Professional Documents
Culture Documents
IT Governance Research
IT Governance Research
IT Governance Research
Abstract IT governance is one of these concepts that suddenly emerged and became an important
issue in the information technology area. Many organisations started with the implementation of IT
governance to achieve a better alignment between business and IT. This paper carries interpretations
regarding important existing theories, models, and practices in the IT governance domain and presents
research questions derived from it. Next, multiple research strategies are triangulated in order to explore
how organisations are implementing IT governance and to analyse the relationship between these implementations and business/IT alignment. The major finding is that business/IT alignment maturity is
higher when organisations are applying a mix of mature IT governance practices.
124
IT Governance
Processes
Business/IT
alignment
Structures
Relational
mechanisms
Figure 1.
Research framework.
125
Figure 2.
Research process.
126
Delphi Research
In further completing the initial list of IT governance
practices and specifying it for the Belgian financial
organisations, the Delphi research methodology was
leveraged. The Delphi method can be characterized as a
method for structuring a group communication process
so that the process is effective in allowing a group of individuals, as a whole, to deal with a complex problem
(Linstone & Turoff, 1975). This method is particularly
suited as a methodology for this research as the Delphi
method technique lends itself especially well to exploratory theory building on complex, interdisciplinary
issues, often involving a number of new or future trends
(Akkermans et al., 2003). An expert panel was composed of
29 consultantssenior IT and senior business professionals
who are all knowledgeable about organisations operating in the Belgian financial services sector. From this
group, 22 experts continued to be involved in the full
Delphi research effort (25% drop off rate), with six senior
business/audit managers, eight senior IT managers, and
eight senior business/IT consultants.
Using the Delphi method, these financial services
sector experts needed to complete questionnaires in
three consecutive rounds. Similar to the Delphi research
work of Keill et al. (2002), the Delphi research started
Table 1.
Company
KBC (in-depth case)
Vanbreda (mini case)
Sidmar-Arcelor (mini case)
CM (mini case)
AGF Belgium (mini case)
Huntsman (mini case)
Industry
# Interviewees
Finance
Insurance
Steel
Insurance
Insurance
Chemicals
6
3
2
3
2
2
domains: communication, competency and value measurement, governance, partnership, scope and architecture and skills. Each question had to be rated on a scale
from zero to five.
127
practices within the case organisation. These workshops were structured according to the list of
33 IT governance practices as defined earlier in the
Delphi research. During the workshop, the participants were asked to come to a consensus regarding the
maturity for each of the 33 practices. This maturity
assessment was based on a generic maturity model
(Table 2) as proposed by the IT Governance Institute
(ITGI, 2003), providing a scale from 0 (non-existent) to
5 (optimised).
0 Non-existent.
Complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.
1 Initial/Ad Hoc.
There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised
processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to
management is disorganised.
3 Defined Process.
Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should
be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the
formalisation of existing practices.
5 Optimised.
Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with
other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness,
making the enterprise quick to adapt.
ITGI, 2003, Board Briefing on IT Governance, www.itgi.org.
128
Delphi Research
The goal of the Delphi research was to further complete
the initial list of IT governance practices and to make the
list specific for the Belgian Financial services sector.
The Delphi research revealed a list of 33 IT governance
practices for the Belgian financial services sector. It
should be noted that this list cannot be exhaustive, and
the practices at operational level are discarded in this
research. These practices are shown in the first two columns of Table 4, with Sx being the structures, Px being
the processes and Rx being the relational mechanisms.
The research demonstrated that, according to the
expert group, some of the addressed practices are
perceived as being more effective or easy to implement
compared to others (see columns at the right in Table 4:
effectiveness and ease of implementation). The five practices perceived as the most effective for the Belgian financial services sector are IT steering committees, CIO
reporting to the CEO/COO, CIO on executive committee, IT budget control and reporting, and portfolio
management. All these practices were also identified as
being relatively easy to implement. The least effective
practices are IT governance assurance and self-assessment, job-rotation, and COSO/ERM.
Some practices were perceived as effective but not easy
to implement. Good examples in this high-effectiveness/
low ease of implementation domain are benefits management and reporting and charge back arrangements,
Table 3.
129
Structures
Name
KBC
Integration of
governance/alignment
tasks in roles&responsibilities
IT steering committee(s)
IT strategy committee
CIO on Executive
Committee
CIO reporting to CEO
Architecture Committee
Processes
Strategic information
systems planning
Balanced scorecard
Portfolio management
(incl. Information
economics)
Charge back
arrangements (ABC)
Service Level
Agreements
COBIT
Relational Mechanisms
Job-rotation
Co-location
Cross-training
Knowledge
management
(on IT governance)
Business/IT account
managers
Senior management
giving the good example
Informal meetings
between business and IT
senior management
IT leadership
Monnoyer&Willmott, 2005;
Smith, 2006
AGF
VanBreda
Huntsman
Sidmar
CM
x
x
x
x
x
130
Table 4.
Index
IT governance
structures
S1
S2
S3
S4
S5
S6
S7
IT governance
processes
IT strategy committee
at level of board of
directors
IT expertise at level of
board of directors
(IT) audit committee at
level of board of
directors
CIO on executive
committee
CIO (Chief Information
Officer) reporting to
CEO (Chief Executive
Officer) and/or COO
(Chief Operational
Officer)
IT steering committee
(IT investment evaluation / prioritisation
at executive / senior
management level)
IT governance function
/ officer
S8
Security / compliance /
risk officer
S9
S10
IT security steering
committee
S11
Architecture steering
committee
S12
Integration of governance/alignment
tasks in roles&
responsibilities
Strategic information
systems planning
IT performance
measurement (e.g. IT
balanced scorecard)
P1
P2
P3
P4
Portfolio management
(incl. business cases,
information economics, ROI, payback)
Charge back arrangements - total cost of
ownership
(e.g. activity
based costing)
Effectiveness
(from 05)
Ease of Implementation
(from 05)
3,67
3,4
3,14
2,18
3,22
3,4
4,38
3,56
4,5
4,21
4,69
3,35
2,93
3,11
3,28
4,06
4,03
4,01
2,82
3,61
3,04
3,14
3,18
2,63
3,82
2,82
3,97
2,76
4,13
2,67
3,28
2,4
Definition
(Continued)
Table 4.
Index
P6
IT governance
framework COBIT
IT governance
assurance and
self-assessment
Project governance /
management
methodologies
IT budget control and
reporting
Benefits management
and reporting
P7
P8
P9
P10
IT governance
relational
mechanisms
P11
R1
COSO / ERM
Job-rotation
R2
Co-location
R3
Cross-training
R4
Knowledge
management
(on IT governance)
Business/IT account
management
R5
R6
R7
R8
R9
R10
Executive / senior
management giving
the good example
Informal meetings
between business
and IT executive/
senior management
IT leadership
Corporate internal
communication
addressing IT on a
regular basis
IT governance awareness campaigns
(Continued)
Effectiveness
(from 05)
Ease of Implementation
(from 05)
3,47
3,13
3,36
2,42
2,79
2,54
4,1
2,94
4,13
2,85
2,36
2,39
2,35
2,04
2,36
2,79
3,01
2,76
2,82
3,24
2,68
3,79
3,36
3,88
2,81
3,79
3,88
3,89
2,82
3,43
3,69
2,83
3,14
IT Governance Practice
P5
131
Definition
132
3,5
3
2,5
Structures
Processes
1,5
Relational mechanisms
1
0,5
0
Perceived
effectiveness
Perceived ease of
implementation
Figure 3. Average
implementation.
effectiveness
and
ease
of
relational mechanisms are crucial enablers for IT governance (Keill et al., 2002; Weill & Broadbent, 1998;
Henderson et al., 1993; Callahan & Keyes, 2003). A possible explanation is that, just as in literature, less detailed
knowledge and expertise is available on relational mechanisms which often have a more intangible and informal
character. On the other hand, it should be noted that
many other relational mechanisms, such as business/IT
account management, senior management giving good
example, and informal meeting between business and
IT executive/senior management, attained very positive
scores, in terms of effectiveness and ease of implementation. It should certainly be considered, therefore, when
Table 5.
S6
S4
P3
P9
S1
R8
P1
S9
S5
P8
IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
CIO on executive committee
Portfolio management (incl. business cases, information economics, ROI, payback)
IT budget control and reporting
IT strategy committee at level of board of directors
IT leadership
Strategic information systems planning
IT project steering committee
CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
Project governance / management methodologies
Table 6.
Organisation
A
B
C
D
E
F
G
H
I
J
Main Activities
Banking and Insurance
Banking and Insurance
Banking
Banking
Banking and Insurance
Financial transaction services
Banking and Insurance
Banking and Insurance
Banking and Insurance
Banking and Insurance
133
Deviation
from
average
Total
Alignment
maturity Score
2,10
0,52
Total number
of respondents
Number of IT
respondents
Number of
business
respondents
A
B
C
D
E
F
G
H
I
J
0,59
2,16
2,56
0,12
2,67
0,02
2,71
0,03
2,72
0,04
10
2,74
0,06
2,91
0,22
3,11
0,43
0,48
11
3,17
Total
Total
Total
Average
84
44
40
2,69
G
F
<<
A B
1,0
1,1
1,2
1,3
1,4
1,5
1,6
1,7
1,8
1,9
2,0
Figure 4.
2,1
2,2
C D E
2,3
2,4
2,5
2,6
2,7
H
2,8
2,9
3,0
3,1
3,2
>>
3,3
3,4
3,5
3,6
3,7
3,8
3,9
4,0
industries, such as manufacturing, because of the highdependency on IT and the strong impact of regulations.
134
3,5
3
2,5
S1
S2
S3
S4
S5
S6
S7
S8
S9
S10
S11
S12
P1
P2
P3
P4
P5
P6
P7
P8
P9
P10
P11
R1
R2
R3
R4
R5
R6
R7
R8
R9
R10
0
4
3
2
2
2
2
2
2
0
0
2
1
1
1
0
0
0
1
2
1
0
0
1
5
2
3
2
2
2
1
2
1
1,48
0
1
3
5
5
2
0
3
2
0
0
1
2
2
2
0
0
0
0
3
2
1
0
0
2
0
3
0
2
0
4
0
1
1,39
0
0
3
2
4
4
4
4
4
0
1
2
1
4
4
2
2
1
1
3
4
1
0
1
3
2
4
0
5
0
4
2
1
2,21
0
1
3
0
5
4
4
5
4
4
3
5
4
4
4
5
4
4
1
4
5
3
0
2
3
1
4
4
5
0
4
3
1
3,12
4,00
3,50
3,00
J
I
B
A
2,50
2,00
1,50
1,00
0,50
0,00
Structures
Figure 5.
Processes
Relational Mech.
general the high performers have more mature IT governance structures and processes, as shown in Figure 5.
This figure also shows that that processes on average
were less mature compared to structures, indicating
that it is more difficult to implement processes
compared to structures, which was also discussed in
previous section.
2
1,5
1
0,5
0
A
Figure 6.
Table 8.
S6
P3
P9
R8
S9
S5
P8
135
IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
Portfolio management (incl. business cases, information economics, ROI, payback)
IT budget control and reporting
IT leadership
IT project steering committee
CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
Project governance / management methodologies
issues. During the interviews, three out of four organisations stated that board involvement in IT governance is
not feasible and probably not required. The representatives of the shareholders are more concerned with the
core financial services activities and less worried about
(operational) IT issues. Another IT governance practices
that was indicated as not being relevant for alignment
purpose was COSO/ERM. While the latter was recognised as probably a very good framework for general internal control, the value for governance or impact on
alignment did not appear at all.
Conclusions
As a general conclusion of this exploratory study, this
research revealed that IT governance is indeed high on
the agenda. Our research suggests that there is a clear
relationship between the use of IT governance practices
and business/IT alignment. It appeared that highly
aligned organisations do indeed leverage more mature IT
governance practices compared to poorly aligned organisations.
Some detailed conclusions were drawn regarding IT
governance structures, processes and relational mechanisms. It was demonstrated that it is easier to implement
IT governance structures compared to IT governance processes. It also appeared that relational mechanisms are
very important in the beginning stages of an IT governance implementation project and become less important when the IT governance framework is embedded
into day-to-day operations. For some specific IT governance practices, the research provides indications that
contradict existing literature. A good example is the
involvement of the board of directors in IT governance,
which is promoted by many authors in literature, but
was not supported in this research. This research also
provides a key minimum baseline of seven IT governance
practices that each organisation at least should have and
supplement with practices that are highly effective and
easy to implement. When an organisation wants to
implement these practices, it has to make sure that at
least a maturity level of two is obtained, to ensure that it
positively impacts business/IT alignment.
Future Research
It was explained in the beginning of this manuscript that
the focus of this research was on the Belgian financial
services sector only, negatively impacting the generalisability of this research. However, it can be expected that
many conclusions might apply to other sectors as well.
Further research could support that assumption but
should also address the impact of specific contingencies
such industry, geography, size of the organisation and/or
IT department, business strategy, etc.
In addition, this research is based on a snapshot in
time, and future research could be dedicated to verify how
implementations evolve over time. For example, this
research provides indications that relational mechanisms
are more important in the initiating phases of IT governance, but monitoring an organisation over time could provide valuable data to support or refute this statement.
Finally, it should be noted that this research is exploratory in the first place instead of hypothesis testing
(amongst other reasons due to the small sample size). It
does however provide some interesting potential hypotheses
to be tested in further (parametric and/or non-parametric)
statistical correlation research, for example to further validate the accuracy of the defined key minimum baseline for
IT governance. Larger data sets, potentially also covering
more internal and external contingencies, are required to
enable this more statistical approach.
136
Author Bios
Steven De Haes, PhD, is responsible for the Information
Systems Management executive programs and research
at the University of Antwerp Management School (UAMS)
and is guest lecturer at the University of Antwerp (UA). He
has teaching assignments in executive programs in the
domain of IT governance & assurance, alignment and IT
performance measurement. He is actively engaged in
applied research within the IT Alignment and Governance (ITAG) Research Institute (www.uams.be/ itag). He
performs research and project management assignments
for the IT Governance Institute (ITGI) in the domain of IT
governance and assurance and in this capacity contributed to many publication issued by ITGI (COBIT 4, VALIT
and IT Assurance Guide). He has several publications on
IT governance and business/IT alignment in leading journals and acts as advisor to firms in these domains.
Wim Van Grembergen, PhD, is professor at the Economics and Management Faculty of the University of Antwerp (UA) and executive professor at the University of
Antwerp Management School (UAMS). He teaches
information systems at bachelor, master and executive level, and researches in IT governance, IT strategy,
IT assurance, IT performance management and the IT
balanced scorecard. Within his IT Alignment and
Governance (ITAG) Research Institute (www.uams.be/
itag) he conducts research for ISACA/ITGI on IT governance and supports the continuous development of
COBIT. He is also member the IT Governance Committee, ISACA/ITGIs strategic committee. Van Grembergen is a frequent speaker at academic and
professional meetings and conferences and has served
in a consulting capacity to a number of firms. He has
several publications in leading academic journals and
published books on IT governance and the IT balanced
scorecard.
References
Ahituv. N., Neumann, S., & Zviran, M. (1989). Factors affecting
the policy for distributing computing resources. MIS Quarterly,
13 (2): 316.
Akkermans, H. A. et al. (2003). The impact of ERP on supply chain
management: exploratory findings from a European delphi
study. European Journal of Operational Research, 146, 284301.
Avison, D., Jones, J., Powell, P., & Wilson D. (2004). Using and
validating the strategic alignment model. Journal of Strategic
Information Systems, 13, 223246.
Bacharach, S. B. (1989). Organisational theories: some criteria
for evaluation. Academy of Management Review, 14 (4).
Benbasat, I., & Zmud, R.W. (1999). Emperical research in Information Systems: the practice of relevance. MIS Quarterly, 23 (1):
20, 197.
Bergeron, F., Raymond, L., & Rivard, S. (2003). Ideal Patterns of
Strategic Alignment and Business Performance. Information &
Management, 41 (8), 10031020.
137
Schmidt, R. (1997). Managing Delphi surveys using nonparametric statistical techniques. Decision Sciences, 28 (3): 763774.
Siegel, S. (1998). Nonparametric statistics for the behavioural sciences.
New-York: McGraw-Hill.
Sledgianowski, D., Luftman, J. & Reilly, R. R. (2006). Development and Validation of an Instrument to Measure Maturity of
IT Business Strategic Alignment Mechanisms. Information
Resources Management, 19 (3), 1833.
Smith, G. (2006). Straight to the Top - Becoming a World-Class CIO.
Chichester, West Sussex, UK: John Wiley & Sons.
Teo, T.S.H., & King, W. (1999). An empirical study of the
impacts of integrating business planning and information systems planning. European Journal on Information
Systems. 8 (3): 200210.
Van Grembergen, W. (2001). Introduction to the Minitrack: IT
Governance and its Mechanisms. In Proceedings of the 35th
Hawaii International Conference on System Sciences (HICSS), HICSS35, January 710, 2002, Hilton Waileoloa Village, Island of
Hawaii.
Van Grembergen, W., De Haes, S., & Guldentops, E. (2003).
Structures, Processes and Relational Mechanisms for IT
Governance. In Van Grembergen (ed), Strategies for Information Technology Governance. Hershey, PA: Idea Group
Publishing.
Weill, P., & Broadbent (1998). Leveraging the New Infrastructure:
how Market Leaders Capitalize on Information Technology. Boston:
Harvard Business School Press.
Weill, P., & Ross, J. (2004). IT Governance: How Top Performers Manage IT
Decision Rights for Superior Results. Boston: Harvard Business School
Press.