Practices in IT Governance and Business/IT Alignment

Steven De Haes, Ph.D., and Wim Van Grembergen, Ph.D.

In many organisations, information technology (IT) has become crucial in the support, sustainability and growth of the business. The pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance, which consists of the leadership, organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategy and objectives.

Today, IT governance is high on the agenda in many organisations and, as a result, high-level IT governance models are being created. However, developing a high-level IT governance model does not imply that governance is actually working in the organisation. The development of the IT governance model is the first step and the implementation of it, at a sustainable level, is the next. Once a specific IT governance model is chosen and implemented, it should enable IT to sustain and extend the business goals or, in other words, ensure that IT is aligned to the business needs. The challenge of the IT governance implementation and the subsequent impact on business/IT alignment are the core aspects of the research that is the subject of this article.

Looking at Belgium as the example, researchers at the University of Antwerp Management School asked: How are mid-sized to large financial service organisations implementing IT governance to achieve a better alignment between the business and IT? To break this question down further (see figure 1):

How are organisations implementing IT governance? The development of a high-level IT governance model does not imply that governance is actually working in the organisation. IT governance can be set up using a variety of structures, processes and relational mechanisms. The structures include ‘structural (formal) devices and mechanisms for connecting and enabling horizontal, or liaison, contacts between business and IT management (decision-making) functions’¹ (e.g., steering committees). Processes refer to ‘formalisation and institutionalisation of strategic IT decision making or IT monitoring procedures’² (e.g., IT balanced scorecard). The relational mechanisms are about ‘the active participation of, and collaborative relationship among, corporate executives, IT management, and business management’³ (e.g., training). Relational mechanisms are crucial in the IT governance framework and paramount for attaining and sustaining business/IT alignment, even when the appropriate structures and processes are in place.
What is the relationship between IT governance and business/IT alignment? As discussed previously, the goal of IT governance is to achieve better alignment between the business and IT. The ultimate question, therefore, is whether the implemented processes, structures and relational mechanisms enable the achievement of business/IT alignment. It is important to recognise that each of the applied processes, structures and relational mechanisms serves specific or multiple goals in the complex alignment challenge. However, dividing the IT governance framework into smaller pieces, and solving each problem separately, does not always solve the problem as a whole. A holistic approach to IT governance acknowledges its complex and dynamic nature, which consists of a set of interdependent subsystems (processes, structures and relational mechanisms) that compose a powerful whole.

It is recognised that focusing the research on only one sector and geographic area may limit the applicability of the research. On the other hand, it is believed that many conclusions are likely to be generic and applicable to other environments.

Research Methodology and Approach

The research strategy is based on a triangulation of multiple research methods: literature research, pilot case research, Delphi method research, benchmark research and extreme-case research. This triangulation enables a richer insight into the reality to be obtained. The different research methods are applied in parallel or sequentially, as shown in figure 2.

The research process started with exploring the research domain and defining the research questions through a detailed literature review in the domain of business/IT alignment and IT governance. The focus was on defining and refining the research questions and on finding an initial list of structures, processes and relational mechanisms that organisations can leverage to implement IT governance. To complement the initial list of IT governance practices, pilot cases were undertaken at KBC, Vanbreda, Sidmar-Arcelor, CM, AGF and Huntsman.

In exploring how Belgian financial services organisations are implementing IT governance, the Delphi research methodology was leveraged as a method to obtain consensus among a group of experts. Through different interview rounds, an expert panel composed of 22 consultants and senior IT and business professionals was asked to provide input regarding the perceived effectiveness (0 equals not effective, 5 equals very effective) and the perceived ease of implementation (0 equals not easy, 5 equals very easy) of IT governance practices. The respondents were also asked to provide the top 10 most important IT governance practices, which are, in their opinion, crucial elements or a minimum baseline of an optimal IT governance mix.

The following research step was aimed at exploring the relationship between IT governance implementations and business/IT alignment. This phase started with creating a business/IT alignment benchmark for the Belgian financial services sector based on a sample of 10 Belgian financial services organisations. In each organisation, five to 10 senior business and IT managers were asked to complete a questionnaire measuring business/IT alignment maturity (on a scale from 0 to 5). From the results of this benchmark, four extreme-case organisations were selected (two high performers and two low performers in terms of business/IT alignment), in which a workshop was organised (extreme-case research) to measure the maturity of the IT governance practices applied based on a generic maturity scale from 0 (non-existent) to 5 (optimised). The data collected allowed for detailed cross-case analysis that looked for causes that could explain why some organisations achieved a higher business/IT alignment score than other organisations.

Results of the Research

From the pilot-case studies, different drivers for adopting IT governance were identified. One of the most important is the need to comply with US Sarbanes-Oxley Act requirements, which significantly impact the control environment in IT. Other important drivers for IT governance are the push to achieve economies of scale after mergers and acquisitions and budget pressure, which resulted in a smaller budget for new projects. The challenge is to assign the remaining budget to projects and activities that deliver value to the business. Finally, some pilot-case companies mentioned that the IT governance project was more of an effort to formalise and structure existing mechanisms already applied.

How Are Organisations Implementing IT Governance?

The Delphi research revealed that, according to a group of 22 industry experts, Belgian financial services organisations can leverage a wide range of structures, processes and relational mechanisms to implement IT governance to support business/IT alignment. This research revealed a list of 33 IT governance practices at the level of strategic and executive/senior business and IT management. It should be noted that this list cannot be exhaustive and practices at the operational level are discarded in this research. These practices are shown in the first two columns of figure 3, with Sx being the structures, Px being the processes and Rx being the relational mechanisms.

The research demonstrated that, according to the expert group, some of the addressed practices are more effective or easier to implement than others (see columns at the right in figure 3). The five practices perceived as most effective for the Belgian financial services sector are an IT steering committee, the chief information officer (CIO) reporting to the chief executive officer (CEO)/chief operating officer (COO), the CIO serving on the executive committee, IT budget control and reporting, and portfolio management. All of these practices were also identified as being relatively easy to implement. The least effective practices are IT governance assurance and selfassessment, job rotation and COSO ERM.

Some practices were perceived as fairly effective, but not easy to implement. Good examples in this higheffectiveness/ low-ease-of-implementation domain are benefits management and reporting and charge-back arrangements. Another interesting case here is Control Objectives for Information and related Technology (COBIT). This framework is receiving a lot of attention in literature and in the field, yet with regard to ease of implementation, it scores just above average. Many of the practices referred to in this research are integral to the COBIT framework. The inclusion of these ‘harder to implement’ practices in COBIT, combined with the higher-level abstraction of its content, clearly impacts the P6 ease of implementation result, as indicated in figure 3.

An interesting finding to pinpoint is that many IT governance definitions stress the prime responsibility of the board of directors in IT governance, whilst these results reveal that the mechanisms to achieve this (IT expertise at level of board of directors and IT strategy committee) are rated relatively low in terms of perceived effectiveness. This can possibly be explained by the fact that making the board of directors more IT-literate is not easy to achieve, which is confirmed by the second-to-last score in terms of ease of implementation of IT expertise at the level of the board of directors. The results of this research raise questions on how financial services organisations realise this board involvement in practice.

If averages are calculated for effectiveness and ease of implementation for all the structures, processes and relational mechanisms (see figure 4), it appears that structures and processes are, in general, perceived as being equally effective. However, it appears that IT governance structures are perceived as being easier to implement than IT governance processes, although in many cases they are closely related.

A good example here is the IT steering committee, which is a crucial element to build a portfolio management process, but which is also perceived as being much easier to implement than the whole portfolio management process. Relational mechanisms are also perceived as easier to implement than IT governance processes, probably because some relational mechanisms can have a very informal character (e.g., R7 informal meetings between business and IT executive/senior management).

The Delphi research also resulted in a list of IT governance practices that can be regarded as a minimum baseline to implement IT governance. This suggests that, in implementing IT governance within a specific financial services organisation, these minimum baseline mechanisms may play an important role. These practices are IT steering committee, CIO on executive committee, IT portfolio management, IT budget control and reporting, IT strategy committee, strategic information systems planning, IT leadership, CIO reporting to the CEO or COO, IT project steering committee, and project management methodologies.

It was surprising that only one relational mechanism was reported in this minimum baseline (IT leadership) whilst many authors on this topic stress that the relational mechanisms are crucial enablers for IT governance. A possible explanation is that, just as in literature, less-detailed knowledge and expertise are available on relational mechanisms, often resulting in a more intangible and informal character. On the other hand, it should be noted that many other relational mechanisms, such as business/IT account management, senior management giving a good example, and informal meetings between business and IT executive/senior management, attained very positive scores in terms of effectiveness and ease of implementation and, therefore, should be considered when complementing the minimum baseline.

It is also important to point out that the aforementioned minimum baseline should be regarded as a holistic set of practices, contributing as a whole to better business/IT alignment. This insight explains that some of the individual practices, such as the IT strategy committee, received a lower score for effectiveness. Its value, however, is constituted in being part of the minimum baseline, enabling the other practices to operate and be effective.

What Is the Impact of IT Governance on Business/IT Alignment?

After measuring alignment in 10 Belgian financial services organisations, it appears that the overall business/IT alignment maturity is 2.69 on a scale of five in the Belgian financial services sector (figure 5).

The benchmark contained two organisations with a relatively high business/IT alignment maturity compared to the overall average (high performers, I and J) and two organisations with a relatively low business/IT alignment maturity compared to the benchmark (low performers, A and B). The other six organisations were situated around the overall average. An interesting consideration here is what the desired target or to-be situation would be for the financial services sector. There is no literature available in this domain, but taking the high dependency on IT into account, one could argue that a maturity level of at least 3 would be required, which implies standardised and documented processes and procedures.

In each of these extreme cases, it was assessed at which maturity level (on a scale from 0, non-existent, to 5, optimised) the organisation was applying each of the 33 IT governance practices discussed earlier. When comparing the averages of maturity of IT governance practices (structures, processes and relational mechanisms) in those extreme cases, it appears that in general the high performers have more mature IT governance structures and processes, as shown in figure 6. This figure also shows that on average, where processes are less mature than structures, it is more difficult to implement processes than structures, which was also discussed in the previous section.

It was also shown that the organisations with low business/alignment maturity did have a lot of practices in place, but the average maturity of these practices was below maturity level 2, as shown in figure 7. This might indicate that the impact on business/IT alignment of IT governance practices that have a maturity level lower than 2, is limited.

The impact of relational mechanisms on business/IT alignment maturity was not clearly demonstrated in this research (figure 6). However, the research did find that the two high performers had started their IT governance implementation many years ago and were at a point that many structures and processes are embedded in day-to-day practices. At that time, the importance of relational mechanisms becomes less important. The relational mechanisms are more important in the initiating phase of IT governance, in which the two low performers were situated.

Analysing the high performers in more detail revealed that they distinguish themselves by a set of IT governance practices that were also proposed in the Delphi research as minimum baseline IT governance practices. From this previously defined set of 10 minimum baseline practices, seven appear to be clearly present and mature (above maturity level 2) amongst the high performers. This reduced set is called the key minimum baseline and constitutes the following practices: IT steering committee, IT project steering committee, portfolio management, IT budget control and reporting, CIO reporting to the CEO/COO, project governance/management methodologies, and IT leadership.

An interesting IT governance practice that was not used by any of the organisations, although it is promoted by experts and thought leaders as being very important,⁴ is the IT strategy committee at the level of the board of directors. This practice is promoted as a structure to ensure that the board gets involved in a structured way in IT governance issues. During the interviews, three out of four organisations stated that board involvement in IT governance is not feasible and probably not required. The representatives of the shareholders were found to be more concerned with the core financial services activities and less concerned with (operational) IT issues. Another IT governance practice that was indicated as irrelevant for alignment purposes was COSO ERM. While this was recognised as a good framework for general internal control, the value for governance or impact on alignment did not appear at all.

Conclusions

This research revealed that IT governance is indeed high on the agenda and that organisations with a mature mix of structures, processes and relational mechanisms achieved a higher degree of business/IT alignment maturity compared to other organisations. Some detailed conclusions were drawn regarding IT governance structures, processes and relational mechanisms. It was demonstrated that it is easier to implement IT governance structures than IT governance processes. Relational mechanisms also appeared to be very important in the beginning stages of an IT governance implementation project and become less important when the IT governance framework gets embedded into day-to-day operations.

This research also provides a key minimum baseline of seven IT governance practices that each organisation should have and supplement with practices that are highly effective and easy to implement. When an organisation wants to implement these practices, it must ensure that at least a maturity level of 2 is obtained, to guarantee that it positively impacts business/IT alignment.

The best approach to implement IT governance is to start with setting up these seven key minimum baseline IT governance practices. This core set of practices should be supplemented with other key practices that are highly effective and relatively easy to implement. At the initial stages of such IT governance projects, sufficient attention should be given to relational mechanisms to ensure the commitment of all the involved people in the process. Once the governance culture is embedded in the implemented structures and processes, these relational mechanisms require less attention.

References

De Haes S.; W. Van Grembergen; ‘IT Governance Best Practices in Belgian Organisations’, proceedings of the Hawaii International Conference on System Sciences, USA, 2006

Nolan, R.; F.W. McFarlan; ’Information Technology and the Board of Directors’, Harvard Business Review, 83(10), 2005, p. 96-106

Sledgianowski D.; J. Luftman; R.R. Reilly; ‘Development and Validation of an Instrument to Measure Maturity of IT Business Strategic Alignment Mechanisms’, Information Resources Management Journal, 19(3), 2006, p. 18-33

Van Grembergen, W.; S. De Haes; Information Technology Governance: Models, Practices, and Cases, IGI Publishing, 2008

Van Grembergen, W.; S. De Haes; E. Guldentops; ‘Structures, Processes and Relational Mechanisms for IT Governance’, in Van Grembergen, W. (Ed.), Strategies for Information Technology Governance, Idea Group Publishing, 2003

Weill, P.; J. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, USA, 2004

Endnotes

¹ Peterson, R. R.; ‘Information Strategies and Tactics for Information Technology Governance’, in Strategies for Information Technology Governance, Idea Group Publishing, 2003

² Ibid.

³ Ibid.

⁴ IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, 2003, www.itgi.org. Monnoyer, Willmott P.; ‘What IT Leaders Do: Companies That Rely on IT Governance Systems Alone Will Come Up Short’, McKinsey Quarterly, 2005

Authors’ Note:

The results reported in this article are based on Ph.D. research executed by Steven De Haes under the direction of Professor Wim Van Grembergen at the University of Antwerp Management School (www.uams.be/itag).

Steven De Haes, Ph.D.
is responsible for the information systems management executive programmes and research at the University of Antwerp Management School. He is managing director of the Information Technology Alignment and Governance (ITAG) Research Institute and recently finalised a Ph.D. on IT governance and business/IT alignment. He has been involved in research and development activities of several COBIT products. He can be contacted at steven.dehaes@ua.ac.be.

Wim Van Grembergen, Ph.D.
is a professor at the Information Systems Management Department of the University of Antwerp and an executive professor at the University of Antwerp Management School. He is academic director of the ITAG Research Institute and has conducted research in the areas of IT governance, value management and performance management. Over the past years, he has been involved in research and development activities of several COBIT products. He can be contacted at wim.vangrembergen@ua.ac.be.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.


What is CISA	What is CISM	What is CGEIT	What is CRISC
Benefits of CISA	Benefits of CISM	Benefits of CGEIT	Benefits of CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC


COBIT 5 Home
Product Family
Education and Training
News
Recognition
Join the Conversation
Looking for COBIT 4.1?