JOnline: IT Governance Implementation Using the 3P Model—A Staged Approach 


Today’s chief information officers (CIOs) and IT organizations are faced with two typical challenges:

  1. Existing IT applications and infrastructure need to run smoothly to ensure the ongoing business.
  2. New IT trends need to be identified, validated and implemented to generate added value to the business.

While ensuring availability and maintenance of running systems is considered to be the duty or compulsory exercise of an IT organization (i.e., running the business), the analysis of new IT trends and their business-focused implementation (i.e., innovating the business) is often not yet regarded as an important role and responsibility of the IT organization. A 2007 Forrester survey¹ of 75 global chief executive officers (CEOs) confirmed that although 60 percent of the CEOs are satisfied with the overall performance of IT, only 30 percent consider IT a proactive leader in process improvement and only 28 percent regard IT as a proactive leader in innovation. On top of this, the CIO’s fields of operation are getting more complex due to quickly varying business needs and the changing technology environment. The launch of an enterprisewide IT governance initiative can be regarded as a starting point for each CIO to be at the forefront of strengthening the positioning of IT within the business organization.

A previous article² defined IT governance, highlighted the importance of establishing IT governance to strengthen the IT and business strategy alignment, and described a generic model that can be used to speed implementation. This article presents and describes a case study in implementing IT governance at a global business organization using the 3P Model.³

Business Driver Identification and Organizational Readiness Assessment

Introducing and implementing IT governance requires strong and proven program management skills and expertise. While the 3P Model offers a generic organizational framework for addressing central aspects of IT governance implementation, a pragmatic approach is required to provide visibility to key stakeholders on the progress of the initiative and to ensure continuous communication of results. For this purpose, a proven staged methodology has been developed, as depicted in figure 1.

Figure 1

This methodology is applicable regardless of the size of the initiative; it encourages management commitment and involvement and endorses good project/program management practices. This road map is to be perceived as a continuous improvement approach that is followed iteratively throughout the three perspectives of the 3P Model, building a sustainable business-as-usual process over the five stages:

1. Determine business drivers for the IT governance initiative—A central aspect in addressing the key issues (who, how and what) of an IT governance implementation program is to identify the business drivers for IT governance—in other words, answering the questions:

  • Why is the governance of the IT function needed?
  • What are the expected business outcomes for such an initiative?

The objective is to ensure in an early stage that the business needs behind the initiative have been identified and are clearly understood, and the focus will be on addressing these needs during the implementation program.

A proven method for identifying business drivers is awareness workshops with business and IT management leadership. The objective of the workshops is to enable senior management to discuss and agree on the objectives and expected outcomes of the initiative, while raising awareness of the importance and criticality of their involvement for its successful implementation. More efficient and timely delivery of the IT projects and ongoing visibility of global IT activities and initiatives have been identified as the key drivers of the considered IT governance program.

2. Analyze organizational readiness—Once the key drivers for the initiative are identified, the next stage is to assess the current capability of existing processes (process perspective) and the organizational structure (people perspective) to identify existing gaps and weaknesses, while setting improvement targets. Another critical aspect during this stage is the identification of key stakeholders and their ability to impact and support the initiative. During the project, Control Objectives for Information and related Technology (COBIT)⁴ and Val IT⁵ maturity models have proven to be pragmatic methodical guidance for conducting such an assessment, in addition to interviews and workshops with key stakeholders. While interviews are useful instruments to identify the personal opinions of the stakeholders (e.g., frustrations with the current status), workshops have proven to be helpful in facilitating the discussion among different stakeholder groups, since these groups usually do not have the chance to discuss their situation with each other.

3. Define and set initiative objectives and outcomes—While during the previous stage the focus is on the assessment of the current (as-is) state, the analysis of gaps and weaknesses, and the identification of key stakeholders, this stage emphasizes involving the stakeholders in discussing the future (to-be) state; defining the scope of the initiative; and getting their commitment for the improvement targets, objectives, and expected benefits and outcomes of the initiative. Once these objectives and outcomes are agreed upon, the next step is to design an implementation program, i.e., to define the set of project activities to be undertaken to achieve the objectives; establish the time period for completion; define key milestones and progress measurement metrics and link them to deliverables; determine methods to be used; and develop detailed plans with corresponding phases, activities and tasks. A key deliverable of this stage is the implementation master plan, as illustrated in figure 2, as input for the next stage.

Figure 2

4. Implement the IT governance program—Based on the agreed-upon objectives and the implementation plan, the implementation stage focuses on developing and implementing governance structures and processes to enable improvement realization toward the future state. At this stage, the 3P Model has been used as methodical support to ensure that the key aspects (portfolio, processes and people) of IT governance are properly addressed and adequately adapted to the organizational context. A key success factor of this stage has been the strong and ongoing involvement of the stakeholders during the design of the process through reviews and continuous feedback. Furthermore, leveraging existing governance structures and adapting them to the context of IT governance have proven to be sound approaches to get rapid buy-in for the proposed concept from senior management. This stage ends with a postimplementation review that serves as a baseline for the fine-tuning of the concept and for the preparation of the rollout.

5. Operationalize the governance processes—Building upon the postimplementation review, a fine-tuning of the concept is realized as the first step toward the preparation of the global rollout of the concept. A communication precampaign is started to proactively communicate the timeline of the key activities (e.g., training workshops, process rollout, deadline for go-live) to stakeholders and involved parties. A critical success factor during the precampaign is to clearly highlight and focus on the benefits and the expected business outcomes of the initiative. Training workshops should be realized in different regions with stakeholders and affected parties, to make everyone familiar with the future “new way” of working and sensitize them again to the positive impact of the change on the current situation. Other key activities of the rollout preparation are the identification and coaching of regional/local process owners who will act as change champions in each region/country; the goal here is to support the acceptance of change locally. The implementation of IT governance will deliver sustainable benefits only if the affected employees understand and accept the change.

The People Perspective: Structures, Roles and Responsibilities

IT governance describes the distribution of IT decision-making rights and responsibilities among different stakeholders in the organization.⁶ Thus, the allocation of decision rights and responsibilities is a key aspect of implementing IT governance.

In this regard, the starting point during the considered IT governance implementation project was to identify existing decision structures and allocated decision-making responsibilities throughout the organization, in an effort to determine if there were already some governance mechanisms in place. A further aspect was to assess the degree of formalization of the identified structures and their level of anchoring in the current decision-making process.

According to the IT investment decision-making archetypes (business monarchy, IT monarchy, federal, IT duopoly, anarchy),⁷ the current decision style in the IT organization was mapped and it was determined how the prevailing decision-making approach can be described and modeled. For this purpose, interviews were conducted with IT and business leadership to understand their perception of the decision-making process and determine the roots of the actual decision-making archetype. Furthermore, an assessment was made of the extent to which the current (i.e., previous) decision-making processes and mechanisms were compatible with the objectives of the IT governance initiative.

A key finding was that the prevailing decision-making archetype was quite similar to a business monarchy;⁸ thus, decisions on IT investments were made primarily by business executives (business unit [BU] leaders), since they were sponsoring the investments. That is, the IT organization—with some small exceptions—did not have any decision authority for IT investments.

It was also discovered that this business monarchy-like situation was one of the internal drivers for the IT organization in implementing IT governance. The IT leaders were aspiring to a new decision-making archetype in which IT could exercise a kind of veto or could be actively involved in the decision-making process.

A clear objective for the implementation stage was to find out the means to initiate an organizational change in the way decisions have been made around IT investments. The goal was to define decision structures that will bring together business executives and IT management leaders during the investment decision process in an effort to enforce business and IT alignment.

The main challenges were to demonstrate the need for such decision structures, convince corporate management how essential such structures are for successful implementation of the IT governance initiative, and gain their buy-in and commitment for introducing such structures throughout the organization.

To demonstrate the strong commitment of top management to the initiative, while anchoring the initiative throughout the organization and enforcing business leadership involvement, an enterprisewide IT policy (the IT governance guideline) was realized, signed off on by the board of directors and published throughout the enterprise. Key statements of the IT governance guideline were:

  1. An IT governance board (ITGB) was established (and its constitution and meeting frequency were defined) as the supreme decision-making authority regarding IT investment concerns.
  2. Key governance domains (IT service management, IT development and operations, IT portfolio management) were identified and defined, with shared responsibilities between IT and business.
  3. A program management office (PMO) was established as the organizational unit in charge of sustainably anchoring the IT governance framework (policies, procedures and processes) throughout the enterprise and endorsing the implementation initiative.

In addition to the PMO as the new organizational unit (see figure 3) in charge of undertaking the ownership of the IT governance initiative and the governance board as the supreme decision-making authority, other decision-making bodies were defined and established at regional and local levels, as depicted in figure 4, during the process implementation stage (stage 4).

Figure 3

Figure 4

The Portfolio Perspective

The portfolio perspective of the 3P Model mainly addresses the purpose of defining and setting the areas of focus for the governance measures to be applied in the future. In the context of the considered program, efficient and timely delivery of IT projects and increased visibility of ongoing IT activities and initiatives were identified during the first stage (identification of business drivers) as key drivers for launching an IT governance program.

During the organizational assessment stage (stage 2), the focus was on assessing the current capability of the IT organization in regard to applying project portfolio management best practices. Based on COBIT maturity models and management guidelines,⁹ specific assessment tools (questionnaires, templates, evaluation matrices) were developed that were used during the joint interviews and the workshops with project managers and designated IT key account managers to conduct the capability assessment. The key findings of the as-is analysis were:

  1. Nonconsolidated view into all the demand placed on IT
  2. No enterprisewide standardized approach for project selection and prioritization
  3. Noncentralized project information repository and, therefore, no financial visibility into ongoing IT projects
  4. No enterprisewide methodologies for project management; therefore, impossible to track and monitor project progress and success

Based on the key findings and the weaknesses of the current situation, the following objectives were determined for the portfolio perspective during the implementation stage (stage 4):

1. Inventory the portfolio of ongoing IT projects for the period 2006-2007—In assessment workshops with project managers of the IT department, the organization tried to find out how the project information was managed and shared throughout the organization and how this information was handled once the project was closed. After identifying the different project information sources, the organization analyzed and assessed these sources in respect to their accuracy and significance and, thereafter, consolidated them to create a single source of truth for project information—a kind of centralized project repository that will serve as a baseline for an integrated project portfolio management approach.

2. Determine criteria for categorizing the portfolio of projects—Once a central project repository was established, the organization started structuring and categorizing the portfolio. The main objective was to define a set of criteria for categorizing the different types of investments in IT projects to enable a greater ability to establish a prioritization scheme for constructing a balanced portfolio of IT investments. Additionally, the defined categorization scheme had to serve as the groundwork for setting investment thresholds for proposal selection and the prioritization process.

A challenging task has been to clearly differentiate an IT project-related investment from an IT service-related expense. Furthermore, standard categorization according to the “run, grow, transform”¹⁰ scheme was not applicable to the organizational context in place because of the huge heterogeneity of ongoing projects. The run, grow, transform categorization scheme has more often been used as a baseline for defining organization-specific portfolio categories.

The Process Dimension and Decision-Execution Monitoring

After defining the main governance structures and decision bodies (people perspective) and setting the governance areas of focus (portfolio perspective), the next emphasis during the implementation stage was to define the procedures, policies and mechanisms for monitoring the execution of the investment decision:

1. Definition of governance mechanisms and rules—A central aspect of decision-execution monitoring is the definition of mechanisms and rules according to which the decision executions are realized. In the context of project portfolio management, the following key rules were defined to ensure alignment of the decision on IT investments:

  • Project approval and listing requirements—Not all project requests have to be subject to an approval from the central governance body. Therefore, a set of requirements and thresholds was defined (as depicted in figure 5), so the requester can find out whether an approval is needed.
  • Selection and prioritization rule—This rule integrates a set of organization-specific prioritization criteria (e.g., project category type, budget, strategic and technological impact of the project) and coordination mechanisms to enable the prioritization of the portfolio of IT investments.
  • Escalation mechanism—As depicted in figure 6, an escalation mechanism has been defined to deal with exception cases and issues where the decision maker is not able to solve or address these on his/her own authority, or when there is conflict between different decision bodies.

Figure 5

Figure 6

2. Design of governance procedures and policies—In addition to the described rules, procedures (e.g., for identification, evaluation, prioritization, monitoring and close-out) were defined and established concerning the planning and monitoring of the portfolio as a whole.

3. Definition and establishment of process-specific roles—In addition to the decision bodies, process-specific roles were defined and established, as shown in figure 7. These roles define the function and the responsibilities that have to be assumed to enable the procedure execution; these process-specific roles differ from organizational functions. Thus, an organizational function (e.g., application development team leader) can take many process-specific roles (e.g., project manager, account manager).

Figure 7

4. Design of templates and tools—Last, but not least, a set of templates (e.g., project request form, project reporting template, project close-out form) were defined to support the execution of procedures. Most of the templates were created with common desktop tools (e.g., Microsoft Office products). In the near future, the organization plans to roll out an integrated project portfolio management tool that will support the complete process.

Success Factors

Key success factors for the initiative include:

1. Early management buy-in and strong commitment—Without an early buy-in and strong commitment from top management, it would have been difficult to get business executive attention and involvement in this global initiative. Strong management commitment enabled project managers to highlight the importance of the initiative throughout the IT organization and to easily mobilize required resources and get the people involved in the implementation.

2. Defined and agreed-upon scope and outcomes—Although it had a big picture in mind, the organization tried to define the restricted scope and the short-term (12 months) outcomes at an early stage within the project and agree on these with key stakeholders. This facilitated communication of the initiative throughout the organization.

3. Early involvement of the affected parties—In addition to the strong commitment of top management, the organization tried to involve affected parties as soon as possible in the planning of the project activities through early interviews and workshops. This had a positive impact insofar as employees easily identified themselves with the initiative and felt they were a part of it. From a change management point of view, that surely was a great facilitator.

4. Quick wins—Early identification and rapid realization of quick wins (e.g., the easily identified investment synergies in the different regions) strengthened the credibility of the initiative throughout the IT organization and the business units.

Lessons Learned

Lessons learned included:

1. Project approach—Following the slogan “think big, start small, scale fast,” the organization communicated the big picture while making small steps toward implementation. That strengthened awareness and clearly facilitated acceptance throughout the organization, especially among key project stakeholders.

2. Enhance collaboration and communication between IT and business—The implementation of IT governance led to a strengthened and enhanced awareness by the business on IT topics and, in the same way, to an improved collaboration between IT and the business, especially in the field of demand and request management.

3. First define and agree on the processes, then look for an adequate tool—It was a critical success factor to first set a focus on defining the required governance processes in the organization before looking at a tool for supporting these processes. This also facilitated and sped up the requirement specification of the tool, since the organization already had a clear picture of what functionalities the tool should provide.


There are some obvious and pragmatic recommendations to help any organization successfully implement IT governance initiatives:
  • Consider the IT governance implementation initiative as a program activity with a series of phases, rather than a one-off step.
  • Keep in mind that implementation involves cultural change as well as new processes; therefore, a key success factor is the effective management of organizational change.
  • Make sure there is a clear understanding of the objectives. Focus first on where it is easiest to make changes and deliver improvements, and incrementally build on successes from there.
  • Obtain top management buy-in and ownership and find a clear sponsor for the IT governance implementation process.
  • Ensure active ownership and effective oversight from initiation through the establishment of a program and/or project steering committee consisting of appropriate representation from involved stakeholders.¹¹




1 Forrester Research Inc., survey among 75 CEOs, USA, 2007
2 Sandrino-Arndt, Bop; “People, Portfolios and Processes: The 3P Model of IT Governance,” Information Systems Control Journal, vol. 2, 2008
3 Ibid.
4 IT Governance Institute, COBIT 4.1, 2007
5 IT Governance Institute, Val IT, 2006-2008
6 Van Grembergen, Wim; “Introduction to the Minitrack IT Governance and First Mechanisms,” Proceedings of the 35th Hawaii International Conference on Systems Sciences, 2002
7 Weill, Peter; Jeanne W. Ross; IT Governance—How Top Performers Manage IT Decisions Rights for Superior Results, Harvard Business School Press, USA, 2004, p. 57
8 In a business monarchy, senior business executives make IT decisions affecting the entire enterprise. An IT monarchy differs from a business monarchy in that the decisions in an IT monarchy are always made strictly by IT representatives.
9 IT Governance Institute, IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, 2007
10 Handler, Robert; Bryan Maizlish; IT Portfolio Management Step by Step: Unlocking the Business Value of Technology, John Wiley & Sons Inc., USA, 2005, p. 205
11 Op cit, ITGI, IT Governance Implementation Guide

Bop Sandrino-Arndt, CISA, CGEIT, PMP
is manager of the IT strategy and governance practice at Maxence, a Dusseldorf, Germany-based business consulting firm specializing in the pharmaceutical industry. He is an internationally operating management consultant with more than 10 years of extensive experience in the field of IT strategy consulting, especially in the areas of large project and program management, IT governance and effectiveness, and IT support in mergers and acquisitions. He can be reached at bop.sandrinoarndt@

ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
