Building a Framework for an efficient IT Governance

Table of Contents

1 Introduction

2 IT Governance Fundamentals
2.1 Embedding IT Governance into Corporate Governance
2.2 Objectives
2.2.1 Strategic Alignment
2.2.2 Value Creation
2.2.3 Risk Management
2.2.4 Performance Measurement
2.3 Effectiveness and Efficiency

3 Analysis of IT Problems
3.1 Problem Identification
3.2 Clustering of Problems
3.2.1 Stage One
3.2.2 Stage Two
3.2.3 Stage Three
3.3 The Holistic Perspective

4 IT Governance Standards and Frameworks
4.1 The Argument
4.2 Selection
4.2.1 CObIT
4.2.1.1 Purpose
4.2.1.2 Structure
4.2.1.3 Classification
4.2.2 ITIL V
4.2.2.1 Purpose
4.2.2.2 Structure
4.2.2.3 Classification
4.2.3 ISO/ IEC 27002:
4.2.3.1 Purpose
4.2.3.2 Structure
4.2.3.3 Classification
4.2.4 Val IT
4.2.4.1 Purpose
4.2.4.2 Structure
4.2.4.3 Classification
4.2.5 IT BSC
4.2.5.1 Purpose
4.2.5.2 Structure
4.2.5.3 Classification

5 Practical Part
5.1 Defining an efficient IT Governance
5.2 Building a Framework for an efficient IT Governance
5.2.1 Approach
5.2.2 Matching Frameworks and Problem Clusters
5.2.3 Interpretation
5.2.4 Limitations of the Model
5.3 Findings
5.3.1 Selecting a Proper Framework
5.3.2 Mapping Frameworks

6 Conclusion and Future Implications

Figures

Figure 1: Embedding IT Governance [Modified from RüSG2006, 27]

Figure 2: IT Governance Objectives [Modified from ITGI2003b, 27]

Figure 3: Structure of Vision, Mission, Strategy, and Activities [Own statement]

Figure 4: IT and Business Strategy Alignment [ITGI2003b, 30]

Figure 5: Interrelationship of Effectiveness and Efficiency [Own statement]

Figure 6: IT Governance Domains in a Hierarchal Architecture [Own statement]

Figure 7: The CObIT Cube [ITGI2008d, 25]

Figure 8: The ITIL V3 Service Lifecycle [ITIL2008a]

Figure 9: Val IT Focus Areas [ITGI2006b, 9]

Figure 10: IT BSC – Example Metrics [Modified from DiSc2004, 335]

Figure 11: Example of an IT BSC [Wies2007, n. p.]

Figure 12: How Strategy Translates into Efficiency [Own statement]

Figure 13: Matching Frameworks and Problem Clusters [Own statement]

Figure 14: Percentage Coverage of Problems by Selected Frameworks [Own statement]

Figure 15: Total Process Number Coverage of Problems by Selected Frameworks [Own statement]

Figure 16: Framework Selection Matrix [Own statement]

Tables

Table 1: Stage 1 Clustering of Problems [Own statement]

Table 2: Stage 2 Clustering of Problems [Own statement]

Table 3: Corrections Added to Stage 2 Clustering of Problems [Own statement]

Table 4: Stage 3 Clustering of Problems [Own statement]

Table 5: Overview of IT Governance Frameworks and Standards [JoGo2007, 24; with modifications from Nive2002, 216]

Table 6: Overview of Selected Frameworks [Own statement]

Table 7: CObIT Framework and IT Governance Focus Areas [ITGI2007, 26]

Table 8: Classification: CObIT [Own statement]

Table 9: Classification: CObIT, ITIL [Own statement]

Table 10: Classification: CObIT, ITIL, ISO 27002 [Own statement]

Table 11: Classification: CObIT, ITIL, ISO 27002, Val IT [Own statement]

Table 12: Classification: CObIT, ITIL, ISO 27002, Val IT, IT BSC [Own statement]

Table 13: Process Description PO1 [Golt2006, 51-53]

Table 14: Allocating Processes to Stage 2 Problem Clusters [Own statement]

Abbreviations

illustration not visible in this excerpt

1 Introduction

Nowadays almost every business in the modern world is using information technology (IT) for its daily tasks and complex processes. Proceeding globalization and decreasing costs make companies face an increasing pressure in their competitive environments. This so called information revolution is affecting market competition in three vital ways [PoMi1985, 150]: First, a change in industry structures that comes along with altering rules of competition. Second, IT gives the possibility to outperform rivals and thus, to strengthen a market position. And third, IT creates new businesses within the company’s existing operations. The third effect mentioned implies the role of IT as a trigger for business opportunities like new products and services.

Even though IT seems to be omnipresent in most businesses, it is important to further look at its efficiency. Business is about adding value, which is reflected by revenue from outputs less cost of inputs [Gran2008, 35]. Specifically, this thesis addresses the reduction of input costs for IT, which serves as one of the most important supporting functions for almost all business processes. However, increasing technological complexity most often comes along with failures and problems causing costs, incompatibilities, and further issues. In such cases, the IT department is likely to be pointed at for justifying problems in production, service delivery, etc. This is why it is not a surprise that it is not IT that has the problem, but it is IT that is the problem [RüSG2006, 1]. At the beginning of this century Nicholas G. Carr was one of the first authors who pointed out the diminishing business relevance and the changing role of IT in his articleIT Doesn’t Matter: “As information technology’s power and ubiquity have grown, its strategic importance has diminished. The way you approach IT investments and management will need to change dramatically.” [Carr2003, 41] This necessary change is what organizations face today. Changing competition and technology imply the need for changing the way of using IT. Almost every environmental change results in an IT project, including changes in governmental regulations, business processes, organizational structures and mergers and acquisitions (M&A) [RüSG2006, 17].

This thesis underlies the assumption that companies throughout all industries strive to adopt this changing role of IT in order to build up competitive strengths. A study by Weill and Ross on IT governance in over 250 multi-businesses found that “… good governance design allows enterprises to deliver superior results on their IT investments.” [WeRo2004, 3] They conclude effective IT governance to be the most important predictor for adding value from IT.

In addition to effectively aligning IT governance, leveraging financial and operating performance can be improved when implementing IT governance efficiently. Efficiency describes the relation between the accuracy and completeness with which goals are achieved, and the resources needed in achieving them, specifically completion and learning time [FrHH2000, 345]. IT governance is what brings together all these aspects and is “… the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organizations’ IT sustains and extends the organization’s strategies and objectives.” [ITGI2003a, 10]

Managing IT has been practiced since technology emergence. The main difference to IT governance lies in the organization’s perspective on handling IT. IT principles, from the new perspective, are high-level statements about how IT is used in the firm [WeWo2002, 2]. The purpose of IT governance is to align the IT strategy with the company’s overall strategy in order to realize the promised benefits. It shall also enable the enterprise to use IT for maximizing profits, exploiting all business opportunities, responsibly resourcing IT, and managing IT-related risks appropriately [ITGI2008a]. In other words, IT management turns into IT governance when it is seen as part of an organization’s asset management. According to Weill, IT governance links to the governance of other key enterprise assets such as financial, human, and intellectual property, which is why it cannot be considered in isolation [Weil2004, 3]. IT asset management refers to managing all IT assets, as regards content, which is the basis for increasing transparency of IT costs [BuES2005, 230].

However, integrating IT into corporate governance seems to cause more problems than theory predicts. A recent study in Central Europe demonstrates that even though many IT governance tools are applied today, most of the IT projects are still tardy or too expensive [Capg2007, 12]. According to this study, almost half of the companies (47%) still relinquish to use processes that help control or improve IT performance. This implicates that the roots of IT-related problems do not seem to lie in identifying problems, but in solving them. In addition to the first assumption, the pursued benefits are tried to be realized by improving existing IT processes or by looking for new business opportunities. This argument is supported by an increasing trend in distributing IT investments into new business initiatives and a decrease in dedicating the money to existing operating IT [Mich2006, 38].

The risk of underestimating IT’s potential will possibly result in a separation of executives from IT users, helplessness, mutual mistrust, and finally in a bad performance. The changing significance from just managing IT to integrating it points out the importance to recognize IT as a linkage between all business functions. This is why the abbreviation IT is also frequently used forIntegrating-Technologyinstead ofInformation-Technology[RüSG2006, 14]. Frameworks and standards try to help decision makers like chief information officers (CIO) to implement efficient and effective IT governance by providing helpful processes for all hierarchy levels and to interrelate them. Unlike Nicolas Carr described, with the foundation of the IT Governance Institute (ITGI) in 1998, many of these frameworks have emerged in recognition of the increasing criticality of IT to a company’s success [ITGI2008c]. The role of the CIO or other responsible executives is to constantly try to improve the performance of the integrated IT [PiMK2004, 93]. Examples for this are well-known concepts like customer relationship management (CRM) or supply chain management (SCM). On the other hand, implementing CRM, for example, heavily depends on IT specialists and operating staff.

Existing IT governance concepts offer control objectives and processes to solve these issues. But following the result of a European study, major problems are a lack of clear goals and the existence of too many non-prioritized activities [Capg2008, 37]. Since each concept seems to have different focuses and approaches to deal with IT issues, it is important to decide on implementing those that address and cover the firm’s specific issues best. Nevertheless, the main problem seems to evolve from deciding on the right ones. Situation depended factors might influence those decisions and require individual organizational analyses in order to maximize a framework’s effectiveness. However, building a framework for improving IT governance first requires analyzing whether there exists one best global IT governance approach for all organizations. Only if there no such all-purpose framework available, the creation of a new approach can help improving the current situation around an organization’s IT governance. Following this idea, the first hypothesis is:

H1: There exists no best global IT governance framework applicable for all organizations.

When implementing such frameworks, processes that are not directly needed should be avoided in order to improve their efficiency. Because every company might have different IT-related problems, it seems to be very difficult to create one all-purpose framework for good IT governance.

What sounds quite easy in theory still is a problem in practice. According to a global survey with 749 participants conducted by the ITGI in 2008, some important key findings were too low involvement of IT users, increasing importance of self-assessment regarding IT governance, security and strategic IT alignment issues, and non-familiarity with frameworks [ITGI2008b, 7-8]. A key implication is that even if the solutions for solving problems seem to exist already, there is an issue with applying them. According to Weill and Ross, organizations with superior IT governance have at least 20 percent higher profits than others with poor governance [WRBC2004, 6]. Following the arguments above, effective IT governance requires efficient use and implementation of standards and frameworks.

Based on the current state of knowledge, this problem is known but developing into different directions. Concepts are being more and more expanded in order to cover more problems. However, increasing the amount of processes will most likely result in an increasing number of processes that are not directly needed. The result, again, is not solving the efficiency problem. The purpose of this thesis is to increase the frameworks’ efficiencies. Therefore, the second hypothesis to be analyzed is:

H2: Increasing IT governance efficiency positively affects an organization’s value.

The goal of this thesis is to build a model that helps maximizing IT governance efficiency by supporting CIOs in their decision making on using the most appropriate frameworks and standards. The mass of publicly available concepts includes hundreds of implementation processes that seem to cause trouble in providing an overview of concepts and their different objectives, approaches, and functions. On the one hand, this model addresses organizations that have not implemented any IT governance frameworks so far, and which may find it hard to decide where to start with. Assessing all concepts in advance will probably be very time and money consuming and thus, would result in losses. On the other hand, those companies that have been applying IT governance concepts so far might get stuck on them and are likely to miss expanding their business opportunities and adapting to changing environments. In this case, the model seeks to provide direction that helps to solve current problems in order to increase transparency of value creation and risk reduction related to IT.

The structure of this thesis will be the following: Chapter 2 will cover the fundamentals of IT governance and will define its key objectives. In addition, it will illustrate how IT governance should be embedded into corporate governance. In Chapter 3, different surveys and research studies will be used for identifying frequent key IT-related problems that occur in practice. In a further step, these problems are going to be clustered in three cascading steps, which will help determine an appropriate concept for selecting frameworks later. Chapter 4 will cover five different frameworks and standards, followed by a comparing analysis and classification of individual characteristics. Chapter 5 will combine both previous chapters and will evaluate the coverage of the indentified problems by the various frameworks. In Chapter 6, the created model will be applied to a case study with the energy supplier Stadtwerke Düsseldorf, which might help derive some limitations and implications that might be useful for practitioners.

2 IT Governance Fundamentals

The termGovernancegains more and more importance in many areas of private, public and semi-public industries and means the responsible, transparent, and comprehensive leadership and control of organizations and their alignment to regulations, standards, and ethical principles [JoGo2007, 1]. Today, corporate governance is assumed to be applied among many businesses throughout all industries. Considering the fact that a company has many stakeholders with different interests, governance in general is what tries to find a compromise and to satisfy all of their needs. The principles of corporate governance can be applied similarly to a company’s IT environment. Supported by the internet boom in the 1990’s, IT today is generally recognized as an enabling, powerful set of tools in almost any industry and as part of almost any strategy. [Port2001] Furthermore, information is considered the fourth production factor in addition to production, service, and agriculture and is the reason why IT governance has gained more importance for managing a company’s IT today [RüSG2006, 15; Krcm2005, 17]. This topic has been discussed a lot in recent publications and emerged to a hype within which it is hard to find a clear and universally valid definition.

To explain the meaning behind IT governance and its interrelationship with corporate governance, this chapter will first illustrate the embedment of IT governance into corporate governance and will classify its objectives. As efficiency and effectiveness are fundamental for the present thesis, both will be explained at the end of this chapter. The last part will cover difficulties in implementing efficient and effective IT governance in order to provide direction for the further approach of this thesis.

2.1 Embedding IT Governance into Corporate Governance

With the evolvement of information management, the role of IT has changed dramatically. At the beginning, the goal was to use IT while monitoring its costs, whereas in the 1990’s the focus has changed to creating and maintaining IT for achieving competitive advantage [HeLe2005, 64]. Today, IT governance has become an executive function of a company’s top management and IT management with main focus on goal-oriented and effective control and use of IT [HoSc2007, 291]. Different internal and external influences address different issues within an organization. External factors that also affect IT are, for example, regulatory compliance, investor relationship, and competitive technology. Internal factors are, for example, implemented governance structures, corporate and technology strategy, as well as the existing corporate culture. In addition, security issues and risks like hacking attacks and internal misusage of computers also have to be taken into consideration and must be reduced to a minimum. IT governance covers measuring, monitoring and controlling target achievements of IT with the purpose of integrating those issues into a company’s leadership perspective [HeLe2005, 65]. IT governance serves as linkage between the core of IT and business, and is an integral part of a company’s corporate governance [ITGI2003a, 10]. It includes technology, regulations, as well as corporate strategy and culture, as illustrated in Figure 1.

illustration not visible in this excerpt

Figure 1: Embedding IT Governance [Modified from RüSG2006, 27]

“IT involves huge costs and significant risks, but it also offers tremendous value to the business and is critical to an organization’s survival.” [Lain2008, 25] IT governance introduces the changing perspective on IT that leads to an extension of responsibilities concerning corporate goals and business processes, which provide a management structure for IT in order to balance costs and risks versus added value. It covers the key goals, tasks and responsibilities on a strategic, administrative and operational business level. Those “… key goals or objectives help provide information about the target of achievement for a process or service – they can be used effectively to determine whether organizational objectives are being met.” [ITGI2006a, 29]

2.2 Objectives

Good governance needs to comply with the factors named above. Good IT governance means “… specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.” [WeRo2004, 8] This definition does not support an IT department concerning the development and establishment of an IT governance, but provides a basis for creating general structures and boundaries for using IT. Its objective is to create“… a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.” [Will2000, n. p.]

It is a typical appearance that many authors define the objectives and goals of IT governance differently. Hofman and Schmidt, for example, categorize the most important goals of managing IT into mission, vision, goals, IT organization, IT sourcing, IT staffing, and IT controlling [HoSc2007, 64]. Heinrich and Lehner define IT governance as a model with the four components: organizational structures, governance processes, controlling, and guidelines and standards [HeLe2005, 66]. The IT Governance Institute (ITGI) recognizes an enterprise’s IT challenges and concerns as the alignment of IT strategy with business strategy and to cascade strategy and goals. They further include providing organizational structures that facilitate the implementation of goals and strategy, insisting on the adoption of an IT control framework, and measuring IT’s performance. [ITGI2008c]

This information provides many perspectives on different categories of objectives within IT governance. The first category contains organizational structures and strategic IT goals. Both provide a basis for further strategic direction. They are part of a company’s IT strategy and must be integrated into the company’s overall strategy. [ITGI2003b, 51] A second class of objectives includes IT staffing and IT sourcing. The availability of IT and competent staff helps to add value by designing and managing business processes [Clar2004, 10]. Third, specific guidelines and standards focus on managing internal and external risks related to IT. Risk management is an important pillar of IT governance because it relates back to the process of decision making [ZoFr2005, 4]. The fourth class contains measuring the IT performance. Its results help to evaluate the initial situation and to adjust any of the previous categories, if necessary. Combining these goals, IT governance objectives can be classified into the four domainsStrategic IT Alignment, Value Creation through IT, Risk Management,andPerformance Measurement. According to the ITGI, these objectives are driven by stakeholder values and their resulting processes require general resource management across all domains [ITGI2003b, 28]. Figure 2 illustrates the cyclical process perspective on the domains that usually starts with strategy formulation.

illustration not visible in this excerpt

Figure 2: IT Governance Objectives [Modified from ITGI2003b, 27]

2.2.1 Strategic Alignment

It is important to continuously recognize good opportunities and to exploit all skills and flexibility in order to act in a goal-oriented manner. The crucial point is to understand the “game” for achieving an advantageous competitive position [GrNi2006, 25]. Grant distinguishes between corporate and business strategy [Gran2008, 20]. The first approach identifies the market in which an organization wants to compete. The business strategy defines how to achieve critical success by creating competitive advantages internally. Considering IT as a company’s business, the IT strategy describes the ability to create competitive strength by integrating IT into the corporate strategy. In this thesis, the IT strategy will be understood as an organization’s IT business strategy. It must be aligned to an organization’s overall strengths while minimizing threats and risks caused by IT. The key of strategic IT alignment is to adjust the IT investments to the strategic goals of an enterprise and to build up the necessary potential for increasing a company’s value [ITGI2003b, 29]. Hypothesis H2 questions an increase in organizational value through improving IT governance efficiency. Thus, strategic IT alignment is an important step in this analysis. Thereby, values, vision, and mission serve as boundaries for aligning IT strategy and corporate strategy.

illustration not visible in this excerpt

Figure 3: Structure of Vision, Mission, Strategy, and Activities [Own statement]

Specifically, the IT strategy supports decision making processes, functions as a coordinating device, and sets a directive target of what the IT of a firm will become in the future [Gran2008, 26]. The high-level strategy definition begins with the vision and mission, and can be defined as a collection of few high-level themes that break a shared vision into actionable focus areas [Rohn2008, 6]. A mission usually formulates a company’s market purposes and is derived from the vision; the vision essentially includes core values and a core ideology that is generally formulated very vague [Gran2008, 21]. It serves more as a broad and distant goal to follow instead of providing concrete implementable instructions. The formulated strategy depends on both vision and mission and usually contains the cascaded sub-goals and metrics that can be translated into activities.

According to Krcmar, even though market dynamics require quick changes, a corporate strategy can be fixed up to 20 years; the plan for IT applications can be fixed up to 15 years before replacement [Krcm2005, 309]. He further mentions that today’s fast moving environments more often require appropriate and quicker adoption of strategies. The ITGI reduces the need for rebuilding an IT governance strategy to only one year, which demonstrates the fast environmental change in technology development [ITGI2003b, 27].

One example and widely used model for aligning IT and business strategy is the strategic alignment model (SAM) by Henderson and Venkatraman [HeVe1999, 476]. The SAM consists of the four main domainsBusiness Strategy, IT Strategy, Administrative Infrastructure,andIT Infrastructure.It analyzes both the business and the IT perspective of an organization and distinguishes between the functional integration of IT and business, and the strategic fit between strategy and existing IT infrastructure. An important fact to consider is the existence of a cross-domain-perspective, which points out the multilateral relationship between all four domains. As a conclusion, simply fitting strategy and infrastructure is not sufficient for an optimal overall strategy. Furthermore, the SAM requires aligning the IT strategy with the business strategy and vice versa. The ITGI supports this argument and defines the strategic goal of IT governance as aligning IT with business strategy, or in other words, using IT for delivering the functionality and services in line with organizational needs, so the organization can do what it wants to do [ITGI2003c, 5].

In practice, aligning IT and business requires having a corporate strategy and an IT strategy [ITGI2003b, 30]. Aligning means to fit both strategies in order to achieve matching activities. Each strategy should result in activities (Figure 3, p.10) that support each other and that avoid controversial directions.

illustration not visible in this excerpt

Figure 4: IT and Business Strategy Alignment [ITGI2003b, 30]

Figure 4 illustrates the interdependences of strategies and activities. The corporate strategy influences and is influenced by corporate activities and the IT strategy. The same applies to the IT strategy, which is dependent on IT activities and the corporate strategy. Corporate and IT activities influence each other and are derived from its respective strategy. Aligning both strategies offers to increase the value of products and services, to support the competitive direction, to control costs, to increase administrative efficiency, and to improve the impact of management. [ITGI2003b, 30]

2.2.2 Value Creation

Creating value with IT means realizing the promised benefits, while focusing on the optimization of IT investments [ITGI2003b, 33]. As shown in Figure 2 (p. 9), this objective follows the formulated IT strategy and will require managing risk in a next step, while constantly managing resources. According to the ITGI, IT resources can be categorized into humans, applications, technology including hard- and software, facilities, and information [ITGI2003b, 38].

Value-adding activities are all activities that increase a company’s value and that provide benefits. The previous chapter explained the need for a good strategy in order to achieve competitive advantage. Completing this thought, value-adding activities follow strategy. According to Grant, the strategic direction depends on an industry’s key success factors, as well as on organizational capabilities that, in addition to tangible and intangible resources, also include human resource management (HRM) [Gran2008, 131]. Porter’s value chain lists value-adding supporting functions like infrastructure, HRM, technology development, and procurement whereas primary value adding activities are inbound logistics, operations, outbound logistics, marketing, sales, and services [PoMi1985, 153].

Using IT for increasing a company’s value requires investments, and thus, increases financial and operational risk. If managed well, Porter states that “… in any company, information technology has a powerful effect on competitive advantage in either cost or differentiation.” [PoMi1985, 156] Both factors can be affected by an efficient and well managed IT, which relates back to hypothesis H2. Metrics for measuring those benefits and values are named key goal indicators (KGI) and explain for example changes in:

- Profit maximization;
- Reducing time-to-market;
- Information to support management decisions;
- New products or services;
- Time and cost reduction for implementing new applications;
- New IT infrastructure;
- Transaction time;
- Increase in satisfaction within employees;
- Higher quality and fewer incidents. [ITGI2003b, 35; JoGo2007, 76-77]

As mentioned before, resource management includes resourcing staff and infrastructure, procurement from third parties, and more. As illustrated in Figure 2 (p. 9), resource management addresses all of the other domains of IT governance at any time. However, according to the previous explanations, it includes value-adding activities and, therefore, will be included in the domain Value Creationfor the further proceedings.

2.2.3 Risk Management

Globalization, technological advancements, and knowledge continuously cause threats and potential risk that almost doubled annually at the beginning of this century [Müll2003, 2]. It includes, on the one hand, threats that directly affect operations due to increasing complexity of systems and data structures resulting in, for example, incidents and exposure to malware^[1]and misuse of information. The key goal is to reduce adverse impacts on the organization to an acceptable level [ITGI2006a, 29]. The second group of risk contains external circumstances that include changing industry regulations or laws, but also technological changes that impact either IT strategy or business strategy, or both.

In this field, the ITGI has an important role and strives to serve as global authority in technology questions related to governance and regulatory compliance. Its goal is to be a trusted resource for executives and IT decision makers that strive to meet privacy, security, financial accountability, and other regulatory requirements. [ITGI2006a]

The topic’s practical relevance and importance is demonstrated by a study of the Aberdeen Group in 2007. They found that financial institutions are ahead of all other industries in several important aspects concerning security governance and risk management. [GrBu2008]

Considering that this industry represents the upper limit, there is a huge need to improve risk management throughout all industries as their results manifest:

- Only 70 percent have established consistent security and compliance policies;
- Only 70 percent have a responsible executive or team with primary ownership for security governance and risk management;
- Only 52 percent have insight into key information required to manage their security and compliance processes;
- Only 78 percent keep management accurately informed of IT-dependent risks;
- Only 67 percent have implemented controls to monitor and verify that requirements of internal policies and external regulations are being satisfied;
- Only 67 percent have identified all information required for auditing and reporting. [GrBu2008, 17]

All results include processes or policies depending on IT and thus, demonstrate the importance of not only managing IT, but integrating it. The introduction of the Sarbanes-Oxley Act (SOX) in 2002 is an often discussed example for changing regulations that affect IT. It is an extension of corporate governance standards in order to assure integrity of financial data, resulting in more transparency, clearer responsibilities, and independent auditing. [RüSG2006, 116]

IT is usually part of the relevant processes concerning SOX and therefore depends on an appropriate IT control system. Complete and correct financial data is necessary and depends on many IT factors, especially on an infrastructural and operational IT level. In addition to clear controls and responsibilities on a corporate governance level, the task of IT governance is to adapt existing processes to the new standards in order to gain as much control over existing IT as possible [RüSG2006, 120]. The SOX is a good, but only one example that requires compliance and that needs to be managed by IT governance.

Risk management is part of the top management’s custody and includes the identification of risk, the creation of awareness of controls and responsibilities, and the integration of risk management throughout all hierarchy levels. According to the ITGI, risk management activities include:

- Risk reduction(implies implementing controls to deal with issues like privacy and access policies);
- Risk transfer(includes referring risk to a business partner in form of a contractual agreement);
- Risk acceptance(indicates accepting risk existence and controlling and managing it). [ITGI2003b, 37]

The most hazardous risks are those that are not understood well enough. Identifying high-risk areas makes IT controls, policies, and procedures a key aspect of the IT governance structure [Roze2008, 29]. This is why good IT governance requires addressing particularly the management, operations, communications, and human competences. A well managed IT organization helps to manage risk and to improve financial performance for the whole company [Lutc2005, 36]. Therefore, risk management is an important step on the way to value-adding IT governance, as tracked by hypothesis H2.

2.2.4 Performance Measurement

“Good IT governance draws on corporate governance principles to manage and use IT to achieve corporate performance goals.” [Weil2004, 3] Therefore, measuring IT performance is the last domain in the IT governance cycle (Figure 2, p. 9). Its purpose, and the critical issue of successful strategy implementation, is to effectively measure organizational IT performance. Specifically, this objective is about tracking IT project delivery, monitoring IT services, and measuring the relationships and information-based assets to increase competitive strength [Lain2008, 24]. Successful control begins with IT strategy formulation. Goals must be defined appropriately in order to create an accurate performance measurement system.

“You can’t manage what you don’t measure” is an old management adage that is still applicable today [Reh2008]. Building competitive advantage in most cases does not only depend on maximizing traditional financial indicators. It further involves formulating and implementing a strategy that exploits an organization’s unique portfolio of resources and capabilities. [Gran2008, 129] It covers a complexity of many metrical and non-metrical measures.

In the past, different firms like Alinean or the Gartner Group have created concepts likeReturn on IT Investments(ROIT)^[2]orTotal cost of Ownership(TCO)^[3]in order to evaluate a company’s IT investments [Alin2008; Gart2008]. However, the purpose of measuring IT performance particularly includes non-financial indicators, as the following questions demonstrate:

How efficient are performances of employees and IT users? How satisfied are the customers with the new IT solution (keyword CRM)? How do individual business units perform and how can the knowledge concerning IT applications and security be increased? How well does the third party integration work (keyword SCM)?

These questions cannot be solved easily without defining numbers. One possible approach to this problem is the Balance Scorecard (BSC) concept by Kaplan and Norton, which will be explained in Chapter 4.2.5 [KaNo1997]. Measuring IT performance is essential because it enables executives to adjust and renew the previously defined IT strategy in order to optimize the value-creating processes (compare Figure 2, p. 9). In addition to financial indicators, technology and infrastructure can be evaluated and compared to internal or industry benchmarks. Focusing on a few metrics only, therefore, might quickly result in a loss of competitive strength and is the reason why performance measurement is an essential part of IT governance.

2.3 Effectiveness and Efficiency

Objectives of profit centers (that is, business units measured by own periodic profit targets) must be operationalized for cost centers (business functions) concerning time, content, measure and degree of performance [Frös2002, 6]. Effective use of a company’s IT implies choosing technologies that support business processes. The involvement of the top management into IT planning processes is an inevitable step within IT governance. IT’s new strategic role points out the significance of communicating any IT-related decisions to lower hierarchy levels in an organization [PiMK2004, 119]. The effectiveness of IT decisions includes appropriate IT-related investments and follows the structure “doing the right things”. Without effective implementation and allocation of resources and capabilities, even the best strategies are of little use [Gran2008, 11].

A different approach is to focus on IT efficiency. The goal is to improve the chosen IT, while minimizing waste. Efficiency is given if a defined output is achieved with minimal use of resources [Frös2002, 6]. For this reason, activities without direct necessities for covering IT-related problems should be avoided. The goal is to exploit all possibilities within the current situation, and follows the structure “doing the things right”. Both concepts are closely related to another. As Peter Drucker said: “There is surely nothing quite so useless as doing with great efficiency what should not be done at all.” [Druc2006, 147] If the efficiency is dissatisfying, effectiveness, and thus, the whole IT strategy should be adjusted. Figure 5 illustrates the interrelationship of effectiveness and efficiency.

illustration not visible in this excerpt

Figure 5: Interrelationship of Effectiveness and Efficiency [Own statement]

IT governance is an instrument to improve the positioning of IT within an enterprise and to balance given competencies with external requirements [RüSG2006, 27]. Its implementation focuses on activities and processes that address both investments into new tools and existing operations. Especially time-to-market and cost efficiency of business activities are levering factors for a value-adding IT [JoGo2007, 10].

This is why IT governance focuses on both effectiveness to meet the desired objectives (Chapter 2.2), and efficiency of selected frameworks (Chapter 4.2). However, a best approach for IT governance, as questioned by hypothesis H1, would have to meet all objectives accordingly. Numerous frameworks and standards provide many processes that might overlap in some cases, or address different issues within a company’s IT structure. Therefore, the purpose of this thesis is to effectively fit the selection of frameworks with the need for improvements. Implementing efficient IT governance focuses on the frameworks’ efficiency, which follows an effective selection of frameworks. However, the complexity of the company-wide goals of IT governance already fosters H1.

3 Analysis of IT Problems

The previous chapter points out the importance of implementing IT governance effectively and efficiently. This, however, first requires identifying all IT-related problems, which is the purpose of this chapter. Based on the identified problems, the second step is to select effective and appropriate frameworks that cover all problems and that avoid redundant or unnecessary activities in order to increase efficiency. The correspondent analysis for this part will follow in Chapter 5.

The first element of this chapter, therefore, is to identify actual IT-related problems with frequent occurrence in practice. In order to do so, different research studies have been chosen, whereas all studies were conducted by different research and advisory companies or institutions. The objective is to achieve responses from different industries, company sizes and responsibilities. Secondly, the identified problems will be clustered and refined in three cascading iterations. Thirdly, the final clusters will be classified, resulting in a clear allocation of problems to the four IT governance domains identified in Chapter 2.2. The studies chosen are:

- ITGI:IT Governance Global Status Report 2008[ITGI2008b];
- Accenture: Is there a smarter way to approach IT Governance?[Acce2005];
- A survey by the Economist Intelligence Unit (EIU) [CIO2005];
- Capgemini: IT Trends 2008[Capg2008].

3.1 Problem Identification

The ITGIGlobal Status Report 2008was conducted with 749 respondents on CIO/CEO-levels throughout the world [ITGI2008b]. Several questions were asked related to the frequency of occurrence of IT-related problems, severity, evolution over the past 12 months (improvement or deterioration), and priority for resolution within that time frame. The results are as following, with most frequently occurring problems listed first:

- Insufficient number of staff;
- IT service delivery problems;
- Staff with inadequate skills;
- High cost of IT with low or unproven return on investment;
- Problems with outsourcers;
- Lack of agility/ development problems;
- Problems with document content or knowledge management;
- Disconnect between IT strategy and business strategy;
- Inadequate disaster recovery or business continuity measures;
- Electronic archiving or storage problems;
- Serious operational IT incidents;
- IT neither meeting, nor supporting compliance requirements;
- Security and privacy incidents, eventually involving people, intrusion, etc. [ITGI2008b, 9 and 28]

According to the Accenture study, a major business goal is to ensure that executives spend enough time and effort working on an IT agenda. Accenture identified the following most frequently occurring IT-related problems on executive levels:

- Huge IT investments in time and money, but addressing the wrong levers;
- Focus on curtailing projects rather than creating competitive advantage through IT;
- Failure to achieve desired business goals;
- Failure to achieve desired IT effectiveness goals;
- “Many solutions don’t fit”;
- IT governance model goes into different direction than business;
- Abundance of technology alternatives;
- Over-delegation of IT governance challenges;
- Lack of strong fact base for making decisions;
- Assuming that the “best” technology solutions would emerge;
- Outside handling of the “system” through third parties;
- CIO is separated from technology executives;
- Centralized IT vs. decentralized IT. [Acce2005]

The survey by the EIU focuses especially on short IT budgets, which result in restraining compliance projects. In addition to adapting regulations like the SOX, for example, data security issues still seem to have the highest priorities. The results are:

- Budgetary constraints;
- Deadlines for compliance projects;
- IT’s lack of awareness of wider business issues relating to compliance;
- In-house skills required to implement compliance programs;
- IT staff not involved in decision making/ planning;
- Compliance of third party suppliers;
- Enforcing IT governance. [CIO2005]

The last study for the problem identification in this chapter was conducted in 2008 by the Austrian subsidiary of the technology consulting company Capgemini. Its purpose is to identify future IT trends in Western and Central Europe [Capg2008]. The study is based on interviews with 52 representatives from German, 31 from Austrian, and 16 from Swiss companies. All of the respondents are in executive or top management positions. The survey further includes topics that are not directly related to IT governance like Business Intelligence, Mobility/Wireless, and Outsourcing. However, focusing on issues related to IT governance only, the most frequently occurring problems (more than 40 percent of respondents) are:

- Reduction in service offers;
- Application congestion;
- Overburden IT employees;
- Decreasing quality of IT services;
- Endangerment of the IT department’s activities;
- Potential decrease in competitive strength;
- Time-to-market objectives;
- Lower customer acceptance due to service quality;
- One-sided strategy formulation;
- Low awareness within employees concerning risk and security;
- Unauthorized internal data access;
- Low awareness within the management concerning risk and security. [Capg2008]
39 percent or more of the respondents report to have issues with IT infrastructure that are in an initial, repeatable or defined, but not managed or optimized status.^[4]Those include:
- Incident, problem and change management;
- Configuration, release and service level management;
- Capacity and availability management;
- IT continuity and financial management. [Capg2008]

The most frequent issues with implementing a CRM strategy or project are:

- Lack of clear goal settings, too many non-prioritized activities;
- No establishment of concrete business cases;
- Lacking know-how of employees. [Capg2008]

3.2 Clustering of Problems

The objective of this chapter is to categorize the identified problems so as to converge them into more common categories that cover similar issues. A further step is to allocate the problems to the IT governance domains identified in Chapter 2.2 (Strategic Alignment, Value Creation, Risk Management,andPerformance Measurement).

3.2.1 Stage One

The first clustering stage is supposed to help understand each of the identified problems in a business context. Since the identified problems are mostly formulated unspecific, some clusters in the first stage may only include a business “translation” of the indentified problems. The purpose is to identify overlapping problems or tasks within the surveys.

An example of this approach is the allocation of the problems “Disconnect between IT strategy and business strategy”and “IT governance model goes into different direction than business”into the first target clusterStrategic Direction. Both problems clearly address the issue of finding a strategic IT governance direction for the organization. Thus, contextual-wise both problems are equivalent, which allows allocating both into one cluster.

“IT service delivery problems”, being another example, are based on contractual agreements on service delivery. This problem could be resolved by changingService Level Agreements (SLA), which is the target cluster for this problem. SLA’s are contractual agreements between an internal or external service partner and their customer and contain all rights and duties including quality, prices, and degree of customer integration [BuES2005, 231].

In addition, each of the problems will be tagged by a capital letter in brackets that identify its source from Chapter 3.1.^[5]Having adopted this approach to all identified problems, the first level clustering results are as following:

illustration not visible in this excerpt

Table 1: Stage 1 Clustering of Problems [Own statement]

3.2.2 Stage Two

The second stage is a coarser clustering of the first stage. The goal is to allocate a problem to organizational positions or subtasks, like for example Architecture ManagementorProblem Management. This is important in order to house capabilities within dedicated organizational units if organizational members are to achieve high levels of coordination [Gran2008, 153]. According to Krcmar, architecture management includes the elements data, processes, application, and communication [Krcmar2005, 195]. All elements refer to its architecture only. Data, in this case, represents an enterprise-wide data model, which is a holistic illustration of all data objects within the company [Krcmar2003, 86]. The resulting clusterArchitecture Managementin stage two, therefore, will include the stage-one-clustersIT Architecture, Responsibilities, Information Architecture,andCommunication Structure.

[...]

---

^[1]Malware is software with the purpose of infiltrating or damaging computer data without the owner’s consent. [Tech2008]

^[2]The ROIT was created to measure efficiency and effectiveness of IT investments and is based on net profits and on IT spending. Those include hardware, software, services, communication systems, development, administration and overhead.

^[3]TCO is a holistic assessment of IT costs over time and implies an all-encompassing collection of costs associated with IT investments, including capital investments, license fees, leasing costs, service fees and labor expenses.

^[4]The statuses define maturity levels of occurring problems according the capability maturity model integration (CMMI). It is the basic structure that organizes CMMI components and combines them into models. CMMI is a process improvement approach with five maturity stages, where the highest level (five) reflects the ideal state where processes are systematically being managed. [ChKS2007]

^[5](I) for ITGI Global Status Report, (A) for the Accenture study, (E) for the study by the EIU, and (C) for the Capgemini study