

IT Governance

IT Governance and Its Mechanisms

By Steven De Haes and Wim Van Grembergen, Ph.D.
Volume 1, 2004

IT governance is a concept that has suddenly emerged and become an important issue in the information technology field. Precisely when this new challenge began surfacing is unknown, but it is now a discussion issue within most organizations. Some corporations and government agencies began with the implementation of IT governance to achieve a fusion between business and IT and to obtain needed IT involvement of senior management. In surveys, CIOs also indicate IT governance as an important management priority. For example, in Gartner's Top Ten CIO Management Priorities for 2003, "improving IT governance" is included for the first time and is ranked third, and the related issue "providing guidance for the board/executive" is ranked first.

This article defines what IT governance is and explains its relationship with enterprise governance. IT governance is defined as the leadership and organizational structures, processes and relational mechanisms that ensure that an organization's IT sustains and extends its strategy and objectives. The article also provides an IT governance framework containing supporting structures, processes and relational mechanisms. The main objective of this article is to contribute to the understanding of IT governance and how it can be achieved in practice.

IT Governance Defined

While numerous definitions exist for IT governance, the following two definitions will be used in this article.1

IT governance is the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.2

IT governance is the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT.3

Although these definitions differ in some aspects, they focus on the same issues: achieving the link between business and IT, and the primary responsibility of the board of directors. Van Grembergen's definition also indicates that IT management must be involved in the IT governance processes. However, there is a clear difference between IT governance and IT management. IT management is focused on the effective supply of IT services and products and the management of IT operations. IT governance in turn is much broader and concentrates on performing and transforming IT to meet present and future demands of the business and its customers.4

The definition from the IT Governance Institute states that IT governance is an integral part of enterprise or corporate governance. Indeed, to make sure that corporate governance matters are covered, IT first needs to be properly governed. This relationship can be made clearer by translating the corporate governance questions5 into specific IT governance questions (see figure 1).

IT Governance Structures, Processes and Relational Mechanisms

The question is: how can enterprises pragmatically implement IT governance? IT governance can be deployed using a mixture of various structures, processes and relational mechanisms. When designing IT governance for an organization, it is important to recognize that it is contingent upon a variety of sometimes conflicting internal and external factors. Determining the right combination of mechanisms is, therefore, a complex endeavor and it should be recognized that what works for one company does not necessarily work for another. This means that different organizations may need a combination of different structures, processes and relational mechanisms.

To be able to place IT governance structures, processes and relational mechanisms in a comprehensible relationship to each other, the framework displayed in figure 2 is proposed. Figure 2 is based on Peterson's framework.6 Structures involve the existence of responsible functions such as IT executives and a diversity of IT committees. Processes refer to strategic decision-making and monitoring. The relational mechanisms include business/IT participation, strategic dialogue, shared learning and proper communication.

Roles and Responsibilities

Clear and unambiguous definitions of the roles and responsibilities of the involved parties are crucial and prerequisites for an effective IT governance framework. It is the role of the board and executive management to communicate these roles and responsibilities and to make sure that they are clearly understood throughout the whole organization.

The board as well as the business and IT management have to play an important role in assuring the governance of IT. The CIO is an important, but certainly not the only, stakeholder in the IT governance process. The CEO has singular responsibility for carrying out the strategic plans and policies that have been established by the board, and he/she should ensure that the CIO is part of, and accepted in, the senior-level decision-making process. The CIO and the CEO should report on a regular basis to the board, which is the independent overseer of business performance and compliance. The board members should keep their knowledge of current business models, management techniques, technologies and the potential risks and benefits associated with each of them up to date.7

IT Organization Structure

Effective IT governance is also determined by the way the IT function is organized and where the IT decision-making authority is located within the organization. In the past, several models were developed and implemented, such as centralized, decentralized and federal IT organizations. A dominant model in many contemporary enterprises is the federal structure that is often a hybrid design of centralized infrastructure control and decentralized application control. This model tries to achieve both efficiency and standardization for the infrastructure, and effectiveness and flexibility for the development of applications.

IT Strategy Committee and IT Steering Committee

IT governance should be an integral part of enterprise governance and, in this respect, a primary concern of the board of directors that is responsible for governing the enterprise. Boards may carry out their governance duties through committees and by considering the criticality of IT through an IT strategy committee. The IT strategy committee, composed of board and nonboard members, should assist the board in governing and overseeing the enterprise's IT-related matters. This committee should ensure that IT is a regular item on the board's agenda and that it is addressed in a structured manner.

The IT strategy committee should of course work in close partnership with the other board committees and management committees to guide, review and amend the aligned enterprise and IT strategies.8 The implementation of the IT strategy is the responsibility of executive management, assisted by one or more IT steering committees. Typically, such a steering committee has the specific responsibility for overseeing major projects and managing IT priorities, IT costs and IT resource allocation. While the IT strategy committee operates at the board level, the IT steering committee is situated at the executive level, which implies that it has different membership and authority.

Strategic Information Systems Planning

An important element of IT governance is the alignment of IT with the business. J. Henderson and N. Venkatraman developed their strategic alignment model (SAM) to conceptualize and direct the area of strategic management of IT.9 They were the first to describe in a clear way the interrelationship between business strategies and IT. The model is based on two building blocks: strategic fit and functional integration (figure 3). Strategic fit recognizes that the IT strategy should be articulated in terms of an external domain (how the firm is positioned in the IT marketplace) and an internal domain (how the IT infrastructure should be configured and managed). Strategic fit is equally relevant in the business domain, with similar attributes but focused to the business. Two types of functional integration exist: strategic and operational. Strategic integration is the link between business strategy and IT strategy, reflecting the external components, which is important because, for many companies, IT has emerged as a source of strategic advantage. Operational integration covers the internal domain and deals with the link between organizational infrastructure and processes and IT infrastructure and processes.

Although the SAM model clearly recognizes the need for continual alignment, it does not provide a practical framework to implement this. However, over the years, many alignment mechanisms have been developed and are used in organizations to achieve the business/IT fusion: business systems planning, critical success factors, the competitive forces model and the value chain of M.E. Porter, and business process reengineering. Recently, Porter adapted his models to the e-business (e-commerce) phenomenon concluding that "the Internet per se will rarely be a competitive advantage" and "many of the companies that succeed will be ones that use the Internet as a complement to traditional ways of competing, not those that set their Internet initiatives apart from their established operations."10

Balanced Scorecard

Another approach for the practical implementation of strategic alignment is the balanced scorecard (BSC). Robert Kaplan and David Norton introduced the BSC at the enterprise level.11 Their fundamental premise is that the evaluation of a firm should not be restricted to a traditional evaluation but should be supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. Results achieved within these additional perspective areas should assure future financial results and drive the organization toward its strategic goals while keeping all four perspectives in balance. This concept has been applied to the IT function and its processes. Recognizing that IT is an internal service provider, the proposed perspectives of the balanced scorecard should be changed accordingly, with corporate contribution, user orientation, operational excellence and future orientation as perspectives. By using a cascade or waterfall of balanced scorecards, a method for business and IT fusion is provided to senior management. To achieve this, an IT development scorecard and an IT operational scorecard are defined as enablers for the strategic IT balanced scorecard that in turn is the enabler of a business balanced scorecard (figure 4). Linking the business BSC and the IT BSC is a supportive mechanism for IT governance.12

Information Economics

The information economics method developed by Robert J. Benson and Marilyn Parker can be used as an alignment/governance technique, whereby both business and IT people score IT projects and in this way prioritize and select projects.14 It starts from the return on investment (ROI) of a project and adds different intangibles such as "strategic match of the project" (business evaluation) and "match with the strategic IT architecture" (IT evaluation). In essence, information economics is a scoring technique resulting in a weighted total score based on the scores for the ROI and the intangibles (see figure 5). Typically, scores from 0 to 5 are attributed, whereby 0 means no contribution and 5 refers to a high contribution. The values obtain a positive score and the risks a negative score.
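The scoring rule described above, worked through in code. This is an added illustration, not part of the original article and not Parker and Benson's published worksheet: the criteria, their weights and the three project score sets are constructed for the example. It shows why the method is more than an ROI ranking: a high-ROI project can be outranked once intangibles count positively and risks count negatively.

```python
"""Information economics style project scoring (added illustration).

Criteria, weights, project names and scores are constructed for this
example; they are not taken from the article or from Parker and Benson.
"""
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 0, 5  # 0 = no contribution, 5 = high contribution


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float
    is_risk: bool = False  # risks contribute negatively, values positively


# Hypothetical criteria set: ROI plus business and IT intangibles and risks
CRITERIA = [
    Criterion("roi", 2.0),
    Criterion("strategic_match", 1.5),             # business evaluation
    Criterion("strategic_it_architecture", 1.5),   # IT evaluation
    Criterion("organizational_risk", 1.0, is_risk=True),
    Criterion("it_infrastructure_risk", 1.0, is_risk=True),
]

# Constructed sample: three candidate projects scored by business and IT people
PROJECTS = {
    "A": {"roi": 4, "strategic_match": 5, "strategic_it_architecture": 3,
          "organizational_risk": 1, "it_infrastructure_risk": 2},
    "B": {"roi": 5, "strategic_match": 2, "strategic_it_architecture": 2,
          "organizational_risk": 3, "it_infrastructure_risk": 4},
    "C": {"roi": 2, "strategic_match": 4, "strategic_it_architecture": 5,
          "organizational_risk": 0, "it_infrastructure_risk": 1},
}


def validate_score(value):
    """Reject anything outside the 0..5 integer scale before it enters the total."""
    if not isinstance(value, int) or not SCORE_MIN <= value <= SCORE_MAX:
        raise ValueError(f"score must be an integer {SCORE_MIN}..{SCORE_MAX}, got {value!r}")
    return value


def weighted_score(scores, criteria=CRITERIA):
    """Weighted total: values add weight*score, risks subtract weight*score."""
    total = 0.0
    for c in criteria:
        s = validate_score(scores[c.name])  # KeyError if a criterion was not scored
        total += -c.weight * s if c.is_risk else c.weight * s
    return total


def prioritize(projects, criteria=CRITERIA):
    """Return (project, score) pairs, highest weighted total first."""
    ranked = sorted(((weighted_score(s, criteria), name) for name, s in projects.items()),
                    reverse=True)
    return [(name, score) for score, name in ranked]


if __name__ == "__main__":
    for name, score in prioritize(PROJECTS):
        print(f"{name}: {score:.1f}")
```

With these constructed weights, project B has the best ROI but lands last because its risk scores pull the total down, while C's strong architectural fit lifts it close to A.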

Service Level Agreements

In a maturing IT governance environment, service level agreements (SLAs) and their supporting service level management (SLM) process need to play an important role.

The functions of SLAs are:

  1. To define what levels of service are acceptable by users and attainable by the service provider
  2. To define the mutually acceptable and agreed-upon set of indicators of the quality of service

The SLM process includes defining an SLA framework, establishing SLAs including level of service and their corresponding metrics, monitoring and reporting on the achieved services and problems encountered, reviewing SLAs and establishing improvement programs. The major governance challenges are that the service levels are to be expressed in business terms and the right SLM/SLA process has to be put in place.16

COBIT and ITIL

Control Objectives for Information and related Technology (COBIT)17 provides, for 34 identified IT processes, their corresponding high-level control objectives and management guidelines (see www.isaca.org). COBIT's Management Guidelines include the processes' maturity models and their scorecards in the form of key goal indicators and key performance indicators. As illustrated in other paragraphs of this article, maturity models and scorecards can assist organizations in achieving IT governance. The control objectives can help support IT governance within an enterprise. The control objectives of the "assist and advise IT customers" process, for example, consist of establishing a help desk, registering customer queries, escalating customer queries, monitoring clearance, and analyzing and reporting trends. These high-level control objectives can be implemented through the use of the IT Infrastructure Library (ITIL) of the Central Computer and Telecommunications Agency (UK). Its help desk module, for example, complements and provides details on the help desk process, including the planning, implementation, post-implementation, benefits and costs, and tools.18 So, COBIT's control objectives tell what to do and ITIL explains how to do it.

IT Alignment/Governance Maturity Models

To be able to measure alignment and governance maturity, organizations can use a maturity model. This is a method of scoring that enables the organization to grade its maturity level from nonexistent (0) to optimized (5). This tool offers an easy-to-understand way to determine the "as is" and the "to be" positions and enables the organization to benchmark itself against best practices and standard guidelines. In this way, gaps can be identified and specific actions can be defined to move toward the desired level of strategic alignment/governance maturity.19 Good examples of IT maturity models are developed by Luftman20 and the IT Governance Institute (www.itgi.org). Both models use criteria composed of a variety of attributes to build different levels of maturity. Luftman defines five maturity levels using the criteria and attributes described in the first two columns of figure 6. The last two columns indicate the characteristics or values of each attribute needed to obtain level 1 or level 5. When performing a maturity assessment, it is important to comply with the basic principles of maturity measurement. One can move to a higher maturity level only when all conditions described in a certain maturity level are fulfilled. This implies that to obtain maturity level 5, all attributes must have the values described in the last column of figure 6.

COBIT's Management Guidelines includes the maturity models for each of the 34 IT processes. The first process identified by COBIT is "define a strategic information technology plan." This process plays a very important role in the strategic alignment. Maturity level 1 entails that the need for IT strategic planning is known by IT management, but there is no structured decision process in place. To achieve the highest level of 5, IT strategic planning should at least be a documented and living process, continuously considered in business goal setting, and resulting in discernable business value through investments in IT.

To benchmark against other organizations, a maturity survey was conducted in 2002 asking the respondents to assign a maturity score for 15 of the 34 IT processes.21 The main result of this survey was that, on the average, the self-assessed maturity for these processes fluctuated between 2.0 and 2.5. The average for IT strategic planning was also in this range.

The IT Governance Institute recently developed a specific IT governance maturity model (figure 7). According to this model, enterprises assessed at level 0 are characterized by a complete lack of any recognizable IT governance process. To move up to level 1, the organization at least needs to recognize the importance of addressing IT governance issues. Maturity 5 implies an advanced and forward-looking understanding of IT governance issues and solutions, supported by an established framework and best practices of structures, processes and relational mechanisms. It should be noted that the desired "to be" position should be identified in function of the context where one operates (industry, geography, size, etc.) and of the enterprise strategy. When the "as is" and "to be" positions are known, gaps can be determined, projects defined and specific actions taken.
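The maturity-measurement principle stated above (a level is reached only when every attribute meets that level's conditions) and the "as is"/"to be" gap analysis, worked through in code. This is an added illustration, not part of the original article and not Luftman's or ITGI's attribute list: the attribute names and per-attribute levels are constructed. It also computes the naive average that an assessor might be tempted to report, to show how it overstates the attained level.

```python
"""Maturity assessment under the 'all conditions fulfilled' rule (added illustration).

Attribute names and the per-attribute levels below are constructed for the
example; they are not the attributes of Luftman's or ITGI's models.
"""

MIN_LEVEL, MAX_LEVEL = 0, 5  # nonexistent (0) .. optimized (5)

# Constructed "as is" self-assessment: for each attribute, the highest level
# whose description the organization fully meets.
AS_IS = {
    "strategic_planning_process": 3,
    "business_it_communication": 2,
    "performance_metrics": 3,
    "skills_development": 2,
    "partnership_and_trust": 4,
}


def _check(assessment):
    if not assessment:
        raise ValueError("assessment must contain at least one attribute")
    for name, lvl in assessment.items():
        if not isinstance(lvl, int) or not MIN_LEVEL <= lvl <= MAX_LEVEL:
            raise ValueError(f"{name}: level must be an integer {MIN_LEVEL}..{MAX_LEVEL}")


def attained_level(assessment):
    """Level the organization may claim.

    Levels are cumulative and a level counts only when every attribute
    satisfies it, so the attained level is the minimum across attributes.
    """
    _check(assessment)
    return min(assessment.values())


def naive_average(assessment):
    """The average that violates the principle: shown only for contrast."""
    _check(assessment)
    return sum(assessment.values()) / len(assessment)


def gap_analysis(assessment, target):
    """Attributes that block the 'to be' level, with the number of levels each is short."""
    _check(assessment)
    if not MIN_LEVEL <= target <= MAX_LEVEL:
        raise ValueError("target level out of range")
    return {name: target - lvl for name, lvl in assessment.items() if lvl < target}


def next_actions(assessment):
    """Attributes to address first: those pinning the organization at its current level."""
    current = attained_level(assessment)
    return sorted(name for name, lvl in assessment.items() if lvl == current)


if __name__ == "__main__":
    print("attained level:", attained_level(AS_IS))
    print("naive average :", round(naive_average(AS_IS), 2))
    print("gaps to level 4:", gap_analysis(AS_IS, 4))
    print("address first  :", next_actions(AS_IS))
```

For the constructed assessment the organization is at level 2 even though the average of its attribute scores is 2.8; the two attributes sitting at level 2 are the ones that must move before any higher level can be claimed.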

Relational Mechanisms

Relational mechanisms are very important. It is possible that an organization has all the IT governance structures and processes in place, but it does not work out because business and IT do not understand each other and/or are not working together. Or, it may be that there is little business awareness on the part of IT or little IT appreciation from the business. So, to reach effective IT governance, two-way communication and a good participation/collaboration relationship between the business and IT people are needed. Ensuring ongoing knowledge sharing across departments and organizations is paramount for attaining and sustaining business/IT alignment. It is crucial to facilitate the sharing and the management of knowledge by using mechanisms such as career crossover (IT staff working in the business units and business people working in IT), continuous education, cross-training, etc.

Conclusion

The key element in IT governance is the alignment of the business and IT to lead to the achievement of business value. This high-level goal can be achieved by acknowledging IT governance as a part of enterprise governance and by setting up an IT governance framework with best practices. Such a framework and practices should be composed of a variety of structures, processes and relational mechanisms. What works for one organization may not work for other organizations (e.g., the balanced scorecard method can be successful in some organizations and not in others).

Endnotes

1 See also Van Grembergen, W.; S. De Haes; E. Guldentops; "Structures, Processes and Relational Mechanisms for Information Technology Governance: Theories and Practices," Strategies for Information Technology Governance, Idea Group Publishing, Pennsylvania, USA, 2003
2 Board Briefing on IT Governance, IT Governance Institute, 2001, www.itgi.org
3 Van Grembergen, W.; "Introduction to the Minitrack IT Governance and Its Mechanisms," Proceedings of the 35th Hawaii International Conference on System Sciences (HICSS), 2002
4 Peterson, R.; "Information Strategies and Tactics for Information Technology Governance," Strategies for Information Technology Governance, Idea Group Publishing, Pennsylvania, USA, 2003
5 Shleifer, A.; W. Vishny; "A Survey on Corporate Governance," Journal of Finance, vol. 52, no. 2, 1997
6 Op. cit., Peterson
7 Duffy, J.; IT/Business Alignment: Is It an Option or Is It Mandatory?, IDC document #26831, 2002; Duffy, J.; IT Governance and Business Value Part 1: IT Governance—An Issue of Critical Importance, IDC document #27291, 2002; Duffy, J.; IT Governance and Business Value Part 2: Who's Responsible for What?, IDC document #27807, 2002
8 IT Strategy Committee, IT Governance Institute, 2002, www.itgi.org
9 Henderson, J.; N. Venkatraman; "Strategic Alignment: Leveraging Information Technology for Transforming Organizations," IBM Systems Journal, 1993
10 Porter, M.E.; "Strategy and the Internet," Harvard Business Review, March/April 2001, pp.63-78
11 Kaplan, R.; D. Norton; "The Balanced Scorecard—Measures That Drive Performance," Harvard Business Review, January/February 1992, pp. 71-79
12 Van Grembergen, W.; R. Saull; S. De Haes; "Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group," Journal of Information Technology Cases and Applications, vol. 5, no. 1, 2003, pp. 23-50
13 Van Grembergen, W.; R. Saull; "Aligning Business and Information Technology Through the Balanced Scorecard at a Major Canadian Financial Group: Its Status Measured with an IT BSC Maturity Model," 34th Hawaii International Conference on System Sciences (HICCS), CD-ROM, Maui, 2001
14 Parker, M.; Strategic Transformation and Information Technology, New Jersey, USA, 1996
15 Van Grembergen, W.; R. Van Bruggen; "Measuring and Improving Corporate Information Technology Through the Balanced Scorecard Technique," European Conference on the Evaluation of Information Technology, Delft, The Netherlands, 1997
16 Van Grembergen, W.; S. De Haes; I. Amelinckx; "Using COBIT and the Balanced Scorecard as Instruments for Service Level Management," Information Systems Control Journal, ISACA, USA, vol. 4, 2003, pp. 56-62
17 Control Objectives for Information and related Technology (COBIT), 3rd Edition, IT Governance Institute, 2000, www.itgi.org
18 CCTA; Helpdesk, The Stationery Office, 1998
19 Guldentops, E.; Part and Parcel of Corporate Governance, CIO Summit, European Financial Management and Marketing Conference, Brussels, 2003
20 Luftman, J.; Assessing Business-IT Alignment Maturity, Communications of AIS, vol. 4, 2000
21 Guldentops, E.; W. Van Grembergen; S. De Haes; "Control and Governance Maturity Survey: Establishing a Reference Benchmark and a Self-assessment Tool," Information Systems Control Journal, ISACA, USA, vol. 6, 2002

Steven De Haes
is responsible for the information systems management executive programs at the University of Antwerp Management School (UAMS), Belgium. He is engaged in research in the domain of IT governance and in this capacity performs research for ISACA. Currently, he is preparing a Ph.D. on the practices and mechanisms of IT governance. He has several publications on IT governance primarily in the Information Systems Control Journal and the Journal of Information Technology Cases and Applications (JITCA).

Wim Van Grembergen, Ph.D.
is professor and chair of the MIS department at the business faculty of the University of Antwerp (UFSIA). He was previously guest professor at the University of Leuven (Belgium) and has taught at the University of Stellenbosch in South Africa and the Institute of Business Studies in Moscow. He teaches information systems at the undergraduate and executive level, and researches business transformations through information technology, audit of information systems, IT balanced scorecard and IT governance. He served as academic director of the MBA program of UFSIA (1989-1995) and presently is academic coordinator of an IT audit master program and an e-business master program.
