of enterprise governance, which is in our opinion a very important premise. The IT Governance definition of ITGI will therefore be used as the reference in this chapter, even though it should be recognised that the link with enterprise governance is implicitly present in Van Grembergen's definitions as well.

IT Governance vs IT Management

An important (implicit) common concern in the definitions of Table 2 is certainly the link of IT with the present and future business objectives. This goes back to the not always clear difference between IT Governance and IT Management, which is visualised in Figure 2. IT Management is focused on the internal effective supply of IT services and products and the management of present IT operations. IT Governance in turn is much broader, and concentrates on performing and transforming IT to meet present and future demands of the business (internal focus) and the business' customers (external focus) (Peterson, 2003). "This does not undermine the importance and complexity of IT management, …, but whereas elements of IT Management and the supply of (commodity) IT services and products can be commissioned to an external provider, IT Governance is organisation specific, and direction and control over IT can not be delegated to the market" (Peterson, 2003).

Figure 2: IT Governance and IT Management

IT Governance vs Corporate Governance and the Board

The definition of IT Governance as proposed by the IT Governance Institute (Table 2) expresses that "IT Governance is the responsibility of the Board and Executive Management and that IT Governance should be an integral part of enterprise governance." How can we explain this relationship between IT Governance, Corporate Governance (or Enterprise Governance) and the Board?

Enterprise Governance is the system by which entities are directed and controlled. The business dependency on information technology has made it so that the enterprise governance issues cannot be solved without considering Information Technology. As shown in the first part of Figure 3, enterprise governance should therefore drive and set IT Governance. Information Technology in its turn can influence strategic opportunities as outlined by the enterprise and can provide critical input to strategic plans. In this way, IT Governance enables the enterprise to take full advantage of its information, and can be seen as a driver for enterprise governance. Looking at this interplay in more depth (second part of Figure 3), enterprise activities require information from IT activities to meet business objectives, and IT must be aligned with enterprise activities to take full advantage of its information (ITGI, 2000). IT Governance and Enterprise Governance can therefore not be considered as purely distinct disciplines, and IT Governance needs to be integrated into the overall enterprise governance structure, as denoted by several authors and entities (Guldentops, 2003; ITGI, 2001; Peterson, 2003; Duffy, 2002).

Figure 3: Enterprise Governance and IT Governance

The close relationship between corporate and IT Governance can also be derived from Shleifer and Vishny's definition of Corporate Governance (1982): Corporate Governance "deals with the ways in which suppliers of finance assure themselves of getting a return on investment." According to Shleifer and Vishny (1997), typical Corporate Governance questions are: (1) How do suppliers of finance get managers to return some of the profits to them? (2) How do suppliers of finance make sure that managers do not steal the capital they supply or invest it in bad projects? (3) How do suppliers of finance control managers? The business dependency on IT means that the Corporate Governance issues cannot be solved without considering IT. To make sure that the Corporate Governance matters are covered, IT needs to be governed properly first. This relationship can be made more eloquent by translating the Corporate Governance questions into specific IT Governance questions (Table 3) which discloses that Corporate Governance issues cannot be addressed without considering IT Governance issues.

Table 3: IT Governance and Corporate Governance Questions

  • Corporate Governance question: How do suppliers of finance get managers to return some of the profits to them?
    IT Governance question: How does top management get their CIO and IT organisation to return some business value to them?

  • Corporate Governance question: How do suppliers of finance make sure that managers do not steal the capital they supply or invest it in bad projects?
    IT Governance question: How does top management make sure that their CIO and IT organisations do not steal the capital they supply or invest in bad projects?

  • Corporate Governance question: How do suppliers of finance control managers?
    IT Governance question: How does top management control their CIO and IT organisation?

Adapted from: Shleifer, A. & Vishny, W. (1997). A survey on corporate governance. The Journal of Finance, 52(2).

As IT Governance becomes an integral part of Corporate Governance, it is of course a responsibility of the Board of Directors. The composition of the Board varies widely from organisation to organisation, but generally involves a mix of executive directors (those who are employed directly by the business) and non-executive or 'independent' directors (those who are appointed from outside the business). There are also important differences between countries regarding the role, composition and modus operandi of the Board (Duffy, 2002). These differences naturally lead to variations in expectations, emphasis, etc., but the fundamental responsibilities of the Board do not change and attention should be paid to the close link between technology management and the achievement of business goals (Duffy, 2002). Moreover, market analysts state that investors are willing to pay more for the shares of a well-governed company. Although hypothetical premiums are difficult to measure, there is little question that good governance makes a difference to corporate value (ITGI, 2002; Duffy, 2002).

Strategic Alignment and the Achievement of Business Value

The definitions in Table 2 implicitly or explicitly underline that an important aspect of IT Governance is the alignment of Information Technology with the business, often referred to as strategic alignment. Strategic alignment is an important driving force to achieve business value through investments in IT (ITGI, 2001; Guldentops, 2003). These two elements of IT Governance — strategic alignment and the achievement of business value through IT — will be discussed in more detail in the following paragraphs. Additionally, two related elements — risk management and performance management — will be described.

Business IT Alignment

The Strategic Alignment Model (SAM)

What exactly do we mean by strategic alignment between the business and IT? Duffy (2002) formulated the following definition: "the process and goal of achieving competitive advantage through developing and sustaining a symbiotic relationship between business and IT." The idea behind strategic alignment is very comprehensive, but the question is how organisations can achieve this ultimate goal. Henderson and Venkatraman (1993) developed a Strategic Alignment Model to conceptualise and direct the area of strategic management of Information Technology (Figure 4). They were the first to describe in a clear way the interrelationship between business strategies and IT strategies in their well-known Strategic Alignment Model (SAM) (Smaczny, 2001). Many authors used this model for further research, including Luftman and Brier (1999), Burn and Szeto (2000) and Smaczny (2001).

Figure 4: Strategic Alignment Model

The concept in Figure 4 is based on two building blocks: strategic fit and functional integration. Strategic fit recognises that the IT strategy should be articulated in terms of an external domain — how the firm is positioned in the IT marketplace — and an internal domain — how the IT infrastructure should be configured and managed. The position of an organisation in the IT marketplace (external IT domain) involves three decisions: (1) Information Technology scope (those specific information technologies, such as local and wide area networks, that support business strategy initiatives or could shape new business strategy initiatives for the firm), (2) systemic competencies (those attributes of IT strategy, e.g., cost-performance levels and flexibility, that could contribute positively to the creation of new business strategies or better support of existing business strategy), (3) IT Governance (selection and use of mechanisms, e.g., strategic alliances, for obtaining the required IT competencies).

The internal IT domain must address three components: (1) IT architecture (choices that define the portfolio of applications, the configurations of hardware, software and communications, and the data architecture that collectively define the technical infrastructure), (2) IT processes (choices that define the work processes central to the operations of the IT infrastructure, e.g., systems development maintenance), (3) IT skills (choices pertaining to the acquisition, training and development of the knowledge and capabilities of the individuals required to effectively manage and operate the IT infrastructure).

Henderson and Venkatraman (1993) argue that the external and the internal domains are equally important, but that managers traditionally think of IT strategy in terms of the internal domain, since historically IT is viewed as a support function less essential to the business. Relating this to the difference between IT Governance and IT management as referred to in Figure 1, the historical internal view coincides with the IT management perspective, which is focused on the internal domain (while the IT Governance perspective is focused on both the internal and the external domains).

Strategic fit is equally relevant within the business domain, as is also illustrated in Figure 3: the business strategy should take both the internal and the external domain into account. The attributes are similar, but focused on the business: business scope (choices regarding the product-market offerings in the output market), distinctive competencies (those attributes that contribute to a competitive advantage), business governance (make-vs-buy decisions, inter-company relationships), administrative architectures (roles, responsibilities, authority), business processes (that support and shape the firm's ability to execute business strategies) and business skills (required to execute a given strategy).

In the functional integration dimension of the Strategic Alignment model, the authors propose two types of integration which consider how choices made in the IT domain enhance or threaten those made in the business domain and vice versa. Strategic integration is the link between business strategy and IT strategy reflecting the external components, which is as important as IT and for many companies has emerged as a source of strategic advantage. The second type, operational integration, covers the internal domain and deals with the link between organisational infrastructure and processes, and IT infrastructure and process. This emphasises the importance of internal coherence between the requirements and expectations of the business and the capability of IT to deliver against it.

An important premise of the Strategic Alignment model is that effective governance of IT requires a balance among the choices made in all the four domains of Figure 4. Henderson and Venkatraman (1993) describe two cross-domain relationships in which business strategy plays the role of driver, and two relationships where IT strategy is the enabler (Figure 5). The strategic execution perspective is probably the most widely understood, as it is the classic, hierarchical view of strategic management. The perspective starts from the premise that business strategy is articulated and that this strategy is the driver for the choices in organisational design and the design in IT infrastructure. The technology transformation perspective also starts from an existing business strategy, but focuses on the implementation of this strategy through appropriate IT strategy and the articulation of the required IT infrastructure and processes. The competitive potential perspective allows the adaptation of business strategy through emerging IT capabilities. Starting from the IT strategy, the best set of strategic options for business strategy and a corresponding set of decisions regarding organisational infrastructure and processes are determined. The service level perspective focuses on how to build a world-class IT service organisation. This requires an understanding of the external dimensions of IT strategy with the corresponding internal design of the IT infrastructure and processes.

Figure 5: Strategic Alignment Domains

Relevance of the Strategic Alignment Model and Its Relationship to Other Mechanisms

Henderson and Venkatraman (1993) stress that alignment is not a one-point-in-time action. The challenge is to ensure the continual assessment of the trends across the four domains and to evolve from one perspective to another based on shifts in the business environment, both internal and external.

Although the Strategic Alignment model clearly recognizes the need for continual alignment, it does not provide a practical framework to implement this (Van Der Zee & De Jong, 1999). In that case, the question of how to realize strategic alignment is still not solved. Van Der Zee and De Jong (1999) propose the Balanced Scorecard as an implementation solution (see next section).

Another approach for the practical implementation of strategic alignment is provided by Luftman (2000) and Luftman and Brier (1999), who state that achieving alignment in environments of dynamic business strategies and continuously evolving technologies is very hard to accomplish. According to them, strategic alignment should be viewed as a process, and they propose a six-step approach (Table 4) that incorporates organisational assessment using a strategic alignment based on the Henderson and Venkatraman model (Luftman & Brier, 1999).

Table 4: Six-Step Process for Alignment

  1. Set the goals and establish a team
  2. Understand the business-IT linkage
  3. Analyse and prioritise gaps
  4. Specify the actions (project management)
  5. Choose and evaluate success criteria
  6. Sustain alignment

Luftman, J. & Brier, T. (1999). Achieving and sustaining business-IT alignment. California Management Review, 42(1), 109–122.

Guldentops (2003) also promotes some pragmatic practises to achieve alignment, and makes a distinction between vertical and horizontal alignment (Figure 6). According to this author, there are two types of practises, re-enforcing the point that alignment is not only needed at the strategic level but also at the operational level. Vertical alignment is primarily driven by repeatedly communicating an integrated Business and IT strategy down into the organisation, and translating it at each organisational layer into the language, responsibilities, values and challenges at that level. Furthermore, this 'cascading down' of the strategic objectives should be clearly linked to performance measures that are reported upwards. Horizontal alignment is primarily driven by cooperation between Business and IT on integrating the strategy, on developing and agreeing on performance measures (e.g., SLAs and IT BSC) and on sharing responsibilities (e.g., IT project co-responsibility) (Guldentops, 2003).

Figure 6: Vertical and Horizontal Alignment Practises

Alignment Practise Success Factors and Inhibitors

A study by Burn and Szeto (2000) revealed that only 50% of the business managers and 60% of IT managers indicated that the matching of business and IT strategies in their companies was either successful or highly successful. In this study, the key success factors for alignment were identified as 'top management selections of appropriate alignment approach to accomplish business objectives' and 'matching the internal IT with external market'.

Broadbent and Weill (1998) described different difficulties (barriers) that organisations have experienced in aligning business with IT. The expression barriers arise from the organisation's strategic context and from senior management behaviour, including lack of direction in business strategy, changing strategic intents, etc. This results in insufficient understanding of and commitment to the organisation's strategic focus by operational management. Specification barriers arise from the circumstances of the organisation's IT strategy (such as lack of IT involvement in strategy development, business and IT management conducting two independent monologues, etc.), which ends up in a situation where business and IT strategies are set in isolation and not adequately related. The nature of the organisation's current IT portfolio creates implementation barriers, which arise when there are technical, political, or financial constraints (e.g., difficulties in integrating legacy systems) on the current infrastructure.

Luftman (2000) and Luftman and Brier (1999) have also identified some enablers and inhibitors (Table 5) that help and hinder this alignment process. These points for attention should be closely monitored by management in their effort of aligning the business and IT.

Table 5: Enablers — Inhibitors of Strategic Alignment



Enablers

  • Senior executive support for IT
  • IT involved in strategy development
  • IT understands the business
  • Business-IT partnerships
  • Well-prioritised IT projects
  • IT demonstrates leadership

Inhibitors

  • IT/business lack close relationships
  • IT does not prioritise well
  • IT fails to meet commitments
  • IT does not understand the business
  • Senior executives do not support IT
  • IT management lack leadership

Luftman, J. & Brier, T. (1999). Achieving and sustaining Business-IT alignment. California Management Review, 42(1), 109–122.

Maturity Models for Strategic Alignment

Insight into the key success factors, barriers, enablers and inhibitors can be very helpful when an organisation strives for a more mature strategic alignment process. To be able to measure its alignment maturity, organisations can use a maturity model (Figure 7). This is a method of scoring that enables the organisation to grade itself from non-existent (0) to optimised (5). This tool offers an easy-to-understand way to determine the "as-is" and the "to-be" (according to enterprise strategy) position, and enables the organisation to benchmark itself against best practises and standard guidelines. In this way, gaps can be identified and specific actions can be defined to move towards the desired level of strategic alignment maturity (ITGI, 2000, 2001; Guldentops, 2003).

Figure 7: Generic Maturity Model (CobiT's Framework)

Good examples of strategic alignment maturity models are developed by Luftman (2000), Duffy (2002) and the IT Governance Institute (ITGI, 2000). Each of these models uses criteria composed of a variety of attributes to build different levels of maturity.

Luftman (1993) defines five maturity levels using the criteria and attributes described in the first two columns of Table 6. The last two columns of Table 6 indicate the characteristics or values of each attribute to obtain a level 1 or level 5 of the maturity model. When doing this maturity assessment, it is important to comply with the basic principles of maturity measurement: One can only move to a higher maturity when all conditions described in a certain maturity level are fulfilled. This implies that, in order to obtain a maturity level 5, all attributes must have the values described in the last column of Table 6.

Table 6: Strategic Alignment Maturity Levels (Luftman)



Characteristics level 1

Characteristics level 5


Understanding of business by IT

Understanding of IT by business

Inter/intra-organisational learning

Protocol rigidity

Knowledge sharing

Liaison(s) breadth/effectiveness



Casual, ad-hoc

Command and control


None or ad-hoc



Strong and structured




Competency/value measurement

IT metrics

Business metrics

Balanced metrics

Service Level Agreements


Formal assessments/reviews

Continuous improvement

Technical, not related to business

Ad-hoc, not related to IT

Ad-hoc unlinked

Sporadically present

Not generally practised



Extended to external partners

Extended to external partners

Business, partner, & IT metrics

Extended to external partners

Routinely performed with partners

Routinely performed

Routinely performed


Business strategic planning

IT strategic planning

Reporting/organization structure

Budgetary control

IT investment management

Steering committee(s)

Prioritization process



Central/decentral, CIO report to CFO

Cost center, erratic spending

Cost based, erratic spending

Not formal/regular


Integrated across, external

Integrated across, external

CIO reports to CEO, federated

Investment center, profit center

Business value


Value added partner


Business perception of IT value

Role of IT in strategic business planning

Shared goals, risks, rewards/penalties

IT program management

Relationship/trust style

Business sponsor/champion

IT perceived as a cost of business

No seat at the business table

IT takes risk with little reward




IT co-adapts with business

Co-adaptive with business

Risks & rewards shared

Continuous improvement

Valued partnership

At the CEO level

Scope and architecture

Traditional enabler/driver, external

Standards articulation

Architectural integration

  • Functional organization
  • Enterprise
  • Inter-enterprise

Architectural transparency, flexibility

Traditional (e.g. accounting, email)

None or ad-hoc

No formal integration


External scope, business strategy driver/enabler

Inter-enterprise standards

Evolve with partners

  • Integrated
  • Standard enterprise architecture
  • With all partners

Across the infrastructure


Innovation, entrepreneurship

Locus of Power

Management style

Change readiness

Career crossover

Education, cross-training

Attract and retain best-talent


In the business

Command and control

Resistant to change



No program

The norm

All executives, including CIO

Relationship based

High, focused

Across the enterprise

Across the enterprise

Effective program for hiring and retaining

Luftman, J. (2000). Assessing business-IT alignment maturity. Communications of AIS, 4.

Duffy (2002) developed a similar maturity model (Table 7) which is composed of four maturity levels. Although this maturity model differs from the previous example, it aspires to the same goal, i.e., providing a tool to help management in their journey to alignment between the business and IT. This maturity model states that in level one, there is a fundamental disconnect between the technology executive and the rest of corporate management. A maturity level of four (the highest level in this model), however, implies that IT and business are inextricably entwined and there is only one single strategy that incorporates both business and IT.

Table 7: Strategic Alignment Maturity Model (Duffy)

Maturity Level One: "Uneasy Alliance"

In this stage, there is a fundamental disconnect between the technology executive and the rest of corporate management. IT responds to business demands with little understanding of how the technology can contribute to value. IT is viewed primarily as something to make the company more efficient. Business units have little understanding of technology and prefer to hold the IT organisation accountable for the success and/or failure of any IT-related project.

Maturity Level Two: "Supplier/Consumer Relationship"

If IT has a strategic plan it is developed in response to the corporate strategy. IT is probably viewed as a cost center and there is little appreciation for the value that IT contributes to corporate success. In this stage, IT is still not viewed as a strategic tool and IT executives are unlikely to be involved in developing corporate strategy.

Maturity Level Three: "Co-dependence/Grudging Respect"

In this stage, the business is dependent on IT and there are early signs of recognition that it is a strategic tool. CIOs are becoming more knowledgeable about cross-functional business processes because of ERP, CRM, etc. The Internet and interest in e-business force some level of IT/business alignment. CEOs begin to recognize that IT is a competitive tool.

Maturity Level Four: "United we succeed, divided we fail"

In this stage, IT and business are inextricably entwined. Business executives have less time to prove they can deliver. Business cannot continue without IT and IT has little real value if it is not to support the corporate strategy. There is only a single strategy and it incorporates both IT and business. Whether the business is a pure play Internet company, or a "bricks 'n clicks" company, IT and business move in lockstep.

Duffy, J. (2002). IT/Business alignment: Is it an option or is it mandatory? IDC document # 26831.

The third example of an alignment maturity model is provided by the IT Governance Institute (ITGI, 2000). One of the products developed by ITGI is the open standard CobiT (Control Objectives for IT and related Technologies). The CobiT Framework identifies 34 IT processes within an IT environment. For each process, it provides a high-level control statement and between three and thirty detailed control objectives. With CobiT third edition, a management layer was added — called Management Guidelines — providing critical success factors, key performance indicators and maturity models for each of the processes. The first process identified by CobiT is 'define a strategic Information Technology plan'. As this process "satisfies the business requirement to strike an optimum balance of Information Technology opportunities and IT business requirements" (ITGI, 2000), this process plays a very important role in strategic alignment. In the maturity model for this process (Table 8), maturity level one entails that the need for IT strategic planning is known by IT management, but there is no structured decision process in place. To achieve the highest maturity level in this model, IT strategic planning should at least be a documented and a living process, continuously be considered in business goal setting and result in discernable business value through investments in IT.

Table 8: Maturity Model for IT Strategic Planning



IT strategic planning is not performed. There is no management awareness that IT strategic planning is needed to support business goals.


Initial/Ad Hoc

The need for IT strategic planning is known by IT management, but there is no structured decision process in place. IT strategic planning is performed on an as needed basis in response to a specific business requirement and results are therefore sporadic and inconsistent. IT strategic planning is occasionally discussed at IT management meetings, but not at business management meetings. The alignment of business requirements, applications and technology takes place reactively, driven by vendor offerings, rather than by an organisation-wide strategy. The strategic risk position is identified informally on a project-by-project basis.


Repeatable but Intuitive

IT strategic planning is understood by IT management, but is not documented. IT strategic planning is performed by IT management, but only shared with business management on an as needed basis. Updating of the IT strategic plan occurs only in response to requests by management and there is no proactive process for identifying those IT and business developments that require updates to the plan. Strategic decisions are driven on a project-by-project basis, without consistency with an overall organisation strategy. The risks and user benefits of major strategic decisions are being recognised, but their definition is intuitive.


Defined Process

A policy defines when and how to perform IT strategic planning. IT strategic planning follows a structured approach, which is documented and known to all staff. The IT planning process is reasonably sound and ensures that appropriate planning is likely to be performed. However, discretion is given to individual managers with respect to implementation of the process and there are no procedures to examine the process on a regular basis. The overall IT strategy includes a consistent definition of risks that the organisation is willing to take as an innovator or follower. The IT financial, technical and human resources strategies increasingly drive the acquisition of new products and technologies.


Managed and Measurable

IT strategic planning is standard practice and exceptions would be noticed by management. IT strategic planning is a defined management function with senior level responsibilities. With respect to the IT strategic planning process, management is able to monitor it, make informed decisions based on it and measure its effectiveness. Both short-range and long-range IT planning occurs and is cascaded down into the organisation, with updates done as needed. The IT strategy and organisation-wide strategy are increasingly becoming more coordinated by addressing business processes and value-added capabilities and by leveraging the use of applications and technologies through business process reengineering. There is a well-defined process for balancing the internal and external resources required in system development and operations. Benchmarking against industry norms and competitors is becoming increasingly formalised.



IT strategic planning is a documented, living process, is continuously considered in business goal setting and results in discernable business value through investments in IT. Risk and value added considerations are continuously updated in the IT strategic planning process. There is an IT strategic planning function that is integral to the business planning function. Realistic long-range IT plans are developed and constantly being updated to reflect changing technology and business-related developments. Short-range IT plans contain project task milestones and deliverables, which are continuously monitored and updated, as changes occur. Benchmarking against well-understood and reliable industry norms is a well-defined process and is integrated with the strategy formulation process. The IT organisation identifies and leverages new technology developments to drive the creation of new business capabilities and improve the competitive advantage of the organisation.

ITGI (2000). CobiT: Governance, control and audit for information and related technology. Available online:

As already mentioned, maturity models can be a very comprehensive tool to benchmark the organisation through time or against other organisations (in specific sectors and geographies, and of specific sizes). To be able to benchmark against other organisations, ISACA (Information Systems Audit and Control Association) conducted a maturity survey in 2002, asking the respondents to assign a maturity score for 15 of the 34 IT processes identified in CobiT. To establish this self-assessment, respondents were asked to use the maturity models that are described within CobiT for each process, such as the one for 'IT strategic planning' in Table 8. The main conclusion of the survey is that, on average, the maturity of enterprises in controlling the 15 identified CobiT IT processes fluctuates between 2.0 (repeatable but intuitive) and 2.5. The average maturity score for IT strategic planning was also situated in this range. Filtering the results by geography, size or industry revealed that globally operating organisations, large organisations and financial institutions attain on average higher maturity levels for their IT processes, mostly in the bracket between 2.5 and 3.0 (defined process) (Guldentops, Van Grembergen, & De Haes, 2002).

Business Value through IT

Although strategic alignment is complex, multifaceted and perhaps never completely achieved, it remains a worthwhile ambition because there is a real concern about the value of the IT investment, i.e., the creation of business value (ITGI, 2001; Broadbent & Weill, 1998). "The value that IT adds to the business is a function of the degree to which the IT organisation is aligned with the business and meets the expectations of the business" (ITGI, 2001). The question is how investments in IT will result in measurable value for the entire business. The basic principles of IT value are delivery on time, within budget and with the benefits that were promised (ITGI, 2001; Guldentops, 2003). "In business terms, this is often translated into: competitive advantage, elapsed time for order/service fulfilment, customer satisfaction, customer wait time, employee productivity and profitability. Several of these items are either subjective or difficult to measure, something all stakeholders need to be aware of" (ITGI, 2001).

Different levels of management and users will perceive the value of IT differently. Broadbent and Weill (1998) refer in this context to the 'business value hierarchy'. This hierarchy is composed of four layers: firm-wide IT infrastructure business value, business unit IT applications business value, business unit operational business value and business unit financial business value (Figure 8).

Figure 8: Business Value Hierarchy

Very successful investments in Information Technology will have a positive impact on all levels of the business value hierarchy. Less successful investments will not be strong enough to impact the higher levels and will only have an influence on the lower levels. The higher one goes in the measurement hierarchy, the more dilution will occur through factors such as pricing decisions and competitors' moves. This also means that measuring the impact of an IT investment is much easier at the bottom of the hierarchy than at the top, where many factors dilute the effect (Broadbent & Weill, 1998; ITGI, 2001).

"The first level of business value is provided by firm-wide Information Technology infrastructure, with measures such as infrastructure availability (e.g., percentage of downtime), and cost per transaction and workstation. The second level of business value is provided by business-unit Information Technology performance of the business, with measures such as time and cost to implement new applications. The third level is provided by the operational performance of the business, with measures such as quality and time to market for new products. The top and most important level is the financial performance of the firm, with measures such as return on assets (ROA) and revenue growth. Investments in Information Technology are made at the bottom two levels in the hierarchy by both information systems departments and line managers. Measuring Information Technology investments at the bottom two levels and performance at all four levels is key to assessing business value. Then we can track the impact of Information Technology investments up this hierarchy of business value, providing solid evidence and insight on how value is or is not created" (Broadbent & Weill, 1998).

At the top of the hierarchy, the financial measures are typically lagging measures of business value. This means that they only focus on past performance of the enterprise. An indication or prediction of future business value can be obtained by looking at the measures of operational performance, which are leading indicators of business value. The measures of IT performance and Information Technology infrastructure performance track in their turn the efficiency of using IT assets (Broadbent & Weill, 1998).

To be successful, an organisation also needs to be aware that a different strategic context requires different indicators of value. A commercial enterprise, for example, will have different value drivers/indicators compared to a governmental institution (ITGI, 2001; Broadbent & Weill, 1998; Luftman, 2000).

But how can business value now pragmatically be achieved through IT? Weill (2002) identified some emerging management practises that lead to IT-enabled business value. Implementing these practises implies the use of a number of mechanisms, as shown in Figure 9.

Figure 9: Management Practises that Lead to IT-Enabled Business Value

Alignment, Value Delivery, Risk Management, Performance Management

We have now studied two important elements of IT Governance: value delivery (which is the end goal) and strategic alignment (which is the means). The IT Governance Institute (ITGI, 2001) introduces two related IT Governance elements — risk management and performance management — and links them all together as follows: "Fundamentally, IT Governance is concerned about two things: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need measurement, for example, by a Balanced Scorecard. This leads to the four main focus areas for IT Governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk mitigation. Two of them are drivers: strategic alignment and performance measurements." These relationships can be visualised as illustrated in Figure 10.

Figure 10: Alignment, Value Delivery, Risk Management and Performance Management

This relationship introduces two associated elements (risk management and performance measurement) that are not directly referred to in the definitions of Table 2, but that play an important role in the governance of IT. The relevance of a performance measurement system, such as the Balanced Scorecard, was already mentioned in the section on IT strategic alignment, where it was identified as a mechanism to achieve strategic alignment. The Balanced Scorecard concept is discussed in more detail in the following section. "Risk management concerns itself with safeguarding assets and preparing for disaster. Risk management establishes IT security to protect assets and enable business recovery from IT failures. It ensures privacy for users and builds resilience into systems. Risk management knows the importance of establishing trust in the enterprise's services and among its partners. It manages internal and external threats — internal from misuse and errors and external from deliberate attacks, market volatility and the pace of change" (Guldentops, 2002). Effective risk management begins with a clear understanding of the organisation's appetite for risk and the risk exposure. Depending on the type of risk and its significance to the business, management can take different paths to manage this risk. The risk can be mitigated by, e.g., acquiring and deploying security technology to protect the IT infrastructure. Other possibilities are the transfer of risk, i.e., sharing the risk with partners or transferring it to insurance cover, and the acceptance of risk, i.e., formally acknowledging that the risk exists and monitoring it (ITGI, 2000, 2001). While value delivery (addressed in the previous section) is focused on the creation of business value, risk management is focused on the preservation of business value.

IT Governance Structures, Processes and Relational Mechanisms

We now have a better understanding of what IT Governance is. The question now arises of how enterprises can pragmatically implement an IT Governance structure. The decision to implement an IT Governance framework can sometimes be initiated by a specific issue or major critical problems. This was, for example, the case at NB Power in Canada, where the decision to implement an IT Governance framework was taken at a time when the Y2K problem required a lot of attention, a major SAP implementation project was running and an endless list of requests for IT support needed to be managed urgently (Callahan & Keyes, 2003).

A Holistic Approach

An IT Governance framework can be deployed using a mixture of various structures, processes and relational mechanisms. When designing IT Governance, it is important to recognise that it is contingent upon a variety of sometimes conflicting internal and external factors. Determining the right mechanisms is therefore a complex endeavour and it should be recognised that what strategically works for one company does not necessarily work for another (Patel, 2003), even if they work in the same industry sector. A good example of the latter is given by Suomi and Tähkäpää (2003), who revealed that the differences between public and private health care have an impact on the appropriate (IT) governance structure to follow. Although both work in the same sector, the difference between the public and the private environment (e.g., private sector organisations are typically more flexible in terms of budget allocation, personnel decisions and organisational procedures, while public organisations are more characterized by rigid procedures, structured decision making, dependency on politics, etc.) has a great impact on the IT Governance Framework to follow and its outcomes. An analogous conclusion is drawn by Ribbers, Peterson and Parker (2002), who point out that environmental contingencies will impact the outcomes of the IT Governance processes (Figure 11).

Figure 11: IT Governance Contingencies

However, the fact that IT Governance is a complex matter is no reason to separate it from the overall governance responsibilities. Dividing a complex problem into smaller pieces and solving each problem separately does not always solve the complete problem (Peterson, 2003). A holistic approach towards IT Governance acknowledges its complex and dynamic nature, consisting of a set of interdependent subsystems that deliver a powerful whole (Sambamurthy & Zmud, 1999; Peterson, 2003; Patel, 2003; Duffy, 2002). Moreover, taking the context of hypercompetition and fluctuating economic conditions into account, IT Governance within an organisation cannot be a static model. It should address both the current and emerging requirements and thus be able to continuously evolve (Patel, 2003).

Structures, Processes and Relational Mechanisms

To be able to place IT Governance structures, processes and relational mechanisms in a comprehensible relationship to each other, we propose the framework displayed in Table 9, which is based on Peterson's framework (Peterson, 1996). Structures involve the existence of responsible functions such as IT executives and accounts, and a diversity of IT committees. Processes refer to strategic IT decision-making and monitoring. The relational mechanisms include business/IT participation and partnerships, strategic dialogue and shared learning.

Table 9: Structures, Processes and Relational Mechanisms for IT Governance

Structures (integration strategy: IT Executives & accounts; Committees & councils)
  • roles and responsibilities
  • IT strategy committee
  • IT steering committee
  • IT organisation structure
  • CIO on Board
  • project steering committees
  • e-business advisory board
  • e-business task force

Processes (integration strategy: Strategic IT decision-making; Strategic IT monitoring)
  • Balanced (IT) scorecards
  • Strategic Information Systems Planning
  • COBIT and ITIL
  • Service Level Agreements
  • Information economics
  • Strategic Alignment Model
  • Business/IT alignment models
  • IT Governance maturity models

Relational mechanisms (integration strategy: Stakeholder participation; Business-IT partnerships; Strategic dialogue; Shared learning)
  • Active participation by principal stakeholders
  • Collaboration between principal stakeholders
  • Partnership rewards and incentives
  • Business/IT co-location
  • Shared understanding of business/IT objectives
  • Active conflict resolution ('non-avoidance')
  • Cross-functional business/IT training
  • Cross-functional business/IT job rotation

Based on: Peterson (2003). Information strategies and tactics for Information Technology governance. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Table 9 provides a rich overview of mechanisms that can support IT Governance. The paragraphs below discuss some of these mechanisms in more detail, with a primary focus on the IT Governance structures and processes: the roles and responsibilities of the major participants, the IT strategy committee, IT steering committees, the IT organisation structure, the Balanced Scorecard (BSC), Strategic Information Systems Planning (SISP), COBIT's framework and ITIL, Service Level Agreements (SLA), and Information Economics. An overall IT Governance maturity model will be presented in the next section, and the strategic alignment model (SAM) and the business/IT alignment model are already covered in the preceding section.

Roles and Responsibilities

Clear and unambiguous definitions of the roles and the responsibilities of the involved parties are a crucial prerequisite for an effective IT Governance framework. It is the role of the Board and Executive management to communicate these roles and responsibilities and to make sure that they are clearly understood throughout the whole organisation (ITGI, 2001; Duffy, 2002). The Board as well as the business and IT management have to play an important role in assuring the governance of IT. The CIO is certainly not the only and primary stakeholder in the process. "IT Governance effectiveness is only partially dependent on the CIO and other IT executives, and should be viewed as a shared responsibility and enterprise-wide commitment towards sustaining and maximising IT business value" (Peterson, 2003). The CEO has singular responsibility for carrying out the strategic plans and policies that have been established by the Board, and the CEO should ensure that the CIO is included and accepted in the senior-level decision-making process (Duffy, 2002). The CIO and the CEO should report on a regular basis to the Board, and the Board in its turn has to play the role of independent overseer of business performance and compliance (Duffy, 2002). The Board members should keep their knowledge of current business models, management techniques and technologies, and of course of the potential risks and benefits associated with each of them, up to date. This enables them to ask the right questions (ITGI, 2001; Duffy, 2002). The establishment of an IT Strategy Committee (cf., infra) at Board level can be a very helpful mechanism to achieve these goals. In the Appendix, a more detailed description is provided of the responsibilities of the CEO, the CIO and the Board, as proposed by IDC (Duffy, 2002).

IT Strategy Committee and IT Steering Committees

As mentioned earlier in this chapter, IT Governance should be an integral part of enterprise governance, and in this way it is a concern of the Board of Directors that is responsible for governing the enterprise. Many Boards carry out their governance duties through committees that oversee critical areas such as audit, compensation and acquisitions (COSO, 1992). Taking the criticality of IT into account, IT should be managed with the same commitment and accuracy, and the set-up of an IT committee at Board level — the IT Strategy Committee — can be an important mechanism to achieve this goal. The IT Strategy Committee, composed of Board and non-Board members, should assist the Board in governing and overseeing the enterprise's IT-related matters. The Committee should ensure that IT is a regular item on the Board's agenda and that it is addressed in a structured manner. In addition, the Committee must ensure that the Board has the information it needs to achieve the ultimate objectives of IT Governance (ITGI, 2001, 2003; COSO, 1992; Callahan & Keyes, 2003).

The IT Strategy Committee should of course work in close partnership with the other Board committees and management (committees) to provide input to, review and amend, the aligned corporate and IT strategies (ITGI, 2002; Duffy, 2002). The detailed implementation of the IT strategy will be the responsibility of Executive Management, assisted by one or more IT "Steering" Committees. Typically, such a Steering Committee has the specific responsibility for overseeing a major project or managing IT priorities, IT costs, IT resource allocation, etc. While the IT Strategy Committee operates at Board level, the IT Steering Committee is situated at Executive level, which of course implies that these committees have different membership and a different authority (Table 10) (ITGI, 2002).

Table 10: Authority and Membership of IT Strategy/Steering Committee

IT Strategy Committee

Authority:
  • Advises the Board and Management on IT strategy
  • Is delegated by the Board to provide input to the strategy and prepare its approval
  • Focuses on current and future strategic IT issues

Membership:
  • Board members and (specialist) non-Board members

IT Steering Committee

Authority:
  • Assists the Executive in the delivery of the IT strategy
  • Oversees day-to-day management of IT service delivery and IT projects
  • Focuses on implementation

Membership:
  • Sponsoring executive
  • Business executive (key users)
  • CIO
  • Key advisors as required (IT, audit, legal, finance)

ITGI (2002). IT Strategy Committee. Available online:

Luftman and Brier (1999) provide a list of Critical Success Factors for sustaining a Steering Committee (Table 11). In practise, the terminology used and the roles and responsibilities ascribed to these Strategy and/or Steering Committees can vary a lot. Most important is that the concepts and rationale of these mechanisms are applied and customised to the specific organisational environment (Callahan & Keyes, 2003; ITGI, 2002).

Table 11: Critical Success Factors for Sustaining Steering Committees


Focus on reduction/elimination to expedite opportunities to leverage IT

Career Building

Opportunities for participants to learn and expand responsibilities


Primary vehicle for IT and business discussions and sharing knowledge across parts of the organisation

Complex Decisions

Do not get involved in 'mundane areas'


Authority to have decisions carried out

Low hanging fruit/Quick hits

Immediate changes carried out when appropriate


Vehicle for 'selling' the value of IT to the business

Objective Measurement

Formal assessment and review of IT's business contributions


Responsible/accountable for the decisions made


Primary vehicle for selecting what is done, and how much resources to allocate


Partnerships of business and IT

Right Participants

Cooperative, committed, respected team members with knowledge of business and IT

Share risks

Equal accountability, recognition, responsibility, rewards, and uncertainty

Structure, facilitator

Processes and leadership to ensure the right focus

Luftman, J. & Brier, T. (1999). Achieving and sustaining business-IT alignment. California Management Review, 42(1), 109–122.

IT Organisation Structure

The possibility of effective governance over IT is of course also determined by the way the IT function is organised and where the IT decision-making authority is located in the organisation. Regarding the former, it should however be noted that "given the widespread proliferation and infusion of IT in organisations, involving, e.g., technical platforms, shared IT services centres, and local business-embedded applications, the notion of a single homogenous IT function is obsolete" (Peterson, 2003). A lot of research has been performed with regard to the location of the decision-making authority (e.g., Sambamurthy & Zmud, 1999; the Ministry on International Trade and Industry, 1999; Peterson, 2003; Gottschalk, 2003) and several models have been developed, such as centralised, decentralised and federal. The adoption of a particular mode is influenced by different determinants, such as history, size, economies of scale, Corporate Governance model, business strategy and absorptive capacity (i.e., the ability of employees to develop relevant knowledge, recognise valuable external information, make appropriate decisions, etc.) (Peterson, 2003; Sambamurthy & Zmud, 1999). Peterson (2003) summarised the empirical findings of several authors on what determines the choice between a centralised and a decentralised organisation, as shown in Table 12.

Table 12: Determinants of Centralised/Decentralised IT Organisation



Business strategy

Cost focus

Innovation focus

Business governance



Organisation size



Information intensity



Environment stability



Business competency



Peterson (2003). Information strategies and tactics for Information Technology Governance. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

However, studies indicate that a federal structure (i.e., a hybrid design of centralised infrastructure control and decentralised application control) is the dominant model in many contemporary enterprises. This model tries to achieve the 'best of both worlds', i.e., efficiency and standardisation under centralisation, and effectiveness and flexibility under decentralisation (Peterson, 2003; Ribbers, Peterson, & Parker, 2002).

Balanced Scorecards

Kaplan and Norton (1992) introduced the Balanced Scorecard (BSC) at enterprise level. Their fundamental premise is that the evaluation of a firm should not be restricted to a traditional financial evaluation but should be supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. Results achieved within these additional perspective areas should assure future financial results and drive the organisation towards its strategic goals while keeping all four perspectives in balance. For this balanced measurement framework, they proposed a three-layer structure for each of these four perspectives: mission, objectives and measures from which targets would be set and initiatives created (Kaplan & Norton, 1992, 1993, 1996a, 1996b). This Balanced Scorecard has been applied to the IT function and its processes (Gold, 1994; Willcocks, 2002; Van Grembergen & Saull, 2001; Van Grembergen & Van Bruggen, 1997). Recognising that IT is an internal service provider, the proposed perspectives of the Balanced Scorecard should be changed accordingly, with the following perspectives: corporate contribution, customer (user) orientation, operational excellence, and future orientation. A "cascade or waterfall of Balanced Scorecards" provides top management with a method for business and IT fusion and with control mechanisms. To achieve this, the IT Development Balanced Scorecard and the IT Operational Balanced Scorecard are defined as enablers for the Strategic Balanced Scorecard that is in turn the enabler of the Business Balanced Scorecard. This relationship is shown in Figure 12.

Figure 12: Cascade of Balanced Scorecards

Linking the business BSC and the IT BSCs is a supportive mechanism for IT Governance. Van Der Zee and De Jong (1999) argue that the Balanced Scorecard technique is uniquely placed to address two main problems in business and IT management. The first problem is the time lag between the business and IT planning processes. The second is the lack of a common 'language' between business and IT management. When the BSC concepts are used in this way, the scorecard becomes an alignment method: business goals and the drivers of business success are identified, including specific IT drivers.

A major Canadian financial group, which implemented the IT Balanced Scorecard, accomplished more alignment through the Balanced Scorecard by establishing cause-and-effect relationships between the different domains of the scorecard. This is visualised in Figure 13: building the foundation for delivery and continuous learning and growth (future orientation perspective) is an enabler for carrying out the roles of the IT division's mission (operational excellence perspective) that is in turn an enabler for measuring up to business expectations (customer expectations perspective), that eventually must lead to ensuring effective IT Governance (corporate contribution perspective) (Van Grembergen and Saull, 2001; Van Grembergen, Saull & De Haes, 2003).

Figure 13: Alignment through the IT Balanced Scorecard

Strategic Information Systems Planning

According to Earl (1993) Strategic Information Systems Planning (SISP) has four components: aligning IT with business goals, exploiting IT for competitive advantage, directing efficient and effective management of IT resources, and developing technology policies and architectures. A broad variety of governance mechanisms for the two high level components — alignment and competitive advantage — have been developed and are used by organisations to achieve the business/IT fusion: Business Systems Planning (Rockart, 2001), Critical Success Factors (Rockart, 1979), the competitive forces model and the value chain models of Porter (1980, 1985) and the Business Process Reengineering approach (Hammer & Champy, 1993; Van Grembergen et al., 1997). Recently, Porter adapted his models to the e-business phenomenon in his "Strategy and the Internet" article (Porter, 2001) concluding that "the internet per se will rarely be a competitive advantage" and "many of the companies that succeed will be ones that use the internet as a complement to traditional ways of competing, not those that set their internet initiatives apart from their established operations."

CobiT and ITIL

As already explained, CobiT provides, for each of 34 IT processes, the corresponding high-level control objectives and management guidelines, including their maturity models and their scorecards in the form of key goal indicators and key performance indicators. As illustrated in other sections of this chapter, the maturity models and scorecards enable organisations to implement an IT Governance structure (Guldentops, 2003).

The CobiT control objectives can also help to support IT Governance within an enterprise. The control objectives of the "Assist and advise IT customers" process, e.g., consist of establishing a help desk, registration of the customer queries, customer query escalation, monitoring of clearance, and trend analysis and reporting (ITGI, 2000). These high-level control objectives can be implemented through the use of the IT Infrastructure Library (ITIL) of the Central Computer and Telecommunications Agency (UK). Its help desk module (CCTA, 1998), e.g., complements and provides details on the help desk process including the planning, implementation, post-implementation, benefits and costs, and tools. So, CobiT tells what is to be done and ITIL explains in detail how it is to be done.

Service Level Agreements

In a maturing IT Governance environment, Service Level Agreements (SLAs) and their supporting Service Level Management (SLM) process need to play an important role. The functions of SLAs are (1) the definition of what levels of service are acceptable to users and are attainable by the service provider and (2) the definition of a mutually acceptable and agreed-upon set of indicators of the quality of service. The SLM process includes the definition of an SLA framework, establishing SLAs including levels of service and their corresponding metrics, monitoring and reporting on the achieved services and problems encountered, reviewing SLAs, and establishing improvement programs. The major governance challenges are that the service levels are to be expressed in business terms and that the right SLM/SLA process has to be put in place (Hiles, 2000).

Information Economics

The information economics method developed by Benson and Parker (Parker, 1996) can be used as an alignment technique whereby both business and IT people score IT projects and in this way prioritise and select projects. It departs from the Return on Investment (ROI) of a project and different non-tangibles such as "strategic match of the project" (business evaluation) and "match with the strategic IT architecture" (IT evaluation). In essence, information economics is a scoring technique resulting in a weighted total score based on the scores for the ROI and the non-tangibles (Figure 14). Typically scores from 0 to 5 are attributed whereby 0 means no contribution and 5 refers to a high contribution; the values obtain a positive score and the risks a negative score.

Figure 14: Information Economics

Relational Mechanisms

Effective Communication and Knowledge Sharing

Another prior mechanism for IT Governance is an effective two-way communication and a good participation/collaboration relationship between the business and the IT department, because often there is little business awareness on the part of IT or little IT appreciation on the part of the business. Ensuring ongoing knowledge sharing across departments and organisations is paramount for attaining and sustaining business-IT alignment (Luftman, 2000; Broadbent & Weill, 1998; Henderson, Venkatraman & Oldach, 1993; Callahan & Keyes, 2003). It is important to facilitate the sharing and the management of knowledge by using mechanisms such as career cross-over (IT staff working in the business unit; business staff working in IT), continuous education, cross-training, etc. (Luftman & Brier, 1999; Luftman, 2000). To support a Knowledge Management initiative in the organisation, the Balanced Scorecard framework can be extended in terms of its perspectives to cover specific Knowledge Management metrics, as described by Fairchild (2003).

IT Governance Diagnosis and Assessment

To implement and improve an IT Governance framework, organisations need to have a self-diagnosing tool to be able to assess IT Governance effectiveness and to identify opportunities for improvement (ITGI, 2001; Peterson, 2003).

An easy-to-understand method to self-assess and benchmark IT Governance performance is the use of maturity models. The basic principles of maturity models are already addressed in the section on strategic alignment. The IT Governance Institute (2001) recently developed a detailed IT Governance maturity model, which identifies six (from 0 to 5) levels of maturity, from 'non-existent' to 'optimised' (ITGI, 2001).

According to this model, organisations that are situated in level zero are characterised by a complete lack of any recognisable IT Governance process. To move up to level one, the organisation at least needs to recognise the importance of addressing IT Governance issues. Maturity level five at least implies an advanced and forward-looking understanding of IT Governance issues and solutions, supported by an established framework and best practises of structures, processes and relational mechanisms. As mentioned before, this maturity model provides a comprehensive tool for determining the 'as-is' and the 'to-be' position. It should be recognised that the desired 'to-be' position should be identified as a function of the context in which one operates (industry, geography, size, etc.) and of the enterprise strategy. When the 'as-is' and 'to-be' positions are known, gaps can be determined, projects defined and specific actions taken.


This introductory chapter to Strategies for Information Technology Governance described relevant structures, processes and relational mechanisms for IT Governance. At the same time, this chapter introduced the main contributions of the remaining chapters in this book.

A major conclusion is that governing the enterprise's Information Technology is becoming more and more important in our knowledge-based and complex society. Key elements in IT Governance are the alignment of the business and IT that must lead to the achievement of business value through IT. These high level goals of IT Governance can be achieved by acknowledging IT Governance as a part of Corporate Governance and by setting up an IT Governance framework and its corresponding best practises. Such a framework and practises should be composed of a variety of structures, processes and relational mechanisms. In a complex and turbulent business environment, this framework and the practises will also be influenced by a number of external variables. IT Governance is therefore a very complex and broad concept that can be best approached as a holistic system.

Table 13: IT Governance Maturity Model



Non-existent

There is a complete lack of any recognisable IT Governance process. The organisation has not even recognised that there is an issue to be addressed and hence there is no communication about the issue. Governance, such as it is, is predominantly centralised within the IT organisation, and IT budgets and decisions are made centrally. Business unit input is informal and done on a project basis. In some cases, a steering committee may be in place to help make resource decisions.


Initial/Ad Hoc

The organisation has recognised that IT Governance issues exist and need to be addressed. There are, however, no standardised review processes, but instead management considers IT management issues on an individual or case-by-case basis. Management's approach is unstructured and there is inconsistent communication on issues and approaches to address the problems that arise. Although it is recognised that the performance of the IT function ought to be measured, there are no proper metrics in place -- reviews are based on individual managers' requests. IT monitoring is implemented only reactively to an incident that has caused some loss or embarrassment to the organisation. Governance is difficult to initiate and the central IT organisation and business units may even have an adversarial relationship. The organisation is trying to increase trust between IT and the business and there are normally periodic joint meetings to review operational issues and new projects. Upper management is involved only when there are major problems or successes.


Repeatable but Intuitive

There is awareness of IT Governance objectives, and practices are developed and applied by individual managers. IT Governance activities are becoming established within the organisation's change management process, with active senior management involvement and oversight. Selected IT processes have been identified for improvement that would impact key business processes. IT management is beginning to define standards for processes and technical architectures. Management has identified basic IT Governance measurements, assessment methods and techniques, but the process has not been adopted across the organisation. There is no formal training and communication on governance standards and responsibilities are left to the individual.

An IT steering committee has begun to formalise and establish its roles and responsibilities. There is a draft governance charter (e.g., participants, roles, responsibilities, delegated powers, retained powers, shared resources and policy). Small and pilot governance projects are initiated to see what works and what does not. General guidelines are emerging for standards and architecture that make sense for the enterprise and a dialogue has started to sell the reasons for their need in the enterprise.


Defined Process

The need to act with respect to IT Governance is understood and accepted. A baseline set of IT Governance indicators is developed, where linkages between outcome measures and performance drivers are defined, documented and integrated into strategic and operational planning and monitoring processes. Procedures have been standardised, documented and implemented. Management has communicated standardised procedures and informal training is established. Performance indicators over all IT Governance activities are being recorded and tracked, leading to enterprise-wide improvements. Although measurable, procedures are not sophisticated, but are the formalisation of existing practices. Tools are standardised, using currently available techniques. IT balanced business scorecard ideas are being adopted by the organisation. It is, however, left to the individual to get training, to follow the standards and to apply them. Root cause analysis is only occasionally applied. Most processes are monitored against some (baseline) metrics, but any deviation, while mostly being acted upon by individual initiative, would unlikely be detected by management. Nevertheless, overall accountability of key process performance is clear and management is rewarded based on key performance measures.

The IT steering committee is formalised and operational, with defined participation and responsibilities agreed to by all stakeholders. The governance charter and policy is also formalised and documented. The governance organisation beyond the IT steering committee is established and staffed.


Managed and Measurable

There is full understanding of IT Governance issues at all levels, supported by formal training. There is a clear understanding of who the customer is and responsibilities are defined and monitored through service level agreements. Responsibilities are clear and process ownership is established. IT processes are aligned with the enterprise and with the IT strategy. Improvement in IT processes is based primarily upon a quantitative understanding and it is possible to monitor and measure compliance with procedures and process metrics. All process stakeholders are aware of risks, the importance of IT and the opportunities it can offer. Management has defined tolerances under which processes must operate. Action is taken in many, but not all cases where processes appear not to be working effectively or efficiently. Processes are occasionally improved and best internal practices are enforced. Root cause analysis is being standardised. Continuous improvement is beginning to be addressed. There is limited, primarily tactical, use of technology, based on mature techniques and enforced standard tools. There is involvement of all required internal domain experts. IT Governance evolves into an enterprise-wide process. IT Governance activities are becoming integrated with the enterprise governance process.

There is a fully operational governance structure that addresses a consistent architecture for re-engineering and interoperation of business processes across the enterprise, and ensures competition for enterprise resources and ongoing incremental investments in the IT infrastructure. IT is not solely an IT organisational responsibility but is shared with the business units.



Optimised

There is advanced and forward-looking understanding of IT Governance issues and solutions. Training and communication is supported by leading-edge concepts and techniques. Processes have been refined to a level of external best practice, based on results of continuous improvement and maturity modeling with other organisations. The implementation of these policies has led to an organisation, people and processes that are quick to adapt and fully support IT Governance requirements. All problems and deviations are root cause analysed and efficient action is expediently identified and initiated. IT is used in an extensive, integrated and optimised manner to automate the workflow and provide tools to improve quality and effectiveness. The risks and returns of the IT processes are defined, balanced and communicated across the enterprise. External experts are leveraged and benchmarks are used for guidance. Monitoring, self-assessment and communication about governance expectations are pervasive within the organization and there is optimal use of technology to support measurement, analysis, communication and training. Enterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise. The governance concept and structure forms the core of the enterprise IT governing body including provisions for amending the structure for changes in enterprise strategy, organisation or new technologies.

ITGI (2001). Board briefing on IT Governance. Available online:


Broadbent, M., & Weill, P. (1998). Leveraging the new infrastructure - How market leaders capitalize on Information Technology. Harvard Business School Press.

Brynjolfsson, E. (1993). The productivity paradox of Information Technology. Communications of the ACM, 36(12).

Brynjolfsson, E., & Hitt, L.M. (1998). Beyond the productivity paradox. Communications of the ACM, 41(8).

Burn, J.M., & Szeto, C. (2000). A comparison of the views of business and IT management on success factors for strategic alignment. Information & Management, 37.

Callahan, J., & Keyes, D. (2003). The evolution of IT Governance @ NB Power. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

CCTA (1998). Help desk. The Stationery Office.

Committee of Sponsoring Organisations of the Treadway Commission (COSO) (1992). Internal Control - Integrated Framework.

Duffy, J. (2002). IT/Business alignment: Is it an option or is it mandatory? IDC document # 26831.

Duffy, J. (2002). IT Governance and business value part 1: IT Governance - An issue of critical importance. IDC document # 27291.

Duffy, J. (2002). IT Governance and business value part 2: Who's responsible for what? IDC document # 27807.

Earl, J.M. (1993). Experiences in strategic information systems planning. MIS Quarterly, 17(1).

Fairchild, A.M. (2003). A view on knowledge management: Utilizing a balanced scorecard methodology for analyzing knowledge metrics. In W. Van Grembergen (Ed.), Strategies for Information Technology governance. Hershey, PA: Idea Group Publishing.

Gold, C. (1994). US measures - A balancing act. Boston, MA: Ernst & Young Center for Business Innovation.

Gottschalk, P. (2003). Managing IT functions. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Guldentops, E. (2002). Knowing the environment: Top five IT issues. Information Systems Control Journal, 4, 15–16.

Guldentops, E. (2003). Governing Information Technology through CobiT. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Guldentops, E. (2003). IT Governance: Part and parcel of corporate governance. CIO Summit, European Financial Management & Marketing (EFMA) Conference, Brussels.

Guldentops, E., Van Grembergen, W., & De Haes, S. (2002). Control and Governance Maturity survey: Establishing a reference benchmark and a self-assessment tool. Information Systems Control Journal, 6.

Hammer, M., & Champy, J. (1993). Reengineering the corporation. A manifesto for business revolution. New York: Harper Business.

Henderson, J.C., & Venkatraman, N. (1993). Strategic alignment: Leveraging Information Technology for transforming organizations. IBM Systems Journal, 32(1).

Henderson, J.C., Venkatraman, N., & Oldach, S. (1993). Continuous strategic alignment. Exploiting Information Technology Capabilities for Competitive Success. European Management Journal, 11(2), Business Quarterly, 55(3).

Hiles, A. (2000). The complete guide to IT service level agreements. Brookfield, CT: Rothstein Associates.

ITGI (2000). CobiT: Governance, Control and Audit for Information and Related Technology. Available online:

ITGI (2001). Board briefing on IT Governance. Available online:

ITGI (2002). IT Governance executive summary. Available online:

ITGI (2002). IT Strategy committee. Available online:

Kakabadse, N. K., & Kakabadse, A. (2001). IS/IT Governance: Need for an integrated model. Corporate Governance, 1(9), 9–11.

Kaplan, R., & Norton, D. (1992). The balanced scorecard - measures that drive performance. Harvard Business Review, (January/February), 71–79.

Kaplan, R., & Norton, D. (1993). Putting the balanced scorecard to work. Harvard Business Review, (September/October), 134–142.

Kaplan, R., & Norton, D. (1996). The balanced scorecard: Translation vision into action. Harvard Business School Press.

Kaplan, R., & Norton, D. (1996). Using the balanced scorecard as a strategic management system. Harvard Business Review, (January/February), 75–85.

Lie, C. L. (2001). Modelling the business value of Information Technology. Information and Management, 39(2), 191–210.

Luftman, J. (2000). Assessing Business-IT alignment maturity. Communications of AIS, 4.

Luftman, J., & Brier, T. (1999). Achieving and sustaining business-IT alignment. California Management Review, 42(1), 109–122.

Ministry Of International Trade And Industry (1999). Corporate approaches to IT Governance. Available online:

OECD. (1999). OECD principles of corporate governance. Available online:

Parker, M. (1996). Strategic transformation and information technology. Upper Saddle River, NJ: Prentice Hall.

Patel, N.V. (2003). An emerging strategy for e-business IT Governance. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Peterson, R. R. (2003). Information strategies and tactics for Information Technology governance. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Porter, M. (1980). Competitive strategy. New York: The Free Press.

Porter, M. (1985). Competitive advantage. New York: The Free Press.

Porter, M. (2001). Strategy and the Internet. Harvard Business Review.

Ribbers, P. M. A., Peterson, R. R., & Parker, M. M. (2002). Designing Information Technology governance processes: Diagnosing contemporary practises and competing theories. Proceedings of the 35th Hawaii International Conference on System Sciences (HICCS), Maui. CD-ROM.

Rockart, J. (1979). Chief executives define their own data needs. Harvard Business Review, 57(2).

Rockart, J. (1982). The changing role of the Information Systems Executive: A critical success factors perspective. Sloan Management Review, 245(1).

Sambamurthy, V., & Zmud, R.W. (1999). Arrangements for Information Technology governance: A theory of multiple contingencies. MIS Quarterly, 23(2), 261–290.

Shleifer, A., & Vishny, W. (1997). A survey on Corporate Governance. The Journal of Finance, 52(2).

Smaczny, T. (2001). Is an alignment between business and Information Technology the appropriate paradigm to manage IT in today's organizations? Management Decisions, 39(10).

Strassman, P. (1990). The business value of computers. London: Business Intelligence.

Suomi, R., & Tähkäpää, J. (2003). Governance structures for IT in the health care industry. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Van Der Zee, J.T.M., & De Jong, B. (1999). Alignment is not enough: Integrating business and Information Technology management with the balanced business scorecard. Journal of Management Information Systems, 16(2).

Van Grembergen, W. (2002). Introduction to the Minitrack: IT governance and its mechanisms. Proceedings of the 35th Hawaii International Conference on System Sciences (HICCS), IEEE.

Van Grembergen, W., & Saull, R. (2001). Aligning business and Information Technology through the balanced scorecard at a major Canadian financial group: Its status measured with an IT BSC Maturity Model. Proceedings of the 34th Hawaii International Conference on System Sciences (HICCS), Maui. CD-ROM.

Van Grembergen, W., & Van Bruggen, R. (1997). Measuring and improving corporate Information Technology through the balanced scorecard technique. Proceedings of the European Conference on the Evaluation of Information Technology, Delft, The Netherlands.

Van Grembergen, W., Kritis, V., & Van Belle, J. L. (1997). Bedrijfsveranderingen met informatietechnologie (Business transformations through information technology). Kluwer, Deventer (NL).

Van Grembergen, W., Saull, R., & De Haes, S. (2003). Linking the IT balanced scorecard to the business objectives at a major Canadian financial group. In W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing.

Venkatraman, N. (1999). Valuing the IS contribution to the business. Computer Sciences Corporation.

Weill, P. (2002). Research Briefing. MITSloan, 2, nr. 2C.

Willcocks, L. (1995). The evaluation of information systems, investments, Information management. London: Chapman & Hall.

Appendix: Executive Responsibilities of the Board, the CIO and the CEO

Duffy, J. (2002). IT Governance and Business Value Part 2: Who's responsible for what? IDC document # 27807.


Board responsibility

CEO responsibility

CIO responsibility

Executive responsibility for IT/Business partnership

At a time when business and technology are entirely interdependent, the Board has responsibility for confirming that the IT leaders and the IT department are delivering maximum value as defined in the organisation's strategic plan. It is also in the Board's purview to ensure that policy requires the plan to be validated on a regular basis and allows for it to be updated as required.

It is the CEO's responsibility to ensure that business and IT strategies are fully harmonized and that the CIO is provided with a credible management context in which to execute against the plan. It is the CEO's responsibility to ensure that the CIO is a key business player and a full partner in the executive decision-making process. The CEO defines the CIO's roles and responsibilities and supports him or her in responding to the Board's requirements.

It is the CIO's responsibility to interpret the business strategy in terms of IT requirements, to proactively seek ways in which the IT value contribution can be increased, and to develop the vertical and horizontal relationships needed in order to successfully execute against a fully harmonized IT/business strategy.

Executive responsibility for HR organization and management

The role of the Board is value creation, and in that context, the members have the responsibility to ensure that the people appointed to key positions have the appropriate skills and competencies and that performance measures and compensation plans are in the long-term interests of the company and its shareholders. The Board also has the responsibility to ensure that the overall organisational structure (including IT) complements the business model and direction.

The CEO is responsible for ensuring a match between the skills needed by the business and the types of individuals hired. The CEO is also responsible for ensuring that the CIO is given the support needed to hire and retain people with the best IT skills available.

The IT executive has responsibility for maintaining the credibility of the IT organisation, ensuring that the positions and roles critical to driving maximum business value from technology have been clearly defined and staffed with the appropriate people.

Executive responsibility for IT/Business architectures

As the steward responsible for shareholder assets, the Board must review the IT/business architecture and the standards and processes it encompasses to ensure that it mitigates risks associated with legislative and regulatory compliance, ethical use of information, and business continuity. The Board also has responsibility for confirming that the IT/business architecture is designed to drive maximum business value and return.

The CEO is responsible for promoting the IT/business architecture and enlisting the support of other executives. It is also the responsibility of the CEO to give the CIO the authority to effectively develop and manage the IT architecture to ensure full alignment with the business. The CEO ensures that the IT/business architecture reflects the need for legislative and regulatory compliance and the ethical use of information and satisfies the requirement for business continuity.

The CIO has responsibility for planning IT, setting standards, establishing IT policy, and designing and managing architectures that ensure integrated information and technology management across the organisation and throughout the technology life cycle. The CIO is responsible for implementing standards and processes that ensure legislative and regulatory compliance and the ethical use of information and that satisfy the requirement for business continuity.

Executive responsibility for operational excellence

Ultimate responsibility for risk management rests with the Board. The Board is responsible for overseeing the management of any arrangements with third parties, confirming that potential risks have been mitigated. It is the Board's responsibility to guide the definition of operational excellence and to monitor the organisation's progress in achieving the goals that have been established and mutually agreed upon, recommending corrective action as needed.

The CEO is responsible for the organisation's system of internal control and ensuring that clear accountability for risk management is embedded in the operations of the organisation. The CEO is responsible for ensuring that arrangements and agreements with third parties do not put the organisation at risk. The CEO is responsible for implementing the policies and processes that underpin operational excellence and ensuring that the appropriate resources are in place to facilitate execution.

It is the CIO's responsibility to ensure that measurable value is delivered on time and on budget. The CIO is responsible for the day-to-day management and verification of IT processes and controls. The CIO is also responsible for ensuring appropriate governance at the individual project or initiative level. It is the CIO's place to inform the CEO and the Board of identified risks. The CIO is responsible for providing liaison with any third parties, minimizing the risk of duplicate effort and redundancy.

Executive responsibility for innovation and renewal

It is the Board's responsibility to ensure that the organisation is sufficiently adaptive to respond to changing demands. The Board is also responsible for ensuring that investment in the future is not sacrificed in order to maintain the status quo.

It is the CEO's responsibility to ensure that the organisation is flexible and adaptive and that it is in the best position to capitalise on its information and knowledge to sense what is happening in the market.

The CIO is responsible for ensuring that IT and IT-related processes are focused on improving business value currently and in the future. The CIO is responsible for monitoring emerging technologies and identifying when and how they would be of benefit to the organisation.

Executive responsibility for ROI strategy and management

The Board is responsible for ensuring that IT delivers on the promise of related strategies through clear expectations and measurement. The Board must work with the CEO to define and monitor performance measures. It is also the Board's responsibility to ensure that IT investments represent a balance of risk and benefit and that budgets are acceptable and reflect the overall organisation's financial direction.

The CEO is responsible for ensuring strong links between business objectives and performance measures. It is the CEO's responsibility to develop an appropriate incentive scheme to drive adherence to the performance measures. The CEO is responsible for integrating the IT budget and investment plan into the overall financial plan, ensuring that it is realistic, balanced, and achievable. The CEO is then responsible for reporting progress to the Board on a regular basis.

The CIO is responsible for developing and managing the IT budget, including short-term and long-term investment strategies. The CIO is responsible for developing a realistic IT performance measurement plan, along with appropriate metrics. In conjunction with the CEO, it is the CIO's responsibility to implement and manage a performance measurement scheme. The metrics used by the CIO should be linked directly to achievement of business goals and, wherever possible, be assigned a financial value.

Strategies for Information Technology Governance
ISBN: 1591402840
EAN: 2147483647
Year: 2002
Pages: 182