Loading...

Discussion 5

Open Posted By: surajrudrajnv33 Date: 27/10/2020 High School Dissertation & Thesis Writing

 Read the attached articles and answer the following questions

Consider the role of IT governance in extending the leadership of the CIO through the IT organization and through the organization as a whole, including:

  • How do you envision the relationship between IT governance and best practices?( 1 paragraph, more than 5 lines)
  • Is IT governance a critical factor in establishing IT-business alignment and ensuring performance of the organization in meeting its mission?( 1 paragraph, more than 5 lines)
  • Are there circumstances in which informal (undocumented) governance is acceptable in an IT organization? If so, what type of organization would that be?( 1 paragraph, more than 5 lines)

MUST USE  THE ATTACHED ARTICLES TO ANSWER THE ABOVE QUESTIONS and can also use addition resources but APA format and  citations , references are must.

Category: Business & Management Subjects: Business Communication Deadline: 24 Hours Budget: $80 - $120 Pages: 2-3 Pages (Short Assignment)

Attachment 1

RESEARCH ARTICLE

Board-level IT governance and organizational

performance

Ofir Turel1 and Chris Bart2

1Steven G. Mihaylo College of Business and

Economics, California State University, Fullerton,

CA, U.S.A.; 2DeGroote School of Business, McMaster University, Hamilton, Ontario,

Canada

Correspondence: Ofir Turel, Steven G. Mihaylo College of Business and Economics, California State University, 800 N. State College Blvd., P.O. Box 6848, Fullerton, CA 92834-6848, U.S.A. Tel: þ1 657 278 5613

Both authors contributed equally to this work

Received: 24 October 2011 Revised: 26 January 2012 2nd Revision: 27 August 2012 3rd Revision: 5 November 2012 4th Revision: 11 December 2012 5th Revision: 13 December 2012 Accepted: 14 December 2012

Abstract Research on the strategic management of Information Technology (IT)

resources has mostly focused on the oversight provided by the management

team as a means to increase organizational performance. In recent years, boards of directors have also increased their involvement in IT matters, and

various theoretical lenses suggest that this oversight too has the potential

to influence organizational performance. Hence, this study synthesizes the resource-based and contingency views of MIS with corporate governance

theories, and examines key antecedents and consequences of board-level IT

governance (ITG) using a multi-method approach. Structural Equation Modell- ing analysis applied to organization-level data collected from 171 board

members suggested that the level of ITG exercised by boards was contingent

upon the organization’s ‘IT use mode’, along the two dimensions of need for

(a) fast and reliable IT, and (b) new innovative IT. But, the findings further suggested that the contingency approach may be suboptimal because it can

cause new ways of leveraging IT to be ignored. High levels of board-level ITG,

regardless of existing IT needs, increased organizational performance. This phenomenon was illuminated with applicability checks. Moreover, content

analysis and structured interviews with board members further enriched these

insights. European Journal of Information Systems (2014) 23, 223–239. doi:10.1057/ejis.2012.61; published online 5 February 2013

Keywords: IT governance; board of directors; resource-based view; strategic grid; organizational performance; corporate governance

Introduction The business value of Information Technology (IT) has been studied over the last two decades (Mukhopadhyay et al, 1995; Hitt & Brynjolfsson, 1996; Devaraj & Kohli, 2000; Kohli & Devaraj, 2003), in part, to try to demystify the productivity paradox (Brynjolfsson, 1993) and to help companies understand the merits of investing in IT (Devaraj & Kohli, 2003; Kohli & Devaraj, 2003; McAfee & Brynjolfsson, 2008). This line of research has especially examined how IT resources and capabilities, including IT artefacts, policies, managerial capabilities, and human capital, influence firm performance (Melville et al, 2004; Kohli & Grover, 2008). A critical mass of studies now indicates that technology does create value when it is synergistically embedded into value creation processes (Melville et al, 2004; Wade & Hulland, 2004; Kohli & Grover, 2008); and that this effect depends on many factors, including IT management and planning capabilities and processes, which are the focus of this study. These include the ability to effectively manage IT resources, identify fruitful projects, lead the IT function, and coordinate IT needs and solutions with stakeholders (Melville et al, 2004)

European Journal of Information Systems (2014) 23, 223–239 & 2014 Operational Research Society Ltd. All rights reserved 0960-085X/14

www.palgrave-journals.com/ejis/

The current study expands this view, and examines the antecedents and organizational performance conse- quences of often overlooked IT management processes, more specifically, IT governance (ITG) by the board of directors. ITG is ‘an integral part of enterprise governance and consists of the leadership and organizational struc- tures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives’ (IT Governance Institute, 2003, p. 10). Con- sistent with the definition by the IT Governance Insti- tute, IT is treated as a broad concept that encapsulates technical infrastructure, the supporting organizational structure, and IT management capabilities and processes. Because ITG is the responsibility of the executive manage- ment team and the board of directors (IT Governance Institute, 2003, p. 10), we use the term board-level ITG to narrow the focus of this study on boards of directors and their ITG-related actions. Relying on the above definition of ITG, board-level ITG is defined as the board’s actions to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. While board- level ITG may be an important practice that can drive organizational performance, little is known about it (Nolan & McFarlan, 2005; Bart & Turel, 2010). We seek to partially fill this gap, and examine whether the level of ITG exercised by boards is based on the IT use mode of the organization (an internal contingency), whether this con- tingency approach has merit, and whether performance gains caused by ITG exercised by boards are sustainable.

We first rely on several theoretical lenses to explain how boards’ ITG practices can influence organizational performance. Taking a resource-based perspective (Peter- af, 1993; Hart, 1995), board-level ITG can be conceived as a managerial IT resource, which can add value to the executive management team and the organization in four ways by: (1) facilitating strategic leadership, (2) advising the executive management team, (3) establishing con- trol mechanisms to protect the principals’ (stakeholders) interests from self-interest actions of the executive man- agement team (agents), and (4) enabling access to external resources (e.g., knowledge, capital) (Zahra & Pearce, 1989; Johnson et al, 1996). All of these can apply to IT issues as later explained. As such, board-level ITG has the potential to complement and supplement the more commonly examined resource of executives’ IT management practices and decisions.

Given the presumed influence of board-level ITG on organizational performance, it is also desirable to under- stand some of its antecedents and the way they poten- tially interact with ITG practices. One such factor can be the organization’s mode of IT use (Nolan & McFarlan, 2005); that is, the extent to which IT is used for strategic- offensive purposes and the extent to which IT needs to be fast and reliable. These factors are used by Nolan & McFarlan (2005) as the basis for offering prescriptive ITG guidelines for boards. When either one of the suggested IT needs is high, a higher level of ITG by the board is prescribed to the organization. Employing a contingency

view (Fiedler, 1964; Weill & Olson, 1989), the board is likely to assess, at least to some extent, the particular IT situation of their organization and use this information for deciding on the optimal level of ITG. We therefore propose that the level of ITG by the board depends, in part, on the organization’s need for (1) fast and reliable IT, and (2) innovative and competitive IT. These organi- zational IT needs can also moderate the proposed effect of ITG on firm performance. Specifically, it is proposed that the fit between these needs (the IT use mode) and the prescribed level of ITG by the board should augment firm performance.

Altogether, this model conceptualizes and examines board-level ITG, some of the mechanisms that drive its enactment and how such actions translate to firm performance. The proposed model is first tested with Structural Equation Modelling techniques applied to data collected from 171 board members. While the hypothe- sized direct effects were supported, the moderation (fit between the prescribed and exercised level of ITG) effects were not, which implies that board-level ITG increases organizational performance regardless of the IT needs of the organization. We then shed more light on these insights by using applicability checks, and by using struc- tured interviews and content analysis to develop a better understanding of the potential sustainability of board- level ITG effects and ways to improve board-level ITG. Ultimately the findings enrich and advance the IT value and management literatures by adding one missing piece – board-level ITG. Presumably, this missing piece can influence many other IT capabilities and resources discussed in the MIS literature, and ultimately improve organizational performance. Thus, this study develops a platform for future research on the antecedents, forms and configurations, and consequences of ITG by an organization’s board of directors.

Theoretical background This section provides an overview of three concepts that are pertinent to this study: (1) board-level ITG and its difference from governance by executive management; (2) the IT environment as an internal contingency that can influence board-level ITG; and (3) IT management capabilities and their effects on organizational perfor- mance. Other concepts and theories are embedded in the hypotheses section.

Board-level ITG ITG is an oversight practice that is executed by both the board of directors and the executive management team. Its objective is to ensure effective utilization of IT such that: (1) IT is aligned with the enterprise, (2) IT allows the organization to exploit opportunities, (3) IT resources are used responsibly, and (4) IT risks are managed appropria- tely. These four foci are intertwined with performance measurement – the board and the executive management team need to track project plans and delivery, and monitor IT services and risks (IT Governance Institute, 2003).

Board-level IT governance and organizational performance Ofir Turel and Chris Bart224

European Journal of Information Systems

Similar views regarding the scope of ITG have been expressed in multiple studies (O’Donnell, 2004; Read, 2004; Trites, 2004).

Several associations and standardization bodies have attempted to develop ITG frameworks, including Val IT (framework for planning, executing and monitoring the extraction of value from IT-enabled processes), and COBIT (Control Objectives for Information and related Technol- ogy) which are endorsed by the IT Governance Institute (see www.itgi.org). Others include ISO/IEC 38500 (Standard for Corporate Governance of IT, 2008) by the International Organization for Standardization, and COSO (Committee of Sponsoring Organizations) guidelines for internal con- trol systems, fraud prevention, and risk management (see www.coso.org). However, there is no single widely accepted ITG framework (Raghupathi, 2007; Wilkin & Chenhall, 2010).

Given the importance of ITG, it should include signi- ficant board involvement (Read, 2004). The board of directors is a group that oversees the management of an organization. Their general corporate governance respon- sibilities include strategic planning and monitoring, ensuring policies and resources for achieving targets, validating internal controls, and making sure risks are identified and monitored. Boards of directors approve all major decisions, often provide advice and counsel to executives (external directors can bring insights from other organizations with which they are involved), and monitor both management’s actions and the resultant performance (Daily et al, 2003a, b). All of these duties can have IT links, which behove the board to engage in ITG (Trites, 2004). Boards obtain information for their ITG duties (e.g., for risk assessment, assessment of needed resources, and examination of strategic needs) by raising IT issues in the boardroom and asking management questions about existing and potential IT risks, invest- ments, and strategic plans (Bart & Turel, 2010). These questions can drive management to examine overlooked IT issues, find funding sources for IT projects, and ensure that managers act according to the best interest of stakeholders.

While board-level ITG is an important topic (Nolan & McFarlan, 2005), there has been little empirical research on it. Studies thus far have focused on ITG by executives and IT managers but not on ITG by the board (see review in Wilkin & Chenhall, 2010). These studies mostly show, through a resource-based lens, that management over- sight regarding IT adds value. We argue that board-level ITG can add value beyond the value produced by execu- tives’ ITG practices. Other authors discuss the ITG respon- sibilities of board members (O’Donnell, 2004; Read, 2004; Trites, 2004; Wilkinson, 2004) or suggest conceptual ITG development frameworks (Raghupathi, 2007). These conceptual papers have highlighted the potential impor- tance of board-level ITG and the need to further study empirically this essential practice. This paper extends these works, and examines a theory-based framework explicating the links between the IT environment of an

organization, board-level ITG, and organizational perfor- mance.

The IT environment and board-level ITG Boards often respond to industry demands while taking into account the internal situation of the organization (Zahra & Pearce, 1989; Minichilli et al, 2009). They should therefore employ contingent governance – change their governance style and foci based on the internal and external situations they perceive (Strebel, 2004). It is reasonable to expect that the same applies to IT issues, and that boards consider, among other things, the way the organization utilizes IT when they decide on their ITG efforts.

What may be the key situational IT criteria (the con- tingency factors) boards would normally consider? Researchers have advanced the notion of the IT strategic grid (McFarlan et al, 1983; Cash et al, 1988) to the board level. They argue that one important consideration is the organization’s ‘IT usage mode’ which is based on two criteria: (1) the need for new, cutting-edge technologies to gain (or sustain) competitive advantage (‘high need/ offensive use’ vs ‘low need/defensive use’), and (2) the need for fast and reliable information technologies (high need vs low need) (Nolan & McFarlan, 2005). The two contingency factors, the four resultant modes (i.e., factory, strategic, support, and turnaround), as well as the 14 indicators for determining a firm’s classification, are depicted in Figure 1.

Companies in the ‘turnaround mode’ do not need fast, reliable IT systems and so there is a greater expectancy for potential system failures. Such companies, though, will still attempt to use innovative, less tested technologies ‘offensively’ to help them implement major transforma- tions, reduce costs, and gain strategic advantage. In con- trast, companies in the strategic mode heavily rely upon both expensive state-of-the-art IT for producing significant strategic gains and quick, highly reliable systems (which typically require stronger IT security, stability, and backup than those in the turnaround mode). When companies do not need such revolutionary technologies to thrive strate- gically but nevertheless require rapid response and reliable IT to carry out major operations (e.g., an automated auto assembly line), their IT usage is more ‘defensive’ in nature and they are categorized as ‘factory mode’. Finally, ‘support mode’ companies are those in which both the need for IT response swiftness and reliability is low and there is a low need for new state-of-the-art technologies to stay in business (i.e., IT is used only for defensive purposes).

IT management capabilities and organizational performance Organizational performance captures an organization’s health along financial, systemic, and social dimensions (Zahra & Pearce, 1989). The financial performance dimension focuses on wealth maintenance and creation; the systemic performance dimension focuses on sur- vival and growth; and the social performance dimension

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 225

European Journal of Information Systems

captures organizations’ responses to societal expecta- tions. We adopt a slightly narrower view in this study, and focus mostly on the financial performance dimen- sion for two key reasons. First, the systemic and social dimensions often translate into companies’ bottom-lines and are hence reflected in their financial performance (McGuire et al, 1988; Habbershon et al, 2003). Second, it is likely to be easier for directors to observe, reflect, and report on overall financial performance as opposed to the other two.

IT investments translate into financial payoffs predo- minantly when IT management capabilities and pro- cesses supplement the investment in IT (Mata et al, 1995; Santhanam & Hartono, 2003). The rationale of this effect is that managerial IT skills meet three criteria for sustained competitive advantage (Mata et al, 1995), and that such an advantage often translates to improved performance (Bharadwaj, 2000; Wiggins & Ruefli, 2002). First, IT management capabilities are valuable and can influence firm performance (Lewis & Byrd, 2003; Ravichandran & Lertwongsatien, 2005; Byrd et al, 2006). Second, managerial IT capabilities are heterogeneously distributed across competing firms; that is, not all firms possess this capability to the same extent (Weill, 2004; Weill & Ross, 2004). Finally, managerial IT capabilities are imperfectly mobile. They are very difficult to develop and require long periods of learning by doing and trial and error (Mata et al, 1995). Indeed, the potential influences of different facets of managerial IT capabilities on organizational performance have gained support in multiple studies (Armstrong & Sambamurthy, 1999; Bharadwaj, 2000; Lewis & Byrd, 2003; Santhanam & Hartono, 2003; Ravichandran & Lertwongsatien, 2005). This study argues that board-level ITG is an overlooked IT management capability that can also influence organiza- tional performance.

Figure 2 synthesizes the concepts reviewed in this section and depicts the resultant research model and associated hypotheses which we develop in the next section.

Hypotheses The literature thus far has mostly implied that IT manage- ment capabilities are a property of the IT unit, and/or of the executive management team (i.e., the CEO, CIO, and other executives) (Armstrong & Sambamurthy, 1999; Wade & Hulland, 2004). However, several studies suggest that boards can oversee and steer an organization’s IT manage- ment efforts (Nolan & McFarlan, 2005; Appleby, 2008). Accordingly, we conjecture that ITG by the board is a special and important IT management capability – worthy of separate treatment, investigation, and nomenclature. To this end, we propose that board-level ITG meets the three criteria suggested by Mata et al (1995) for sustained strategic impact of IT resources, and that it has the resource attributes specified by Wade & Hulland (2004) for achiev- ing at least a short term strategic advantage.

First, several studies show that firm executives, includ- ing the CEO, CIO, and their interactions can influ- ence organizational performance (Chatterjee et al, 2001; Preston et al, 2008; Chen et al, 2010; Johnson & Lederer, 2010). However, the actions of top executives can be guided and monitored, in part, by the plans and demands set by the board of directors (Laux, 2010; O’Shannassy, 2010).

Factory Mode

- One-minute system failure causes loss of business

- Response time lag has serious consequences for users

- Core business activities are online

- Most systems work is maintenance

- Systems work provides little strategic value or cost saving

Support Mode - 12-hour service interruption causes no serious

consequences Online userre sponse time can take up to 5 seconds

- Systems are mostly invisible to customers and suppliers

- 80% of value transactions can quickly revert to manual - Most systems work is maintenance

Strategic Mode

- One-minute system failure causes loss of business

- Response time lag has serious consequences for users

- New systems promise major transformations and cost reductions

- New systems will close gaps with competitors

Turnaround Mode

- New systems promise major transformations and cost reductions

- New systems will close gaps with competitors - IT is more than 50% of capital spending - IT is more than 15% of total corporate expenses

Need for New IT (with strategic impact)

Low Need (Use IT Defensively)

N ee

d fo

r Sp

ee d

& R

el ia

bi lit

y

H ig

h L

ow

High Need (Use IT Offensively)

Figure 1 Contingency variables for board-level ITG, the emergent IT use modes, and their indicators (adapted from Nolan &

McFarlan (2005) as adapted from the original strategic impact grid described in McFarlan et al (1983)).

Need for New IT (Low = Defensive, High = Offensive)

Need for Fast & Reliable IT

(Low Need, High Need)

Level of ITG by the Board

Perceived Organizational Performance

H1

Contingency Variables

Board’s IT Oversight Practices

Outcome

H 2b

H 2a

H3a

H 3b

Figure 2 Research model.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart226

European Journal of Information Systems

The board directs (or limits) the executive management team’s attention to the business areas, and presumably also IT issues, the board perceives to be important through the questions and requests they raise in the boardroom. These efforts have been linked to organiza- tional performance (Mueller & Barker, 1997; Cannella & Hambrick, 2001).

Extending this view, we argue that board-level ITG can add value to other IT management resources, such as the executive management team’s IT management capabil- ities. First, from a resource-dependence view (Johnson et al, 1996), directors are often affiliated with multiple organizations, vendors, and customers, and have indus- try and governance experience (Zahra & Pearce, 1989). They therefore often provide organizations with access to resources, such as knowledge and capital, to which execu- tives may not have access. External knowledge may include the IT oversight practices developed in another organization or experiences gained with an outsourcing vendor. Access to capital may include the ability to secure funds for a system implementation project. By so doing they can influence management foci and the quality of their decisions, and ultimately allow better orchestra- tion of external demands and resources with internal needs and capabilities. Second, taking an agent-theoretic perspective (Eisenhardt, 1989), the board can raise IT questions, and through this process reduce the infor- mation asymmetry between management (agents) and stakeholders (principals), and ultimately prevent oppor- tunistic behaviours of management (e.g., ensure that the executive management team invests in proper IT security measures, rather than giving themselves a bonus). Third, from a stewardship theory perspective (Donaldson, 1990), managers need less oversight, and more advice, because they are deemed to be trustworthy good stewards of the resources they manage. Boards can provide these services as well through the IT issues they discuss. For example, by discussing IT strategies and risks in board meetings they can direct management to consider IT risks and needs that were not previously known to the executive management team. Synthesizing these perspec- tives, board-level ITG can be a valuable capability.

Second, board-level ITG is not executed homoge- neously across firms and competitors; some boards do not discuss IT issues at all, and others have established dedicated IT committees that discuss many IT issues (Nolan & McFarlan, 2005; Bart & Turel, 2010). Thus, board-level ITG is plausibly heterogeneously distributed across competitors.

Third, board-level ITG can be imperfectly mobile. Even though there are prescriptive guidelines describing what the board should do (IT Governance Institute, 2003; CICA, 2004; ISO, 2008), board-level ITG is easier said than done. Many directors may lack the knowledge to discuss IT issues (Huff et al, 2004; Nolan & McFarlan, 2005) and consequently are afraid ‘to raise IT issues at meetings for fear of embarrassing themselves in front of their peers’ (Huff et al, 2004, p. 4). Considering the

abovementioned three criteria, board-level ITG can produce temporary and potentially sustained competitive advantage (Mata et al, 1995), which should ultimately translate to superior financial performance (Bharadwaj, 2000; Wiggins & Ruefli, 2002).

A similar picture emerges from using Wade and Hulland’s (2004) classification of resources and capabil- ities. Board-level ITG is close in scope to what they called ‘IS management/planning’, in that it is a spanning cap- ability that focuses on the capacity of IT management to understand how technologies should be used and IT-enabled processes should be changed in response to the strategic forces in the market. While previous studies assumed that this is the responsibility of the CIO and/or other executives (Armstrong & Sambamurthy, 1999; Wade & Hulland, 2004), we argue that such capabilities can be developed by boards of directors as well. Treated as a spanning resource, board-level ITG should help firms achieve at least a short-term competitive advantage – it is relatively rare (Bart & Turel, 2010) and valuable (Appleby, 2008). Thus, from this perspective too, board-level ITG can improve organizations’ competitive standing, and ultimately their performance. Hence:

H1: Higher levels of ITG by the board of directors increase organizational performance.

Boards of directors often base their foci and decisions on internal organizational contingencies (Zahra & Pearce, 1989). Following the contingency logic (Weill & Olson, 1989) and the strategic grid research as applied to IT managers (Raghunathan et al, 1999), the stronger the organization’s need for reliable IT and its need for new IT, the higher would be the level of ITG exercised by the board (Nolan & McFarlan, 2005). Boards have limited time and resources, and would therefore spend them as deemed necessary (Kroll et al, 2008; Laux, 2010), presumably also on IT matters. When boards perceive IT-related needs to be low, they will likely devote their time to what they perceive to be as more prominent issues for the organization.

Indeed, it has been shown that boards of companies with a high need along either one of these dimensions raise more IT issues (and hence engage in a higher level of ITG) than companies that have low needs for reliable IT or for new IT (Bart & Turel, 2010). Replicating these findings, but in a broader nomological network which allows further insight:

H2: Organizations’ IT use mode influences the ITG efforts exercised by the boards of directors.

H2a: Boards of organizations with high need for fast and reliable IT would engage in greater ITG than boards of organizations with low need for fast and reliable IT.

H2b: Boards of organizations with high need for new IT (using IT offensively) would engage in greater ITG than

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 227

European Journal of Information Systems

boards of organizations with low need for new IT (using IT defensively).

Firm needs for new or for fast and reliable IT can have a broader role than merely determining the level of ITG the board of directors will choose to employ. Presumably, when the prescribed level of ITG meets the organi- zational situation, performance should be enhanced (Nolan & McFarlan, 2005). For example, when an organization uses IT offensively, the board is prescribed to discuss a large set of questions as a means to improve firm performance. That is, when there is fit between the board’s level of ITG and the IT needs of the organization, the board-level ITG efforts should be better translated into performance. In contrast, when there is misfit between IT needs and the exercised level of ITG, boards’ efforts should be less effective because the board has presumably misunderstood the situational contin- gencies of the organization. Thus:

H3: The fit between the IT needs of organizations and the level of ITG by the board of directors increases organizational performance, over and above the direct effect of the level of ITG by the board of directors on organizational performance.

H3a: Higher need for fast and reliable IT interacts with the level of ITG exercised by the board to increase organizational performance.

H3b: Higher need for new IT (using IT offensively) interacts with the level of ITG exercised by the board to increase organizational performance.

Methods A multi-method approach was taken. First, a paper-based survey was administered to board members of Canadian firms. It collected data for assessing the research model, as well as an open-ended question for content analysis. Second, content analysis was applied to director respon- ses, and structured email-based interviews were con- ducted with several directors and CEOs. The qualitative studies were used to enrich the insight yielded by the structural model, explain surprising findings, and pro- duce more focused practical recommendations for boards of directors.

Sample The survey was administered to 240 board members who attended a corporate director governance training programme in Canada. The training programme was directed by one of the researchers, and covered typical directorship issues such as accountability, leadership, strategy, financial literacy, and oversight. While the respondents as a whole were known casually to him, individual submissions were anonymous and could not be linked to particular individuals or firms. While it is

possible that the sample contained respondents from the same organization, these would be few in number, that is, less than 5%. Out of the participants who were ap- proached, 176 board members presumably representing 176 Canadian organizations turned in the survey. Five surveys were incomplete and were removed, and a sample of 171 board members (response rate of over 71%) was retained. Data pertaining mostly to board/organization actions and performance as perceived by the individual board member, as well as to board members’ gender, status (independent/external or non-independent /inter- nal) and the number of boards on which they serve were also obtained. The sample was male dominant (83%), and included mostly independent (outside) directors (78%) who served on average on 2.23 boards (1 to 10). Table 1 presents descriptive statistics regarding the participating organizations. As can be seen, the sample is heterogeneous in profit orientation, size (sales and number of employees), and the level of ITG executed by boards (the number of IT issues that were discussed by the boards). The average number of IT topics raised by the sampled boards was about 12 out of 27 potential IT issues (std.dev.¼7). While the sample is slightly dominated by non-profit firms, organizations with all combinations of IT needs are pre- sent. Owing to the anonymity of respondents we do not have the specific composition of the types of non-profits we have in the sample. Based on the composition of the group of board members who participated in the training, we can assume that non-profits in our sample included mostly two groups: (1) Associations and industry boards, hospitals, as well as provincial government boards (e.g., the ones that control gambling or alcohol sales in a province), and (2) federal government corporations, such as the Canadian Wheat Board and Canada Lands Com- pany.

First, it was examined whether respondents’ gender, status (independent vs non-independent director), and the number of boards on which they serve had any influence on the ways they perceived their companies. Gender (Po0.69), status (Po0.47), and their interaction (Po0.95) were modelled as fixed factors, the number of boards on which respondents serve (Po0.34) as a covariate, and the model’s constructs as dependent variables in multivariate analysis of variance. The model yielded non-significant Pillai’s Trace scores for these relationships (see parentheses next to predictor names). It was hence concluded that there are no indivi- dual-characteristic-based reporting differences in the data set.

Measures Because board members often serve on multiple boards (Mean¼2.23), we asked them to refer to a single organization with which they were most familiar. They were asked to self-report on behaviours as well as organizational performance perceptions of the larger board of directors. They hence provided organizational/ board-level data as they observe it.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart228

European Journal of Information Systems

Performance The measurement of the impact of IT resources and capabilities is a debated issue in MIS research because there are many potential outcomes at different organizational levels (Ray et al, 2004; Wade & Hulland, 2004). In this study, we employed a perceptive measure of performance that captures how directors perceive their organization’s performance from a finan- cial standpoint. We did so for several reasons. First, the validity of such measures has been demonstrated (Tallon et al, 2000; Tallon, 2010) as well as their potential accur- acy (Tallon & Kraemer, 2007). Second, perceptive mea- sures can be advantageous because ‘Scaled perceptual measures of (performance) are considered more relevant than absolute measures y because the latter tend to be arbitrary and influenced by the type of industry’ (Bart, 1993, p. 349). Perceptions, on the other hand, are what ultimately influence board and senior management behaviours and decision making. Third, because partici- pants remained anonymous for the most part, links to the participating firms could not be established and objective performance measures could not be obtained.

The perceptive measure we used encapsulated primarily financial performance because directors often do not have access to operational-level data (Strebel, 2004) and often focus solely on financial measures (Gaa, 2009). Thus, they can best report on a holistic assessment of organizational financial performance, but may fail to adequately report on other dimensions or operational performance measures. We employed a self-developed three-item measure which includes implicit and explicit comparisons to competitors and to industry expecta- tions. These are important aspects that can be missing in direct measures of financial performance. Direct mea- sures may be impressive (e.g., growth rate of 50% a year) but they are not that meaningful without considering the performance of industry peers (e.g., an average growth rate of 200% in the sector). We therefore asked directors to report on (1) their board’s and (2) their own satis- faction with their organization’s current financial per- formance, using a 10-point Likert scale (1¼not at all satisfied; 10¼ extremely satisfied). They were also asked to report on the ‘relative performance standing’ of their organization in its particular industry, again using a 10- point Likert scale (1¼ significantly below; 10¼ significantly above).

Level of ITG by the board To capture the level of ITG exercised by the board, respondents were asked to indicate whether (yes/no) their boards raised each of the 27 ITG questions that were recommended by the Canadian Institute of Chartered Accountants (CICA) (CICA, 2004). The ITG questions were developed for inclusion in one of a series of monographs dealing with issues of importance to board members. Other topics in the series include risk, strategy, and executive compensation. Each monograph was designed to give corporate directors guidance on the types of questions they should be asking as part of their oversight responsibilities. Thus, the CICA’s ITG questions

T a b

le 1

D e sc

ri p

ti v e

st a ti

st ic

s fo

r th

e sa

m p

le a

P ro

fi t

o ri

en ta

ti o n

C o n ti

n g en

cy fa

ct o rs

n B o a rd

-l ev

el IT

G P er

fo rm

a n ce

S a le

s (m

ill io

n $

C A

D )

N u m

b er

o f

em p lo

ye es

N ee

d fo

r n ew

IT N

ee d

fo r

sp ee

d a n d

re lia

b ili

ty

N o t

fo r

p ro

fi t

(n ¼

1 1 8 ,

6 9 %

) Lo

w Lo

w 2 7

6 .4

8 6 .4

9 2 3 8 .2

5 3 1 4 9 .1

3 (7

.0 9 )

(1 .6

5 )

(3 3 9 .3

3 )

(1 0 ,9

7 6 .3

5 )

H ig

h 2 2

1 3 .0

9 6 .9

6 5 3 5 .0

0 1 3 8 1 .1

3 (7

.5 3 )

(1 .7

1 )

(4 0 6 .4

4 )

(2 2 7 8 .7

1 )

H ig

h Lo

w 2 9

1 3 .0

3 7 .2

2 1 0 6 6 .7

1 8 8 9 .2

7 (6

.3 4 )

(1 .5

2 )

(1 7 7 5 .7

4 )

(9 4 7 .6

4 )

H ig

h 4 0

1 4 .3

5 7 .3

6 1 2 8 1 .0

2 3 6 4 3 .7

7 (5

.8 6 )

(1 .5

6 )

(2 1 0 4 .3

5 )

(1 1 ,6

1 4 .8

0 )

Fo r

p ro

fi t

(n ¼

5 3 ,

3 1 %

) Lo

w Lo

w 1 6

1 0 .8

8 7 .2

1 8 0 4 .4

1 6 3 6 .2

5 (6

.7 7 )

(1 .5

2 )

(1 9 4 2 .4

0 )

(7 4 1 .8

8 )

H ig

h 1 1

1 3 .2

7 5 .8

5 3 0 9 .4

2 1 0 1 3 .3

9 (1

3 .4

0 )

(2 .5

3 )

(3 2 0 .0

4 )

(1 0 0 4 .2

9 )

H ig

h Lo

w 1 0

7 .8

8 6 .3

8 1 7 7 .3

9 3 6 5 .6

6 (6

.2 0 )

(1 .9

4 )

(2 6 1 .2

0 )

(6 3 6 .2

6 )

H ig

h 1 6

1 4 .2

2 6 .7

3 4 7 9 .2

9 7 0 3 .0

2 (8

.3 5 )

(1 .8

9 )

(1 1 7 6 .4

7 )

(1 2 3 2 .1

3 )

T o ta

l 1 7 1

1 2 .0

1 6 .9

1 7 3 8 .6

0 1 9 0 7 .3

1 (7

.7 7 )

(1 .7

3 )

(1 4 8 1 .7

3 )

(7 1 7 6 .4

7 )

a E a ch

ce ll

co n

ta in

s th

e m

e a n

o n

to p

, a n

d th

e st

a n

d a rd

d e vi

a ti o n

in p

a re

n th

e se

s o n

th e

b o tt

o m

.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 229

European Journal of Information Systems

presumably cover the spectrum of IT issues boards should discuss. While there are many governance frameworks that can be utilized by boards, they cover parallel topics and propose similar sets of ITG issues to be discussed in the boardroom (Bart & Turel, 2010; Wilkin & Chenhall, 2010). However, given the Canadian context of this study, the ITG questions proposed by the CICA seem most appro- priate (see Appendix A).

The reported total of the ITG issues raised by the board was used as a proxy for the level of ITG oversight provided. It is acknowledged that this measure captures only ITG breadth (the range of IT topics that were discussed by a board) and not depth (the amount of time, number of meetings or efforts devoted to IT issues in the boardroom). This measure was employed because ITG depth is difficult to operationalize using self-reported data. Nevertheless, boards are likely to discuss raised topics to the extent deemed necessary. Thus, the scope of ITG topics covered by the board can be a reasonable proxy for the level of ITG exercised by the board.

Contingency variables Two internal contingencies were conceptualized in this study: the need for new IT and the need for fast and reliable IT. While there are valid measures for the strategic grid position of firms (Raghunathan et al, 1999), they were only developed for and tested with IT managers, but not with boards of directors. We therefore employed the more board- targeted framework suggested by Nolan & McFarlan (2005) for assessing the firms’ position on the strategic grid from a board’s perspective.

The items proposed by Nolan & McFarlan (2005) were developed for classification purposes, and were accord- ingly used in the current study for binary classification (high vs low need along each one of the IT use mode dimensions). Specifically, respondents were queried – using a 7-point Likert scale (1¼ strongly disagree; 7¼ strongly agree) – on their level of agreement with the 14 questions depicted in Figure 1. For each respon- dent, the average level of agreement reported for the questions indicating a ‘high need for new IT’ (i.e., the questions in the right-hand column in Figure 1) was calculated and compared with the average level of agreement reported for the questions indicating a ‘low need for new IT’ (i.e., the questions in the left-hand column of Figure 1). Organizations were classified based on the highest column score as having either a low or high need for new IT. A binary variable corresponding with this classification was created (i.e., low need for new IT¼0; high need for new IT¼1). A similar comparison between the average level of agreement calculated for the questions in the top and bottom rows of Figure 1 was used for generating a dummy variable to capture each company’s need for fast and reliable IT (i.e., Low need¼ 0; High need¼1).

Control variables The data collected on each organiza- tion included its sales (revenue in millions of CAD$),

number of employees, and the type of firm orientation (i.e. for-profit or not-for-profit). The first two control variables are proxies for organization size, which often influences internal processes and resource utilization (Zahra & Pearce, 1989; Ray et al, 2004), as well as IT planning efforts (McFarlan et al, 1983). The third control variable can also be important. Non-profit organizations (e.g., government hospitals and schools) and for-profit companies (e.g., large retailers) can employ different governance styles (Fama & Jensen, 1983).

Analysis and results Correlations and reliability measures (for multi-item constructs) were calculated (see Table 2). The measure of performance was consistent and reliable.

Assessment of common method bias The potential effect of Common Method Variance (CMV) was assessed using multiple techniques (Turel et al, 2011). First, Harman’s single factor test was employed. The results of un-rotated principal component analysis ap- plied to the model’s constructs indicated the existence of more than one principal component. The first one explained 38% of the variation, and the second one explained another 28%. Thus, no single dominant (i.e., methods) factor exists (Harman, 1976). Second, an examination of correlation matrices as specified by Pavlou et al (2007) was conducted. The correlations ranged from 0.01 to 0.67, and all were below the 0.9 threshold. The fact that there are several very low correlations (close to zero) among some of the constructs further indicates that there is no single dominant CMV factor.

Third, we utilized an adjusted Lindell & Whitney (2001) procedure as described in Turel & Serenko (2012). The marker variable we used was the number of boards on which the reporting director is currently serving because it is theoretically unrelated to the model’s constructs. It was not correlated with the other variables, suggesting that there was no systematic bias in the data. Fourth, a Confirmatory Factor Analysis (CFA) model which included a CMV factor that draws variance from the observed indicators was estimated. While the model fit the data well [w2(7)¼11.05 (non-significant, Po0.14), CFI¼0.99, IFI¼ 0.99, RMSEA¼0.058 with P-close¼0.36, and SRMR¼ 0.040], the CMV effects were non-significant (Po0.84). Furthermore, when this model was contrasted with a CFA model without the CMV factor, the chi-square difference test statistic (w2diff (1)¼0.01) was not significant (Po0.92). This indicated that adding the CMV factor fails to produce a significant reduction in chi-square. Thus, the more parsimonious model, without the CMV factor, is superior. Overall, these analyses imply that CMV is unlikely to have a major influence on the data.

Model estimation The research model was estimated with the structural equation modelling facilities of AMOS 19. Initially, a CFA

Board-level IT governance and organizational performance Ofir Turel and Chris Bart230

European Journal of Information Systems

model was fit to the data, and produced good fit indices (w2(8)¼11.06 (non-significant, Po0.20), CFI¼0.99, IFI¼ 0.99, RMSEA¼ 0.047 with P-close¼ 0.46, and SRMR¼ 0.040). All loadings were significant (Po0.001). Conse- quently, we proceeded to estimate the structural model. In order to separate the direct and moderation effects, the model was estimated in a hierarchical fashion.

First, a model with only direct effects (i.e., a full-media- tion model) was estimated. It included the H1, H2a, and H2b paths. Initially, the model also included sales (revenue in millions of CAD$), number of employees, and profit orientation as control variables. While the data fit the model well [w2(14)¼ 19.42 (non-signifi- cant, Po0.15), CFI¼0.99, IFI¼ 0.99, RMSEA¼0.048 with P-close¼ 0.48, and SRMR¼0.037], and all hypothesized effects were significant, number of employees and profit orientation did not significantly influence the model and were removed from further analyses. Sales significantly increased the level of ITG by the board and it was therefore retained. Subsequently, the partial-mediation model with sales effect on the level of ITG was specified and estimated. The data fit this model well [w2(11)¼12.39 (non-signifi- cant, Po0.34), CFI¼0.99, IFI¼ 0.99, RMSEA¼0.027 with P-close¼ 0.66, and SRMR¼0.044], and all hypothesized paths were significant. This model therefore provided sup- port to H1 (b¼ 0.27, Po0.001), H2a (b¼0.16, Po0.05), H2b (b¼ 0.23, Po0.01), and the role of sales in board-level ITG enactment (b¼0.24, Po0.001). It explained 17% of the variation in board-level ITG efforts, and 7% of the variation in performance.

Second, a model that also included the hypothesized moderation-effects (H3a and H3b) was estimated. To operationalize these effects, the model included interac- tion terms (Level of ITG�Need for new IT, and Level of ITG�Need for fast and reliable IT), as well as direct effects of the IT use mode variables on performance. These were included because the interaction terms should be assessed after controlling for the direct effects of the variables that comprise the interaction terms. The model fit indices were adequate [w2(19)¼48.52, CFI¼ 0.97, IFI¼0.97, RMSEA¼0.090 with P-close¼0.02, and SRMR¼ 0.095]. Sales was no longer a significant control

variable (Po0.20), and hence was removed from this analysis. The model was re-estimated, and produced adequate fit indices [w2(12)¼ 28.24, CFI¼0.98, IFI¼0.98, RMSEA¼0.088 with P-close¼0.07, and SRMR¼ 0.090]. The standardized path coefficients, their levels of sig- nificance, and the variables’ Squared Multiple Correla- tions (explained variation) are depicted in Figure 3.

Figure 3 demonstrates that the full-mediation hypoth- eses (H1, H2a, and H2b) were still supported, but the hypothesized moderation effects (H3a and H3b) were not. This implies that while board members employ ITG based on their organizations’ IT needs, a high level of ITG increases performance regardless whether it is aligned with the level prescribed by an organization’s IT mode. The stronger the board-level ITG is, the better the per- formance is, regardless of the IT use mode the organiza- tion is in. Potential reasons for this deviation are examined in the qualitative study.

Post-hoc analyses First, the research model implies that the effects of the contingency variables on performance are fully mediated through the exercised level of ITG. To rule out the possibility that the contingencies also influence perfor- mance directly, a partial-mediation model (where the contingencies influence board-level ITG and perfor- mance) was contrasted with the full-mediation model. The partial-mediation path coefficients remained the same and significant. The path coefficients from the contingen- cies to performance were not significant (Po0.35). The chi-square difference test statistic (w2diff(2)¼0.87) was not significant (Po0.85). This indicated that estimating the additional paths does not improve the model, and that the full-mediation model is superior to the partial-mediation model. This further supports the theory we put forth.

Second, the model implies that a higher need for new as well as for fast and reliable IT leads boards to engage in higher levels of ITG. It is interesting to see if this increase in IT issues the board discusses focuses on particular sets of prescribed issues as outlined in Appendix A (strategy, control, and risk), or on all ITG domains. To this end, analyses of variance models were applied to the data,

Table 2 Variable correlationsa

Construct (1) (2) (3) (4) (5) (6) (7) (8)

Model (1) Need for new IT NA

(2) Need for fast and reliable IT 0.18* NA

(3) Interaction (new IT� fast and reliable IT) 0.64** 0.67** NA (4) Level of ITG by the board 0.19* 0.25** 0.21** NA

(5) Perceived organizational performance 0.11 0.01 0.10 0.29** 0.87

(0.88)

[0.72]

Control variables (6) Profit orientation �0.09 0.01 0.00 0.01 �0.10 NA (7) Sales (million CAD$) 0.17* 0.06 0.14 0.26* 0.04 �0.11 NA (8) Number of employees 0.01 0.05 0.08 0.09 �0.02 �0.11 0.26** NA

a Cronbach’s alphas (composite reliability), and [average variance extracted] are reported on the diagonal (bolded) for multi-item constructs.

*Po0.05, **Po0.01

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 231

European Journal of Information Systems

with the counts of number of ITG questions pertaining to each set of issues (strategy, control, and risk) as depen- dent variables, and the contingency factors as indepen- dent variables. The results indicate that when the need for new IT was high, boards raised significantly more strategy (Po0.02) and risk (Po0.03), but not control (Po0.67) questions. When the need for fast and reliable IT was high, boards raised significantly more strategy (Po0.02), risk (Po0.004), and control (Po0.008) ques- tions. Thus, for the most part (except for one case), increases in the level of ITG in response to identified IT needs are done across ITG knowledge domains, and not in particular areas.

In order to supplement this analysis, we also ran a chi- square test for each one of the 27 questions, by using contingency tables with the counts of the number of boards that raised each question in each quadrant. The results of these analyses suggest that there were statisti- cally significant (at least at Po0.05) quadrant-based differences in 25 out of the 27 questions. For the most part, boards of companies in the strategic and turnaround modes raised more IT issues than others did. The same pattern was observed regarding questions #7 and #11 (Appendix A), but the differences in the case of these two questions were not statistically significant. Overall, it appears that the IT issues boards discuss differ across the quadrants of the IT strategic grid.

Qualitative analyses In order to understand, corroborate, and enrich the quantitative findings, three qualitative analyses were conducted.

Applicability checks Structured email-based interviews were employed for applicability checks (Rosemann & Vessey, 2008). A summary of the study’s findings was communicated to five senior directors (mostly presidents or chairmen of the board) who were known to one of the researchers. They were asked to comment on the research findings and to indicate their firm’s position on the IT strategic grid. Four out of five directors responded (see Table 3).

These comments lend support to the proposed rele- vance of ITG to organizational performance and the increasing need for board-level ITG research. They imply that, in retrospect, the findings can make sense. As these responses suggest, even companies in low-IT-need modes can benefit from higher levels of ITG by the board, because such efforts would be future-looking and enable organizations to explore likely future needs, which other firms in their sector ignore.

Can board-level ITG be easily replicated? The quantita- tive findings suggest that higher levels of ITG by the board may lead to improved performance. To enrich these findings, we sought to examine whether the obtained advantage can be sustainable, or board-level ITG can be easily replicated by competitors. To this end, we conducted a structured email-based interview with stakeholders who were known to one of the researchers. Two directors and a CEO were asked whether ITG practices can be easily mimicked. Their responses are provided in Table 4. The two directors believed and justified that ITG cannot be easily mimicked because ‘good governance is more about people than process’ (Respondent #1). The CEO was less supportive of the idea of low mobility of board-level ITG, but still implied that it may be challenging to mimic such practices. Overall, it

Table 3 Interview responses of directors for applicability checks

Low need for new IT (defensive use) High need for new IT (offensive use)

High need for

speed and

reliability

It is interesting to think that a firm with low IT

needs can still perform better with a high level

of IT governance. I would think that there would be

diminishing returns for firms in low-tech industries (y) vs, for example, Banks or Software Developers. On the other

hand, it may turn out that all firms will be high-tech in the

future.

The fact that boards seem to employ a contingency

approach with respect to ITG is not unexpected, and it is

often on an ad hoc basis. However, the conclusion that

broad, high-level ITG results in strategic and financial

benefits even for those companies with limited IT needs is

somewhat surprising. If one thinks about it though, IT is

pervasive and will only become more so. Therefore, it

behoves boards to develop sound ITG.

Low need for

speed and

reliability

It emphasizes the need to keep your head up,

and look at the horizon about what could benefit

your organization. There may be beneficial IT

options available that you are not aware of.

Given my experience, the findings made intuitive sense for

me and I think they ARE interesting and worthwhile.

Need for New IT (Low = Defensive, High = Offensive)

Need for Fast & Reliable IT (Low Need, High Need)

Level of ITG by the Board

Perceived Organizational Performance

0.30**

SMC=17%

0.15*

-0.06 NS

0. 20

** *

-0.04 N S

SMC=8%

Figure 3 Structural model.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart232

European Journal of Information Systems

may be challenging and require practice to effectively replicate this spanning IT resource.

Ways to improve board-level ITG In order to enrich the implications for corporate governance practice, content analysis was applied to director suggestions for improving ITG practices in their boards. These data were collected as

part of the survey. One hundred and seventy-nine usable textual responses were obtained, and subjected to con- tent analysis following the guidelines by Krippendorff (1980). First, a codebook was developed and refined by one of the researchers (see Table 5). It was then used independently by two external raters to classify the responses into categories. The initial classification has yielded a raw agreement of 67.2% and a Cohen’s Kappa (agreement adjusted for agreement due to chance) of 0.61. The raters then met and discussed their differences. Agreement was achieved regarding all items, but three. The post-discussion raw agreement was 98.3% and the Cohen’s Kappa was 0.98. The frequencies in Table 5 therefore reflect a reliable categorization of director suggestions.

Table 5 shows that directors’ responses focused on three areas of improvement: (1) structural changes to facilitate ITG, (2) new ITG processes, and (3) closing the knowledge gap and learning about the strategic impact of IT and/or ITG. New ITG processes, such as asking for frequent updates from management on IT issues, and IT- related discussions in the boardroom were the most common line of suggestions (over 72%). Some suggested structural changes, such as creating an IT committee or assigning ITG responsibilities to an existing committee (over 14%), and others indicated that there is a need to improve the board’s ITG literacy by either better educat- ing directors regarding IT’s strategic role and current ITG practices, or by appointing more IT-savvy directors (over 11%). This implies that the current typical composition of the board is not optimized for dealing with IT issues. The bulk of respondents acknowledged the need to apply ITG at the board level, and only 1.7% of respondents thought that IT is not a discussion-worthy issue for their board.

Discussion Prior research suggests that managers should, and often do, employ a contingency approach for dispensing their responsibilities (Fiedler, 1964; Otley, 1980), including IT matters (Cash et al, 1988; Raghunathan & Raghunathan, 1990). Our study indicates that directors are not different, and as prescribed in previous studies (Nolan & McFarlan, 2005; Bart & Turel, 2010), they choose the level of ITG they exercise based on their organizations’ (1) need for new IT, and (2) need for fast and reliable IT. Boards of organizations with a high need for newer IT, presumably for strategically offensive manoeuvring in their competi- tive marketplace (strategic need), tend to raise more IT issues than their counterparts. Boards of companies that need fast and reliable IT to manage their operations (operational needs) also tend to have a higher level of ITG than their counterparts. These IT issues pertain, for the most part, to all ITG knowledge domains as outlined in Appendix A. Boards of companies with higher sales also exercised a higher level of ITG, at least when only full- mediation effects of the IT use mode were considered. This lends potential support to the proposition set by

Table 4 Director and CEO opinions regarding the mobility of ITG

Respondent Response

(1) Executive Vice President

(director) of a large

global construction firm

Corporations may make some of their

IT governance public by describing it

in shareholder communication or on

websites. Therefore, they could pro-

vide guidance to competitors which

can be copied (just like material we

had from (name removed for con-

fidentiality)). However, as we know

good governance is more about

people than process, so in the end

I don’t think it is easy to copy.

(2) President (director) of a

large public institution

for skill training

I think it would be (is) relatively ‘easy’

for competitors to copy general IT

governance practices and implement

some practices as required. However,

my limited experience with IT gov-

ernance suggests that each organiza-

tion/company has varied

requirements for IT governance –

that is, organizational differences

require a nuanced IT governance

approach that is not easily copied

(this is, of course, based on a very

small ‘n’). Or in other words, each

competitor will use and respond to

the 27 ITG [issues] in a unique, not

directly copied, way.

(3) CEO of an e-commerce

delivery company

In general, I don’t think Board adop-

tion of improved IT governance

would be necessarily mimicked by

industry competitors. There are a

couple of barriers to this. The first

would be the lack of awareness of the

risk of ITy. The second is the ‘sticki- ness’ of Board composition which

limits the speed in which IT skills can

be augmented. However, the factor

which might push competitive copy-

ing is the fact that much of current IT

governance is driven through the

audit committee. The oligopoly of

auditors quickly adopts best practices

and pushes them on clients (particu-

larly where it leads to increased audit

scope and fees).

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 233

European Journal of Information Systems

McFarlan et al (1983) that larger firms will need to employ better and more formal IT planning processes. It may also be due to the proposition that in smaller firms, boards can be less scrutinizing and underutilized (Zahra & Pearce, 1989). Overall, these contingency factors influenced the execution of an important oversight practice, board-level ITG, and explained 17% of the variation in it.

In line with the resource-based view regarding IT management capabilities (Mata et al, 1995; Melville et al, 2004; Wade & Hulland, 2004) and corporate governance theories on the effects of board actions on organizational performance (Zahra & Pearce, 1989; Johnson et al, 1996), the level of ITG exercised by the board was found to improve performance. This suggests that board-level ITG is a valuable capability. Combined with the plausible evidence we provided for the heterogeneity of this cap- ability (see standard deviation in Table 1), its value, and its possible low mobility (see Table 4), our findings imply that the level of ITG exercised by the board can be a means to obtain strategic advantage and superior organizational performance. The level of ITG provided by a board expla- ined 8% of the variation in performance, which is impres- sive because there are many other variables (e.g., CEO competency, market forces, etc.) that can influence it.

Implications for theory Several implications emerge from this study. First, the findings supplement and enrich the resource-based view as applied to IT resources. They show that board-level ITG

can be an important IT management capability that is often overlooked in MIS research. Many studies that focus on such capabilities (Bharadwaj, 2000; Wilkin & Chenhall, 2010) emphasize the leadership of the IT unit and the organization’s executives. A similar view is implied in studies that focus on IT planning efforts (McFarlan et al, 1983; Raghunathan & Raghunathan, 1990; Raghunathan et al, 1998).

This study shows that the scope of IT management and planning capabilities could and should be extended to include additional organizational elite, namely the board of directors. Revisiting the scope of IT resources is worth- while because, as per the resource-based view, manage- ment capabilities can help explain organizational beha- viours and phenomena (Mata et al, 1995). The board’s IT focus diffuses to the rest of the organization, including the CEO and CIO, and can determine IT-related invest- ments, management foci and processes, and ultimately the value of IT to the organization. Boards can help improve organizational performance over and above the value added by executives’ IT-related actions through three services: controlling management actions (resolving agent-theoretic issues), providing consulting and guidance services to management, and providing access to external resources – all of which can focus on IT. Future research of IT value, IT planning, and the resource-based view of IT are therefore encouraged to pay closer attention to boards of directors as another source of IT competency.

Second, the findings indicate that the contingency view regarding IT planning prescribed by the IT stra- tegic grid research (Cash et al, 1988; Raghunathan & Raghunathan, 1990; Raghunathan et al, 1998; Nolan & McFarlan, 2005) can be suboptimal, at least in the case of boards of directors. While boards essentially cast their net around obvious and immediate IT needs as per their location in the strategic grid, they sometimes fail to see the bigger picture, longer-term and strategic forest for the trees. For example, boards of firms in support mode generally discussed, as prescribed, fewer IT issues com- pared with others; yet the ones that raised more IT issues in the boardroom had better performance. This may explain the inconsistent findings in prior research regard- ing the value of adhering to the IT planning prescribed by the IT strategic grid (Tukana & Weber, 1996). It also suggests that additional factors, beyond current needs, with a stronger future-looking emphasis should be considered by prescriptive ITG guidelines.

It is interesting to consider why having boards go beyond the prescribed level of ITG is valuable and drives performance. Several studies suggest that even firms that would normally be classified as utilizing IT in support or factory mode (e.g., retail or casino chains) can benefit from shifting to a more offensive mode of IT utilization (Hopkins & Brynjolfsson, 2010). By so doing, they increase their ‘information metabolism’, utilize IT more effectively than their competitors, and can strengthen or replace their existing IT utilization modes (McAfee & Brynjolfsson, 2008). Thus, it is possible that when boards of companies

Table 5 Code book and frequencies for director responsesa

Category Frequency

Structure (n¼25, 14.2%) 1.1. Setup an IT committee 10

1.2. Assign a board IT representative 13

1.3. Assign IT responsibilities to existing committees 2

Process (n¼127, 72.2%) 2.1. Reports/presentations/briefings on IT status delivered

to the board

23

2.2. Consider, develop, review, and monitor IT issues and

plans

76

2.3. Appraise IT risks 27

2.4. Survey IT users for needs and satisfaction 1

Close knowledge gap (n¼21, 11.9%) 3.1. Increase board expertise through training or

appointment

21

Other (n¼3, 1.7%) 4.1. IT is not sufficiently important/should not be

considered by the board

3

Total 176

a Includes only items for which agreement was obtained.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart234

European Journal of Information Systems

that are traditionally defensive users of IT adjust their level of ITG to that typically found in a more offensive use mode, they help their organizations gain strategic advan- tage. This view is supported by comments from board members (see Table 3).

Lastly, the findings imply that board-level ITG can be associated with organizational performance. Consequen- tly, the focus on IT in the boardroom plausibly matters. Thus, corporate governance theories can be informed by including ITG by the board and its associated IT con- tingencies. This study focused on a limited set of contin- gencies. Hence, future research may expand this set, and include also other IT-relevant factors, such as the reporting relationship of the CIO (Banker et al, 2011), qualities of the IT function, etc. While it is acknowledged that technical expertise is a potentially important board characteristic (Vance, 1968), the ability of boards to engage in ITG has not received enough attention in the corporate govern- ance literature (Bart & Turel, 2010). Our findings suggest that this may be an additional board attribute to consider that, together with other board actions, can present a more complete picture of the influence of the board on firm performance (Zahra & Pearce, 1989).

Overall, IT management and planning capabilities were often too narrowly conceptualized in past MIS research as were board roles in corporate governance research. Given the increasing involvement of boards of directors in IT oversight (Nolan & McFarlan, 2005; Bart & Turel, 2010), MIS researchers should broaden and expand the hierarchy of the sources of IT competencies to include the board and its ITG practices. Corporate governance researchers should broaden the scope of board roles to include ITG. Consequently, many new questions regard- ing the antecedents, measurement, and outcomes of board-level ITG – and not just executive management – can and should be explored. This study serves as a plat- form for future research in this domain.

Practical implications This study extends the conceptual views taken in previous studies (e.g., Appleby, 2008) and suggests that board-level ITG can influence organizational perfor- mance. Hence, the first implication is that boards should not shy away from governing their organizations’ IT strategies and operations, a perspective that some boards take (Huff et al, 2004). In fact, the findings imply that boards of directors should attempt to cover the broad range of IT issues suggested by the CICA, or other ITG frameworks, regardless of the current and obvious IT needs. This would potentially allow their organizations to use IT more strategically, identify overlooked oppor- tunities, and ultimately achieve superior performance. This can be done through board training in ITG, through reviewing ITG frameworks and the IT issues they recom- mend to discuss, or by seeking help from consultants and IT experts who are familiar with ITG. As the con- tent analysis (Table 5) indicates, the training compo- nent (closing the knowledge gap) can be supplemented

with creating proper structures and processes for board-level ITG. Assigning ITG responsibilities to board members, whether in an existing committee or as a separate committee, may force them to explore and better understand IT issues. Receiving more frequent debriefs from management regarding IT matters can help board members better understand the IT situation, foresee future IT needs, and integrate IT with the strategic directions they chart.

A second implication is that given the potential impor- tance of board-level ITG and the growing prevalence of the practice, the MIS and corporate governance educa- tion communities should consider ways in which board members and business students can be better informed regarding the ITG responsibilities of the board and their impacts. Boards need domain knowledge and experience, beyond mere vigilance, to be effective (Kroll et al, 2008). However, they often lack the skills to provide IT oversight (Huff et al, 2005; Bart & Turel, 2010). The current IS curriculum guidelines for undergraduate students suggest a core course in ‘IS Strategy, Management & Acquisition’, which covers management and CIO IT-related responsi- bilities, but does not currently include references to the board (Topi et al, 2010). Board-level ITG should be incor- porated into IS strategy courses at both the under- graduate and graduate levels, and also covered in both corporate governance courses and director training pro- grammes.

Limitations and suggestions for future research Several limitations should be acknowledged. First, lim- ited-in-scope conceptualization and operationalization of contingency factors, board-level ITG, and performance were used in this study. There can be many other contingency factors that can affect board-level ITG (Zahra & Pearce, 1989). Accepting the two contingency factors implied by the IT strategic grid was a convenient choice because it has been heavily used in IS research (Raghunathan & Raghunathan, 1990; Raghunathan et al, 1999), but additional contingency factors should be explored in future research. Similarly, the level of ITG by the board was operationalized in this study as the range of IT-related issues that the board has discussed; and it relied on a single board-level ITG framework. While this may be a good starting point, future research may add more dimensions and depth to it. Moreover, our performance measure relied on financial-focused self- reported perceptions. It can therefore be extended by measuring other subjective and objective facets of performance. The study can also benefit from surveying all board members in each organization in order to increase the reliability of the self-reported board beha- viours and attitudes.

Second, the proposed model is a simplistic representa- tion of organizational reality. While we controlled for several factors such as sales and profit orientation, there may be many other factors that influence ITG practices and organizational performance (e.g., industry dynamics).

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 235

European Journal of Information Systems

For parsimony reasons, such factors were not consid- ered in the current study, but may be the focus of future research. Moreover, caution should be exercised when interpreting the qualitative responses, because they can be susceptible to social desirability biases.

Third, the model assumed a direct effect of the level of ITG by the board on performance. However, there can be many factors that mediate this effect (Dehning & Richardson, 2002; Kohli & Grover, 2008) or moderate it. Mediators can include intermediate IT-driven value factors, such as process improvements, service quality enhancements, and increases in customer satisfaction. Moderators may include the structure and quality interac- tions among the board, top executives, and the IT function (Kohli & Grover, 2008; Banker et al, 2011). The current model can benefit from adding such variables in future research. Moreover, it is possible that the current effects are spurious. Both board-level ITG and organizational perfor- mance may be influenced by unmeasured factors, such as the board’s composition or competency. Future research should better explore this possibility.

Finally, this study was conducted in a specific context. For increasing the findings’ generalizability, the study should be replicated in multiple countries, using different types of organizations, and utilizing various board-level ITG frameworks.

Conclusion Board-level ITG is an important IT management cap- ability that can lead to superior organizational perfor- mance. Boards consider at least two contingency factors for determining their level of ITG: their organizations’ need for new IT and the need for fast and reliable IT. In contrast to the widely held belief that this practice is healthy, we show that a higher level of ITG by the board, regardless of these internal contingencies, may help organizations generate greater gains with IT. Ultimately, this study adds to the bodies of knowledge regarding IT value, IT resources, and corporate governance by focusing on a relatively new IT management capability, board- level ITG, and by extending the scope of IT leadership to include the board of directors.

About the authors

Dr. Ofir Turel is a professor of information systems and decision sciences at the College of Business and Economics, California State University, Fullerton. Before joining the academia, he held senior positions in the information technology and telecommunications indus- tries. His research interests include a broad range of behavioural and managerial issues in various information systems contexts. His work received several national and international awards, and was presented in many con- ferences. He published over 40 articles in journals such as MIS Quarterly, Journal of MIS, European Journal of Information Systems, Communications of the ACM, Infor- mation & Management, Journal of Information Systems, Behavior & Information Technology, Telecommunications

Policy, Group Decision and Negotiation, and Communications in Statistics.

Dr. Chris Bart is a professor of Strategic Market Leadership (Strategy and Governance) at the DeGroote School of Business, McMaster University, Hamilton, Ontario and the Principal with Corporate Missions Inc. (http://www.corpor- atemissionsinc.com). In 2003, he helped found The Direc- tors College, Canada’s first university accredited director education programme. He is the author of the Canadian Business #1 best seller, A Tale of Two Employees and the Person Who Wanted to Lead Them as well as the CICA Publication, 20 Questions for Directors About Strategy. He has also published over 100 other articles, cases and reviews.

References APPLEBY C (2008) IT & the board: taking responsibility. Trustee 61(2),

14–17, 1. ARMSTRONG CP and SAMBAMURTHY V (1999) Information technology

assimilation in firms: the influence of senior leadership and it infrastructures. Information Systems Research 10(4), 304–327.

BANKER RD, HU N, PAVLOU PA and LUFTMAN J (2011) Cio reporting structure, strategic positioning, and firm performance. MIS Quarterly 35(2), 487–504.

BART CK (1993) General managers control new and existing products differently. Journal of Business Venturing 8(4), 341–361.

BART CK and TUREL O (2010) IT and the board of directors: an empirical investigation into the ‘GOVERNANCE QUESTIONS’ canadian directors ask about it. Journal of Information Systems 24(2), 147–172.

BHARADWAJ AS (2000) A resource-based perspective on information technology capability and firm performance: an empirical investiga- tion. MIS Quarterly 24(1), 169–196.

BRYNJOLFSSON E (1993) The productivity paradox of information technology. Communications of the ACM 36(12), 67–77.

BYRD TA, LEWIS BR and BRADLEY RV (2006) Is infrastructure: the influence of senior it leadership and strategic information systems planning. Journal of computer information systems 47(1), 101–113.

CANNELLA AA and HAMBRICK D (2001) Upper echelons: Donald Hambrick on executives and strategy. Academy of Management Executive 15(3), 36–44.

CASH JI, MCFARLAN FW, MCKENNEY JL and VITALE MR (1988) Corporate Information Systems Management: Text and Cases. Irwin, Homewood, IL.

CHATTERJEE D, RICHARDSON VJ and ZMUD RW (2001) Examining the shareholder wealth effects of announcements of newly created cio positions. MIS Quarterly 25(1), 43–70.

CHEN DQ, PRESTON DS and XIA WD (2010) Antecedents and effects of cio supply-side and demand-side leadership: a staged maturity model. Journal of Management Information Systems 27(1), 231–272.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart236

European Journal of Information Systems

CICA (2004) 20 Questions Directors Should Ask About It. Canadian Institute of Chartered accountants (CICA), Toronto, ON, pp 1–16.

DAILY CM, DALTON DR and CANNELLA AA (2003a) Introduction to special topic forum corporate governance: decades of dialogue and data. Academy of Management Review 28(3), 371–382.

DAILY CM, DALTON DR and RAJAGOPALAN N (2003b) Governance through ownership: centuries of practice, decades of research. Academy of Management Journal 46(2), 151–158.

DEHNING B and RICHARDSON VJ (2002) Returns on investments in information technology: a research synthesis. Journal of Information Systems 16(1), 7–30.

DEVARAJ S and KOHLI R (2000) Information technology payoff in the health-care industry: a longitudinal study. Journal of Management Information Systems 16(4), 41–67.

DEVARAJ S and KOHLI R (2003) Performance impacts of information technology: is actual usage the missing link? Management Science 49(3), 273–289.

DONALDSON L (1990) The ethereal hand: organizational economics and management theory. Academy of Management Review 15(3), 369–381.

EISENHARDT KM (1989) Agency theory: an assessment and review. Academy of Management Review 14(1), 57–74.

FAMA EF and JENSEN MC (1983) Separation of ownership and control. Journal of Law and Economics 26(2), 301–325.

FIEDLER FE (1964) A contingency model of leadership effectiveness. In Advances in Experimental Social Psychology. (BERKOWITZ L, Ed.), Academic Press, New York pp 149–190.

GAA JC (2009) Corporate governance and the responsibility of the board of directors for strategic financial reporting. Journal of Business Ethics 90(2), 179–197.

HABBERSHON TG, WILLIAMS M and MACMILLAN IC (2003) A unified systems perspective of family firm performance. Journal of Business Venturing 18(4), 451–465.

HARMAN HH (1976) Modern Factor Analysis. The University of Chicago Press, Chicago, IL.

HART SL (1995) A natural resource-based view of the firm. Academy of Management Review 20(4), 986–1014.

HITT LM and BRYNJOLFSSON E (1996) Productivity, business profitability, and consumer surplus: three different measures of information technology value. MIS Quarterly 20(2), 121–142.

HOPKINS MS and BRYNJOLFSSON E (2010) The four ways it is revolutionizing innovation. MIT Sloan Management Review 51(3), 51–56.

HUFF SL, MAHER M and MUNRO MC (2004) What boards don’t know – but must do – about information technology. Ivey Business Journal (September/October), 1–4.

HUFF SL, MAHER M and MUNRO MC (2005) Adding value: the case for adding it-savvy directors to the board. Ivey Business Journal (November/ December), 1–5.

ISO (2008) ISO/IEC Standard 38500: Corporate Governance of Information Technology. International Organization for Standardization (ISO), Geneva, Switzerland.

IT GOVERNANCE INSTITUTE (2003) Board Briefing on it Governance. IT Governance Institute, Rolling Meadows, IL.

JOHNSON AM and LEDERER AL (2010) Ceo/cio mutual understanding, strategic alignment, and the contribution of is to the organization. Information & Management 47(3), 138–149.

JOHNSON JL, DAILY CM and ELLSTRAND AE (1996) Boards of directors: a review and research agenda. Journal of Management 22(3), 409–438.

KOHLI R and DEVARAJ S (2003) Measuring information technology payoff: a meta-analysis of structural variables in firm-level empirical research. Information Systems Research 14(2), 127–145.

KOHLI R and GROVER V (2008) Business value of it: an essay on expanding research directions to keep up with the times. Journal of the Association for Information Systems 9(1), 23–39.

KRIPPENDORFF K (1980) Content Analysis: An Introduction to its Methodol- ogy. Sage Publications, Beverly Hills, CA.

KROLL M, WALTERS BA and WRIGHT P (2008) Board vigilance, director experience, and corporate outcomes. Strategic Management Journal 29(4), 363–382.

LAUX V (2010) Effects of litigation risk on board oversight and ceo incentive pay. Management Science 56(6), 938–948.

LEWIS BR and BYRD TA (2003) Development of a measure for the information technology infrastructure construct. European Journal of Information Systems 12(2), 93–109.

LINDELL MK and WHITNEY DJ (2001) Accounting for common method variance in cross-sectional research designs. Journal of Applied Psychology 86(1), 114–121.

MATA FJ, FUERST WL and BARNEY JB (1995) Information technology and sustained competitive advantage: a resource-based analysis. MIS Quarterly 19(4), 487–505.

MCAFEE A and BRYNJOLFSSON E (2008) Investing in the it that makes a competitive difference. Harvard Business Review 86(7–8), 98–107.

MCFARLAN FW, MCKENNEY JL and PYBURN P (1983) Information archipe- lago: plotting a course. Harvard Business Review 61(1), 145–161.

MCGUIRE JB, SUNDGREN A and SCHNEEWEIS T (1988) Corporate social responsibility and firm financial performance. Academy of Management Journal 31(4), 854–872.

MELVILLE N, KRAEMER K and GURBAXANI V (2004) Review: information technology and organizational performance: an integrative model of it business value. MIS Quarterly 28(2), 283–322.

MINICHILLI A, ZATTONI A and ZONA F (2009) Making boards effective: an empirical examination of board task performance. British Journal of Management 20(1), 55–74.

MUELLER GC and BARKER VL (1997) Upper echelons and board characteristics of turnaround and nonturnaround declining firms. Journal of Business Research 39(2), 119–134.

MUKHOPADHYAY T, KEKRE S and KALATHUR S (1995) Business value of information technology: a study of electronic data interchange. MIS Quarterly 19(2), 137–156.

NOLAN R and MCFARLAN FW (2005) Information technology and the board of directors. Harvard Business Review 83(10), 96–106.

O’DONNELL E (2004) Discussion of director responsibility for it govern- ance: a perspective on strategy. International Journal of Accounting Information Systems 5(2), 101–104.

O’SHANNASSY T (2010) Board and ceo practice in modern stra- tegy-making: how is strategy developed, who is the boss and in what circumstances? Journal of Management & Organization 16(2), 280–298.

OTLEY DT (1980) The contingency theory of management accounting: achievement and prognosis. Accounting, Organizations and Society 5(4), 413–428.

PAVLOU PA, LIANG HG and XUE YJ (2007) Understanding and mitigating uncertainty in online exchange relationships: a principal-agent perspective. MIS Quarterly 31(1), 105–136.

PETERAF MA (1993) The cornerstone of competitive advantage: a resource-based view. Strategic Management Journal 14(3), 179–191.

PRESTON DS, LEIDNER DE and CHEN D (2008) Cio leadership profiles: implications of matching cio authority and leadership on it impact. MIS Quarterly Executive 7(2), 57–69.

RAGHUNATHAN B and RAGHUNATHAN TS (1990) Planning implications of the information-systems strategic grid: an empirical investigation. Decision Sciences 21(2), 287–300.

RAGHUNATHAN B, RAGHUNATHAN TS and TU Q (1998) An empirical analysis of the organizational commitment of information systems executives. Omega - International Journal of Management Science 26(5), 569–580.

RAGHUNATHAN B, RAGHUNATHAN TS and TU Q (1999) Dimensionality of the strategic grid framework: the construct and its measurement. Information Systems Research 10(4), 343–355.

RAGHUPATHI W (2007) Corporate governance of it: a framework for development. Communications of the ACM 50(8), 94–99.

RAVICHANDRAN T and LERTWONGSATIEN C (2005) Effect of information systems resources and capabilities on firm performance: a resource- based perspective. Journal of Management Information Systems 21(4), 237–276.

RAY G, BARNEY JB and MUHANNA WA (2004) Capabilities, business processes, and competitive advantage: choosing the dependent variable in empirical tests of the resource-based view. Strategic Management Journal 25(1), 23–37.

READ TJ (2004) Discussion of director responsibility for it governance. International Journal of Accounting Information Systems 5(2), 105–107.

ROSEMANN M and VESSEY I (2008) Toward improving the relevance of information systems research to practice: the role of applicability checks. MIS Quarterly 32(1), 1–22.

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 237

European Journal of Information Systems

SANTHANAM R and HARTONO E (2003) Issues in linking information technology capability to firm performance. MIS Quarterly 27(1), 125–153.

STREBEL P (2004) The case for contingent governance. MIT Sloan Management Review 45(2), 59–66.

TALLON PP (2010) A service science perspective on strategic choice, it, and performance in us banking. Journal of Management Information Systems 26(4), 219–252.

TALLON PP and KRAEMER KL (2007) Fact or fiction? A sensemaking perspective on the reality behind executives’ perceptions of it business value. Journal of Management Information Systems 24(1), 13–54.

TALLON PP, KRAEMER KL and GURBAXANI V (2000) Executives’ perceptions of the business value of information technology: a process-oriented approach. Journal of Management Information Systems 16(4), 145–173.

TOPI H, VALACICH JS, WRIGHT RT, KAISER K, NUNAMAKER Jr. JF, SIPIOR JC and DE VREEDE GJ (2010) Is 2010: curriculum guidelines for undergraduate degree programs in information systems. Communications of the Association for Information Systems 26(Article 18), 359–428.

TRITES G (2004) Director responsibility for it governance. International Journal of Accounting Information Systems 5(2), 89–99.

TUKANA S and WEBER R (1996) An empirical test of the strategic-grid model of information systems planning. Decision Sciences 27(4), 735–765.

TUREL O, SERENKO A and GILES P (2011) Integrating technology addiction and use: an empirical investigation of online auction users. MIS Quarterly 35(4), 1043–1061.

TUREL O and SERENKO A (2012) The benefits and dangers of enjoyment with social networking websites. European Journal of Information Systems 21(5), 512–528.

VANCE SC (1968) The Corporate Director: A Critical Evaluation. Dow Jones- Irwin, Homewood, IL.

WADE M and HULLAND J (2004) Review: the resource-based view and information systems research: review, extension, and suggestions for future research. MIS Quarterly 28(1), 107–142.

WEILL P (2004) Don’t just lead, govern: how top-performing firms govern it. CISR WP No. 341, Center for Information Systems Research, Massachusetts Institute of Technology, Sloan School of Management, Cambridge, MA, pp 1–21.

WEILL P and OLSON MH (1989) An assessment of the contingency theory of management information systems. Journal of Management Informa- tion Systems 6(1), 59–85.

WEILL P and ROSS JW (2004) It Governance: How Top Performers Manage it Decision Rights for Superior Results. Harvard Business School Press, Boston, MA.

WIGGINS RR and RUEFLI TW (2002) Sustained competitive advantage: temporal dynamics and the incidence and persistence of superior economic performance. Organization Science 13(1), 82–105.

WILKIN CL and CHENHALL RH (2010) A review of it governance: a taxonomy to inform accounting information systems. Journal of Information Systems 24(2), 107–146.

WILKINSON D (2004) The cica’s it competency model. International Journal of Accounting Information Systems 5(2), 245–250.

ZAHRA SA and PEARCE JA (1989) Boards of directors and corporate financial performance: a review and integrative model. Journal of Management 15(2), 291–334.

Appendix A

Recommended IT issues to be discussed by the board (CICA, 2004) For each question/issue please state whether the board of directors of the organization you selected raised or considered this question/issue (or a similar one) (Yes/No)

IT STRATEGIC ISSUES

1. Does management have a strategic information systems plan in place that is monitored and updated as required?

2. Does this strategic information systems plan form the basis for the annual plans, annual and long-term budgets and the prioritization of

information technology projects?

3. Have appropriate procedures been established to ensure that the organization is aware of technology trends, periodically assessing them

and taking them into consideration when determining how it can better position itself?

4. Have key performance indicators and drivers of the IT department been determined?

5. Are they monitored from time to time and are they benchmarked against industry standards?

6. Have relevant indicators been defined and monitored to manage the performance of the organization’s third-party information technology

service providers?

7. How has management identified the required information technology expertise?

8. How is top information technology talent attracted?

9. Does management have appropriate procedures to address information technology employee turnover, training and project assignment?

IT INTERNAL CONTROL ISSUES

10. Has the board considered the creation of an IT subcommittee or assigned a board member specific responsibility for the organization’s

investment in, and use of, information technology?

11. Has the responsibility for IT corporate governance been assigned to a person in a sufficiently senior management position?

12. How does management communicate their IT policies to personnel?

13. What procedures are in place to ensure that the company’s information systems and management are in compliance with Sarbanes-Oxley

and/or CSA Investor Confidence rules, as appropriate?

IT RISK ISSUES

14. Does management have a plan to periodically conduct risk assessments covering the organization’s use of information technology,

including internal systems and processes, outsourced services and the use of third-party communications and other services?

15. If management does have a risk assessment plan, are the results of the assessments acted on where appropriate or required?

Board-level IT governance and organizational performance Ofir Turel and Chris Bart238

European Journal of Information Systems

16. How does management ensure data integrity, including relevance, completeness, accuracy and timeliness, and its appropriate use within

the organization?

17. What arrangements does the organization have for the regular review and audit of its systems to ensure risks are sufficiently mitigated and

controls are in place to support the major processes of the business?

18. Has the organization assigned someone the responsibility for privacy policy, privacy legislation and compliance therewith?

19. Has the organization identified the set of legislative and regulatory requirements for protecting personal information and developed a

policy and procedures for monitoring compliance with them?

20. If the organization uses e-business to buy or sell products or services, has there been a specific review of the risks and controls over the

e-business activities?

21. Are the organization’s e-business activities appropriately protected from external and internal attack by unauthorized persons or others

that, if successful, would result in loss of customer satisfaction or public embarrassment?

22. Has the organization adopted formal availability policies?

23. Has the organization implemented effective controls to provide reasonable assurance that systems and data are available in conformity with

availability policies?

24. Does the organization understand the impact of an interruption in service and are there plans in place to deal with potential interruptions?

25. Has a business continuity plan been adopted? And if so, is it tested regularly and are the results used to improve the plan?

26. Has management considered and addressed legal implications that pertain to the use of software, hardware, service agreements, and

copyright laws?

27. Have policies covering licenses, agreements, copyright, and acceptable use been formulated and disseminated to all personnel?

Board-level IT governance and organizational performance Ofir Turel and Chris Bart 239

European Journal of Information Systems

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Attachment 2

JISTEM - Journal of Information Systems and Technology Management

Revista de Gestão da Tecnologia e Sistemas de Informação

Vol. 10, No. 3, Sept/Dec., 2013 pp.521-540

ISSN online: 1807-1775

DOI: 10.4301/S1807-17752013000300004

_____________________________________________________________________________________

Manuscript first received/Recebido em 23/01/2012 Manuscript accepted/Aprovado em: 01/07/2013

Address for correspondence / Endereço para correspondência

João Souza Neto, Doctor of Science in Electrical Engineering, University of Brasilia – UNB, Professor at Catholic

University of Brasilia, on the Master’s degree Program in Information Technology and Knowledge Management,

Campus Avançado, SGAN 916 Asa Norte - Modulo B - Sala A121 - CEP:70.790-160 Brasília – DF, Brasil -

Telefone: (61) 3448-6534 - E-mail: [email protected]

Arthur Nunes Ferreira Neto, Master in Information Technology and Knowledge Management – MGCGI/UCB,

Catholic University of Brasilia, Researcher at Catholic University of Brasilia in Metamodels of IT frameworks,

Campus Avançado, SGAN 916 Asa Norte - Modulo B - Sala A111 - CEP: 70.790-160 Brasília – DF, Brasil -

Telefone: (61) 3338-6534 - E-mail:[email protected]

Published by/ Publicado por: TECSI FEA USP – 2013 All rights reserved.

METAMODEL OF THE IT GOVERNANCE FRAMEWORK COBIT

João Souza Neto

Arthur Nunes Ferreira Neto

Catholic University of Brasilia, Brasília/DF, Brazil __________________________________________________________________________

ABSTRACT

This paper addresses the generation and analysis of the COBIT 4.1 ontological

metamodel of IT Governance framework. The ontological metamodels represent the

logical structures and fundamental semantics of framework models and constitute

adequate tools for the analysis, adaptation, comparison and integration of IT best

practice frameworks. The MetaFrame methodology used for the construction of the

COBIT metamodel is based on the discipline of conceptual metamodeling and on the

extended Entity/Relationship methodology. It has an iterative process of construction of

the metamodel’s components, using techniques of modeling and documentation of

information systems. In the COBIT 4.1metamodel, the central entity type is the IT

Process. The entity type of IT Domain represents the four domains that group one or

more IT processes of the COBIT 4.1. In turn, these domains are divided into one or

more Activities that are carried through by one or more Roles which are consulted,

informed, accounted for or liable for each Activity. The COBIT 4.1 metamodel may

suggest adaptation or implementation of a new process within the framework or even

contribute to the integration of frameworks, when, after the processes of analysis and

comparison, there are connection points between the components and the logical

structures of its relationships.

Keywords: COBIT, Metamodels, Entity/Relationship, IT Governance, IT framework.

522 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

1. INTRODUCTION

According to the IT Governance Institute (2005), "the survival and success of an

organization on the new global market, where time and distances were suppressed, depend on

the effective management of information and related technologies." In this context, where IT

(Information Technology) plays a decisive and strategic role within the organizations, models of

IT best practices frameworks have emerged in the last two decades. These frameworks are a

response of business owners to the challenges posed by IT governance and management,

working as tools for the promotion of the alignment between the IT processes and the strategic

objectives of the organization.

According to Johannsen and Goeken (2007), the IT best practices frameworks "describe

organizational objectives, processes and aspects of the IT management and control of IT".

The effective implementation of an IT best practice framework is a complex activity that

demands planning and managing and it usually induces significant changes in the organization

and in its processes. Thence, the challenge arises to deeply understand the structure of the

framework so that a preliminary study of its suitability to the organization's processes can be

made.

Furthermore, it has been observed that the adoption of only one of these IT best practice

frameworks may not be sufficient for a particular organization. Despite the different foci and the

conceptual and structural differences, IT best practice frameworks, in principle, are not

incompatible, and they can be used concomitantly to promote an improvement in the

organization’s IT management. Therefore, one of the challenges currently faced in IT

management is how to analyze, adapt, compare, and integrate different IT best practice

frameworks.

Consequently, it is understood that the first step towards solving these problems is

understanding the logical structures and the generating semantics of the IT best practice

frameworks. This can be achieved through the methodical generation of ontological metamodels

(models of models) of these frameworks.

The basis for this proposition is that the ontological metamodels represent, from a higher

level of abstraction, the conceptual components and the rich logical structure and semantics of

the relationships of the IT best practices frameworks and, at the same time, they enable the

adaptation, comparison and integration among different IT frameworks.

Among the main approaches used, up to now, in order to carry out the analysis and

comparison of IT best practice frameworks, there are the high-level classifications based on

diverse criteria of comparison and the high-level detailed mapping of the functions and

processes among the frameworks (ITGI, 2006, 2008).

However, only the application of these two approaches does not significantly contribute

to the solution of comparing the IT best practice frameworks problem. The high-level

classifications based on comparison criteria are not detailed enough to detect correspondences

or incoherencies among different areas of the IT frameworks. On the other hand, the detailed

mapping of the functions and processes of the IT best practice frameworks shows a high level of

detail, but it presents little available information for understanding the conceptual and logical

structures which are important for the planning and the effectiveness of the integration.

This paper, in an effort to fill this gap, used the MetaFrame methodology, which

comprises procedures, strategies and instructions for creating ontological-type metamodels for

these IT best practice frameworks. (Ferreira Neto, 2010). This methodology is then applied for

the generation of the COBIT 4.1 framework.

Metamodel of the IT Governance Framework Cobit 523

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

2. THEORETICAL REFERENCE

2.1 Metamodels Definitions

The managing of elements in an organization increasingly uses more and more

complex models, tools, and environments of modeling. For Karagiannis (2002), the

state of the art in the area of organizational modeling is based on metamodels.

A literal analysis about the meaning of a metamodel may start with the prefix

“meta”. In Greek, “meta” means “that which is beyond”, “that which encompasses”,

“that which supersedes”, “that which transcends”, etc.

According to the open consortium of the OMG (Object Management Group),

responsible for the MDA (OMG, 2003) and UML (OMG, 2004) specifications, a model

is an instance of a metamodel, which implies that a metamodel is a model of another

model.

An important contribution to the studies which were developed concerning the

subject of this paper was provided by Atkinson and Kühne (2003a and 2003b), who

identified two dimensions of metamodeling that generated two distinct forms of

instancing of the metamodel objects (linguistic and ontological). One dimension is

related to the definition of the language and it uses the linguistic instantiation,

employed, for example, in MDA architecture, the basis of UML language. Another

dimension concerns the definition of the domain or type of object and uses the

ontological instancing employed in the creation of the metamodel of the COBIT

framework in this study. Both forms occur simultaneously and serve to precisely locate

an element of the model in the linguistic-ontological space.

Figure 1 uses the OMG-MDA architecture with four layers of abstraction (M0 to

M3), also followed by UML2.0 and MOF 2.0 linguistic modeling standards. There is the

visualization of a linguistic metamodel with four horizontal layers that starts with M0,

denoting the lowest level, and M3, the highest level of abstraction. At the same time,

there is the visualization of the ontological metamodel, represented by different areas

separated by a dashed line in the vertical division at the M1 level. By expliciting the two

metadimensions, Figure 1 also illustrates the relationship between the elements of the

model and the real world. The dog and the lamp (mental concept) of the M0 level are the

elements of the real world to be modeled. The real Lassie is “represented” by the object

Lassie and not by an ‘instance of’ Collie. The abstraction level M1 contains the first

level of abstraction of an object in the real world, together with the type of which the

object is an ontological instantiation. The Lassie object (O0) is an ontological

instantiation of the type Collie (O1). From M1 each level is a model expressed in the

language defined at the higher level. In M2, the Lassie object is a linguistic instantiation

of the Object type, which, in M3, is a linguistic instance of the Class type.

524 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Figure 1: The Linguistic Metamodel (Adapted from Atkinson and Kühne, 2003b)

The ontological metamodels employ the ‘instance of’ relationship to relate the

concepts to their types or metatypes. In Figure 2, the ontological levels were extended

by rotating Figure 1 to the right, and adding level O2.Therefore, the ontological

metalevels are arranged horizontally. For Atkinson and Kühne (2003b), the two points

of view are equally valid and useful.

Figure 2: The Ontological Metamodel (Adapted from Atkinson and 2003b).

According to Atkinson and Kuhne (2003b), despite the validity and utility of the

ontological metamodels of types, the tool builders and members of the standardizing

consortia, such as the OMG, the metamodel term refers typically only to the metamodel

of the linguistic type. Meanwhile, from the perspective of the user of the language, the

hierarchy of types formed by ontological levels is much more relevant. In other words,

the ontological metamodels are metamodels for the users focused on the content and the

linguistic metamodels are a standard of metamodels focused on forms.

Metamodel of the IT Governance Framework Cobit 525

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Researcher Strahringer (1996) studied how the level hierarchies of the models are

built and coined the term ‘metaization principle’ to designate an operation that is

repeatedly applied from a level to another, or rather, the primary mechanism of

abstraction to structure the objects in levels of hierarchy. Kühne’s analysis (2006) is

similar to Strahringer’s (1996), but it uses a different distribution of the elements for the

levels and a diverse terminology. The MetaFrame methodology (Ferreira Neto, 2010)

utilizes the metaization principle in order to verify and inform users how the metamodel

components of the COBIT framework were built.

The most used metaization principle in information systems is the linguistic

metamodeling. For instance, the syntax of the languages of modeling is at the M2 level,

such as the well-known E/R (Entity/Relationship) methodology by Chen (1976) that is

applied to represent part of the objects in the real world (M0) at the level of an E/R (M1)

model, where only the components of the language (types, entity, relationship types,

attributes etc.) can be used. Based on this principle, a M2 level structures the

representation of the objects at the M0 level in the M1 level. In the ontological

metamodeling, metatypes at the Mx level are defined and they describe the concepts that

exist at the Mx-1 level.

2.2 Metamodels Principles and Instructions

Schütte (1998) is one of the authors who contribute to this research work through

the modeling instructions contained in GoM (Guidelines of Modelling). The GoM is a

framework for the development and evaluation of conceptual models composed of six

general principals, described as follows:

1. Construction Adequacy Principle: There must exist a consensus among

specialists and users on what type of a model construction is adequate for the problem

and its proposal.

2. Language Adequacy Principle: the language used to create the

metamodel fulfills its proposal. This principle refers to the completeness and the

consistency between the model and the metamodel. This means that the model should

not possess any symbol or item that has not been specified in the metamodel.

3. Economic Efficiency Principle: this principle formulates economic

restrictions on the task of modeling. The costs of developing of a model should not

surpass the gains of its use.

4. Clarity Principle: this principle deals with the comprehensibility and

expressivity of the model. Within the objectives of clarity, there are the hierarchical

decompositions, the formatting (arrangement of the elements) of the model and the

filtering of information. Criteria and objectives of the quality of the graphic formatting

of a model were defined by Tamassia (1988).

5. Systematic Conception Principle: this principle deals with the

consistency of the construction among the models and it is also important for the

integration of the models.

6. Comparability Principle: this principle deals with the semantic

comparison between two models according to their correspondence or similarity. This is

one of the most important principles in a metamodelling environment. Metamodels are

frequently used to compare and integrate models.

526 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Goeken (2009) proposes the use of the principles defined by Schütte (1998) to

also evaluate the metamodels. The author adds three new specific instructions to

evaluate the quality of the metamodels:

Instruction 1: a metamodel reveals its metaization principle. It is important for the

metamodel user to know which rules were utilized to construct the metamodel levels.

Instruction 2: a metamodel should possess a clear mapping between the universe

of the discourse and the words and symbols that name and describe them. There should

not exist doubts among users concerning the meaning of concepts in the metamodel.

Instruction 3: a metamodel must have rich semantic connections. The

relationships among the metamodel components must be relevant and described in an

expressive way.

The metamodels created from the MetaFrame methodology should be verified

concerning the principles and instructions described.

2.3 Applications of the Metamodels

The ontological metamodels can be applied in order to complete the analysis,

adaptation, comparison and integration of the IT Governance frameworks. Once the

components of the metamodels are extracted, the frameworks can be examined and

analyzed so that the characteristics of their structure are known. This analysis

contributes to the evaluation of the framework and also in helping the implementation

and adaptation within the organization.

Other possibilities related to the application of the IT Governance frameworks

metamodels are the comparison and integration with different frameworks. Using the

same methodology for the construction or, according to Strahinger (1996), the same

metaization principle, the representation of the metamodels allows the comparison

between the frameworks at a higher or abstract level. This comparison process is an

important step towards the integration of the frameworks. The integration of the

metamodels can guide the integration of the frameworks at a lower or concrete level.

2.4 Extensive E/R Methodology

The Entity Relationship E/R methodology, proposed by Chen (1976), was

developed for the creation of conceptual and semantic models. The metamodels

constructed with the MetaFrame methodology, presented in this study, follow the

concepts and the notation of an extension of the E/R methodology, formalized by Engel

et all (1992), with the objective of improving metamodel expressiveness. Figure 4

presents the main components and their notation, according to the authors cited above.

Metamodel of the IT Governance Framework Cobit 527

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Figure 3: Components and notation of the extended E/R methodology. Adapted

from Engels et all (1992).

Depending on the quantity and complexity of the objects (entity types,

relationship types, attributes, and constructor types), the use of a modeling strategy is

important to help in the organization and development of the work of finding and

defining the metamodel components. One modeling strategy for the extended E/R

methodology is a sequence of steps that repeat themselves, producing small

transformations of the initial model in the final model. The choice of the strategy for the

construction of the model is influenced by the main source of information of the

modeling process.

The literature shows that there are four types of basic modeling strategies (Top-

Down, Bottom-Up, Inside-Out or Middle-Out and Mixed). However, there is no

consensus among the authors on which of these is the best technique. The works of

Heuser (1998) and Atzeniet (1999) are used to describe these strategies. In the Top-

Down strategy, an initial model is created in which the most abstract concepts (‘from

above’) are represented first. Afterwards, intermediary models are gradually created

through the refinement of the concepts into more specific concepts.

The Bottom-Up strategy (from below to above) is the inverse of the Top-Down

strategy (from above to below). It consists in starting with the most elementary and

detailed concepts to construct more abstract and complex concepts. The Inside-Out

strategy (from inside to out) or Middle-Out strategy (from the middle out) consists in

starting with the considered most important or central concepts (from inside), and then

528 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

gradually adding peripheral concepts related to them (to outside). The Mixed strategy is

a combination of the other strategies.

None of the modeling strategies presented above is universally accepted. The

authors recommend the use of a certain strategy or a combination of them, starting with

the specific information. Figure 5 shows some sources of information and

recommendations on strategies to be used.

Figura 4: Modeling strategies by source of information. Source: the authors.

The complexity of the model depends on the types of sources of information and

on the quantity of the entity types to be represented. Therefore, in more complex

models, with more than 20 types of entities, various strategies are usually used at the

same time. In these cases, a higher level model is divided so that each partition can be

modeled separately.

2.5 The COBIT 4.1 Framework

The COBIT 4.1 (Control Objectives for Information and related Technology) is a

guide for IT management and governance, organized to ensure that the use of IT

resources are effectively aligned with the organization’s business strategies. According

to ITGI, the COBIT's mission is "to research, develop, publish and promote a control

framework for the governance of Information Technology that is updated and

internationally accepted for adoption by organizations and is used in a day-to-day basis

by business managers, IT professionals and auditors" (ITGI, 2007). It is probably the

most widely used reference framework for IT governance (SIMONSSON e JOHNSON,

2006a), risk mitigation and value delivering through IT (RIDLEY et al, 2004;

DEBRACENY, 2006).

The conceptual model of COBIT 4.1 is represented by a cube whose faces are

interrelated, as shown in Figure 5.

Metamodel of the IT Governance Framework Cobit 529

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Figure 5 –The Cube of COBIT 4.1. Source: ITGI, 2007.

To better understand the model, the IT Process dimension is organized in a

structure with four domains, as follows: Planning and Organization – it focuses on

strategy and tactics so that IT may actually contribute to the business goals of the

organization; Acquisition and Implementation - the focus is on the implementation of

the IT strategy. In this domain the solutions are identified, developed, acquired,

implemented and integrated with business processes; Delivery and Support –focusing

on issues related to the delivery of services, including routine operations, security,

continuity and training; and finally Monitoring and Evaluation - its goal is to regularly

assess the IT processes from a quality and compliance point of view according to

control requirements.

These four domains include thirty-four processes and these processes comprise

two hundred and ten activities.

On the other side of the cube, there are Business Requirements. According to the

model proposed by COBIT 4.1, in order to satisfy business objectives, information

needs to conform to certain criteria such as effectiveness, efficiency, confidentiality,

integrity, availability, compliance, and reliability.

Finally, the third dimension links characteristics related to the IT resources, which

are: Applications, Information, Infrastructure and People, to previous dimensions. The

areas of focus for the IT governance, according to the COBIT 4.1, are presented in the

pentagon illustration shown in Figure 6 (ITGI, 2007).

Figura 6 – IT Governance Areas of Focus. Source: (ITGI, 2007)

At the Pentagon, one can identify the strategic alignment, which aims to ensure

consistency between the organization's strategic goals and the IT objectives; the value

delivery, which is linked to the delivery of products or services with appropriate quality,

time and cost that allows to achieve the objectives previously agreed upon; the risk

530 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

management, which refers to the treatment of uncertainties and to the value

preservation; the resource management, which aims to ensure the capacity to support

the activities required by the business, optimizing costs and other available resources,

and, finally, the monitoring of the performance of IT activities with the purpose of

ensuring the management of the entire environment.

To meet managerial control and measurement IT’s needs the COBIT 4.1 provides

guidelines for the thirty-four IT processes which contain assessment and measurement

tools for the IT environment of the organization including maturity model, critical

success factors, key goal indicators and key performance indicators for each process

(GREMBERGEN, 2004).

3. RESEARCH METHOD

The survey, according to Gil (2002), is a "formal and systematic development of

the scientific method. The fundamental objective of the research is to find answers to

problems by employing scientific procedures." Moresi (2004, p.30) adds that "research

is a reflective and critical procedure for seeking answers to problems not yet solved."

The research is classified according to the research methodology that will be

employed. In this work it was used used the classification of Vergara (2000), for whom

the research can be classified according to its purposes or goals and the means of

research or technical procedures.

Regarding its purposes or goals, this research is classified as a methodological and

applied research. The research methodology is the study related to the development of

instruments to capture or manipulate reality. Therefore, it is associated with paths,

shapes, manners, and procedures used to reach a determined purpose. The research is

applied to solve specific problems, more immediate or not. Therefore, it has a practical

purpose, unlike pure research that is motivated primarily by the intellectual curiosity of

the researcher and is set mainly at the speculation level.

As to the means of research or to the technical procedures, this research is

classified as bibliographical. The bibliographical research may be defined as the

development of a systematic study based on materials published in books,

articles/papers, periodicals, electronic networks or, in other words, material that is

accessible to the general public. Although it provides analytical tools for any type of

research, it can also be an end in itself. The published material may come from a

primary or secondary source. Table 1 summarizes the classification of this research.

Metamodel of the IT Governance Framework Cobit 531

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Table 1: Classification of this research according to Vergara (2000).

Categories Tipos Justificativa

Purposes or goals

Methodological

Development of a methodology for building

meta-frameworks of IT best practices

(MetaFrame).

Applied

Several practical applications of the methodology

and results of the research in organizations and

professional applications: metamodels creation,

analysis, adaptation, comparison and integration

of frameworks of IT best practices.

Means of investigation or

technical procedures Bibliographical

Search of the best methodologies, strategies and

guidelines for the creation of the methodology for

this research. Use of the frameworks official

guides for gathering and analyzing data.

4. METHODOLOGY

In order to develop the COBIT 4.1 metamodel, a collection, depuration,

organization, analysis and presentation of data was made. The ITGI’s three official

COBIT 4.1 guides were used as sources of information

(http://www.isaca.org/Knowledge-Center/COBIT). The process of data collection of

official documents is similar to the data survey technique of systems analysis for the

modeling of information systems. The Extended Entity/Relationship methodology, by

Engels et all (1992), was used, combined with the conceptual modeling strategies for

the organization and analysis and representation of the data according to the following

types: entity type, relationship type, attribute type and constructor type. The final

purpose of this data survey was to develop the conceptual metamodeling framework.

All of the procedures described above are included in the methodology named

MetaFrame, which was created by Ferreira Neto (2010), and it describes a detailed

process of creation and verification of the quality of the metamodels of IT best

practices. The objective of the MetaFrame methodology is to ensure the quality of the

metamodel and create useful products such as metamodel data dictionaries to be

used in the applications of metamodels, as, for example, in the comparison and

integration of frameworks.

4.1 The MetaFrame Methodology

The aim of this methodology is to create a metamodel framework of IT best

practices based on the collecting and analyzing of data contained in the official guides

of the IT best practices framework. The methodology comprises an iterative

construction process of the metamodel components using modeling techniques and

documentation of information systems, thus determining the verification of the results

based on quality criteria.

532 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

The metamodel documentation, generated by the MetaFrame methodology, is

important for the analysis, adaptation, comparison and integration of the IT frameworks

as it contains a data dictionary with the definitions of the components represented.

Phase 1 of the Metaframe methodology comprises the preparation of the study. In

this phase, the objectives are defined, the professionals are selected and their roles are

assigned and the training and the distribution of support materials for the participants

are performed. Phase 2 is the execution phase, where the metamodel data collection and

the iterative construction and documentation processes of the metamodel are carried out

using modeling techniques. Phase 3 verifies the quality of the metamodel according to

the principles and instructions presented in the 2.2 item as well as the correction and

updating of the documentation generated by the methodology. A summary of the

methodology is presented in Figure 7.

Figure 7: Metaframe Methodology for the creation of IT metamodel frameworks.

At the end of the verification phase of the MetaFrame methodology, the results or

products will be ready to be disclosed within the organization or published outside of it.

The metamodel and the explanatory summary should be released together so that the

users will have no questions as to the components represented. After the release of the

metamodel, the team responsible for its development may receive questions from the

users, as well as suggestions for the improvement and the implementation of the

metamodel. It is suggested that the members of the team that developed the metamodel

work meet to analyze the issues and suggestions from the users and to take the

necessary actions. It is also important that the team discuss what was learned from the

creation of the metamodel, based on the MetaFrame methodology.

5. RESULTS AND DISCUSSIONS

Metamodel of the IT Governance Framework Cobit 533

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

5.1. Building the COBIT 4.1 Metamodel

The steps to build the ontological metamodel of COBIT 4.1, according to the

Metaframe methodology are presented in this item. The beginning of the job to create a

metamodel corresponds to Phase 1 of the MetaFrame methodology, named Preparation.

This phase consists of the following stages: the reading the ISACA’s official guides for

the COBIT 4.1such as the COBIT 4.1 Manual, the COBIT 4.1 Control Practices and IT

Assurance Guide, Using COBIT 4.1; the ontological metamodel creation; the metadata

dictionary creation;, the database schemas of the metamodel creation and the analysis

and customizing of the model.

The job of creating the COBIT 4.1 metamodel itself corresponds to Phase 2 of the

MetaFrame methodology, named Execution, where the following activities are

performed: the data collection, the definition of the metamodel components, the creation

of the data dictionary, the creation of the metamodel and the creation of database

schemas.

In Phase 3 of the MetaFrame methodology, named Verification, the products that

are generated, are then examined as to their correctness and quality. The following

stages are performed in this phase: the documentation, the metamodel and the database.

The diagram of the COBIT 4.1 metamodel is shown in Figure 8.

Figure 8: COBIT 4.1 Metamodel. Source: The authors.

534 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

5.2. Summary of the COBIT Metamodel

The ontological metamodel developed in this work represents the conceptual

structures that constitute the COBIT 4.1 framework. These concepts are symbolized as

entity types (rectangles), relationship types (diamonds), cardinalities (numbers in

parentheses), attributes (ellipses), constructor types (triangles) and lines connecting

entities to relationships. The explanatory summary, recommended by the MetaFrame

methodology in phase 2, stage 4, step 2, intends to give a clear interpretation of the

metamodel to the user. The definitions presented here are a selection from the ISACA’s

COBIT 4.1official guides.

In the COBIT 4.1 metamodel, the central entity type is the IT Process. The

COBIT 4.1 has thirty-four IT processes that belong to certain domains of IT. The IT

Domain entity type represents the four domains that group one or more IT processes of

the COBIT 4.1.

The COBIT 4.1 processes are divided into one or more Activities. Each Activity

of COBIT 4.1 is carried out by one or more Roles that are consulted, informed,

accountable or liable for each Activity.

Each COBIT 4.1 IT Process considers from one up to seven elements of the

Information Criterion entity type as business requirements for information. Each IT

Process also uses from one up to four elements of the IT Resource entity type

(applications, people, information and infrastructure).

An IT Process also supports from one up to five elements of the IT Governance

Focus Area entity type. Each IT Process requires and delivers one or more elements of

the Input and Output entity type, containing results (documents, actions, etc.) of the

COBIT 4.1 IT processes or of external processes.

Each COBIT 4.1 IT Process is evaluated according to a specific Maturity Model.

The Maturity Model entity type provides a maturity profile for each process based on a

rating of just six elements of the Maturity Level entity type.

An IT Process defines one or more elements of the Goal entity type. A Goal entity

type of the COBIT 4.1 represents the following entity types: Business Goal, IT Goal,

Process Goal or Activity Goal. One Goal is measured by one or more elements of the

Metric entity type. A Metric in the COBIT 4.1 represents the Key Goal Indicator or Key

Performance Indicator entity types.

A COBIT 4.1 IT Process is controlled by one or more elements of the IT Control

entity type. The IT Control entity type represents the following entity types: Application

Control, Process Control or Detailed Control Objective and it controls a particular IT

Process.

An IT Control is implemented with one or more elements of the Control Practice

entity type. The Control Practice implements only a particular IT Control. A Control

Practice is based on one or more elements of the Driver entity type (risk or value).

An IT Control is audited by one or more elements of the Control Test entity type

which, in turn, audits a specific IT Control. The Control Test entity type represents the

Design Test and Result Test entity types.

Metamodel of the IT Governance Framework Cobit 535

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

5.3. Relevant Issues of the COBIT 4.1 Metamodel

During the metamodel creation process some issues have arisen, and they were

addressed to in meetings held to discuss and review both the data collection stage and

the process of analyzing and defining the components of the metamodel.

The COBIT 4.1 metamodel uses four constructor types that aim to optimize the

representation of the entity types as well as the relationship types involved. They were

formed through the specialization of an input entity type into two or more output entity

types. This structure allowed the use of only one relationship type with the input entity

type making it easier to understand the metamodel. Another advantage of using

constructor types is the decomposition of a more general concept into more detailed

concepts which are important for the understanding of the metamodel.

An example of the constructor type use was the creation of the IT Control entity

type and its specialization in the output entity types: Application Control, Process

Control and Control Objective. The three output entity types are examples of controls

for IT processes of the COBIT 4.1. They come up together in COBIT’s Control

Practices and IT Assurance Guide Using COBIT that are related to the control practices

and the audit tests, respectively.

Another issue of the construction of the COBIT 4.1 metamodel was the creation

of the Business Goal entity type. This type of goal is not present in the IT processes

forms in COBIT 4.1 User's Guide, but the goals of activity, process and IT are. As the

MetaFrame methodology involves thorough reading of all the official guides for data

collection of the metamodel components, significant references to the Business Goal

entity type were found externally to the forms of IT processes. In Appendix I of the

Handbook of COBIT 4.1, there are tables containing the seventeen business goals

suggested by ISACA and related to IT processes.

The COBIT 4.1 presents a RACI chart for each IT process containing IT activities

and the type of role (R-Responsible, A-Accountable, C-Consulted, I-Informed) for each

process stakeholder. The metamodel represents the type of relationship "is performed

by" between an Activity entity type and a Role entity type. The responsibility of each

role was considered as an attribute of the relationship because it depends on the

elements of the two entity types at the same time. The responsibility is dependent of the

Activity and Role entity types as shown in Figure 9. The attribute responsibility, as well

as other attributes of the metamodel entity types, appears in the diagram of the complete

metamodel, printed on a page large enough to hold all the components. However, in

cases where the attribute is indeed important for the comprehension of the metamodel

by the users, a given atribute may be included in the metamodel drawing.

Figure 9: Representation of the Relationship Attribute

536 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

One issue that sparked the debate among the participants of the meeting was the

creation of the Input and Output entity type. The COBIT 4.1 provides for each IT

process one table with the entries for the process, including the external inputs and

another for the results or outputs of the process. Both inputs and outputs of the

processes can be in the form of actions, documents, etc. Instead of creating two entity

types, one for the input and another for the output, it was decided to create a single

entity type as the elements of the entity type are of the same type.

In order that the metamodel demonstrates the two types of relationship of the

Input entity type and the Output entity type with the IT Process entity type, two verbs

were used for naming the relationship type. One verb expresses the relationship with the

inputs of the process and another verb expresses the relationship with the outputs of the

process. Therefore, it is clear to the user of the metamodel what the scope of the

relationship between the two entity types is. Reading the metamodel from the left to the

right, the relationship is described as "requires and delivers", i.e., an IT process requires

one or more inputs and also delivers one or more outputs of the Input entity type and the

Output entity type.

Another important issue discussed by the participants was the representation of

the maturity model of the COBIT 4.1. The COBIT 4.1 framework has a maturity model

for each IT process. This model was based on the maturity levels of the CMM

(Capability Maturity Model) developed by the SEI (Software Engineering Institute),

although it has different goals. The maturity model of the COBIT 4.1 is not meant to

accurately assess the level of the process maturity. The maturity model of the COBIT

4.1 fosters the creation of a maturity profile for the IT process by evaluating the process

evolution stage with each of the six levels of the maturity model.

5.4. Validation of the COBIT 4.1 Metamodel

Table 2 shows the validation of the COBIT 4.1 metamodel based on the principles

defined by Schütte (1998) for evaluating metamodels plus the guidelines defined by

Goeken (2009). This table also shows that the generated metamodel fully meets all

quality requirements set by these two authors.

Table 2: Validation of the COBIT 4.1 Metamodel

Principles(P) /

Guidelines(G) Fulfillment

P1 - Adequacy of

construction

The use of ontological metamodels to portray the COBIT 4.1 essential concepts

and structures was adequated.

P2 - Adequacy of

language

The purpose of the metamodel is suitable for the language used for the COBIT

4.1 metamodel does not include other symbols or different items from those

already present in the model, i.e., there is consistency between the model and the

metamodel.

P3 - Economic

efficiency

The ontological COBIT 4.1 metamodel sustains this principle because it does not

need any extension or modification in the language used, therefore it does not

require an additional development for the organization.

P4 – Clarity This principle is fulfilled by the guidelines and principles used in the metamodel

creation, for example, the quality goals and criteria of the graphical formatting.

Metamodel of the IT Governance Framework Cobit 537

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

P5 – Systematic

Design

This principle deals with the construction consistency between the metamodels.

This principle is covered by the systematic creation of the metamodels of IT best

practices frameworks through the use of the MetaFrame methodology.

P6 – Comparability

This principle handles the semantic comparison between two models according to

their similarity or correspondence. This principle is met because the metamodels

created using the MetaFrame methodology are comparable as they have in their

documentation a metamodel data dictionary that allows a more effective

comparison of the concepts presented.

O1 - Revelation of

the Metaization

Principle

This guideline is attained through the revelation that the type of the COBIT 4.1

metamodel is the ontological one and that the language components of the

extended E/R methodology (rectangles - entity type, lozenges - relationship type

etc.), used to represent the metamodel, are named according to the essential or

primary concepts of the model, i.e., according to the concepts that classify the

model.

O2 – Clear

Mapping

The metamodel of the COBIT 4.1 meets this principle because the MetaFrame

methodology demands the creation of an explanatory summary of the metamodel

so the users may clearly understand the concepts used. Although those concepts are

known to the users of the model, they may not be known to other professionals of

the IT management area

O3 - Having rich

semantic

connections

This guideline is followed by the COBIT 4.1 metamodel, which is created

according to the MetaFrame methodology because only the most significant

relationships that express important concepts contained or created from the model

are used. For every relationship there are two expressions naming the type of each

relationship, depending on the direction in which the entity types are read. The

names of the relationships are extracted from the official guides, with rare

exceptions.

6. CONCLUSION AND FUTURE RESEARCH

This paper aims at presenting the COBIT 4.1 metamodel and it was used to

analyze the overall structure of the framework.

Comparing the treatment followed here with other approaches on the subject, such

as that defined by Goeken (2009), it is important to emphasize that the development of

the COBIT 4.1 metamodel was started from the so called MetaFrame methodology, and

not from the use of a simple conceptual modeling devoid of standard procedures that

prevent the repetition of the modeling by others. Furthermore, it is worth noting the fact

that the MetaFrame methodology requires strict adherence to the official documentation

of the model under study. In other approaches, it remains clear the differencesbetween

the conceptualization of the official documents and what is described by the author.

In future research, it is also possible to use metamodels as a methodological

support for adapting or customizing frameworks to the processes and structures of an

organization. For example, the COBIT 4.1 metamodel may suggest how to adapt or

implement a new process into the framework by displaying the associated entity types

and relationship types. This means that the metamodel, having a rich conceptual

framework and their relationships, becomes a guide for the changes to be made in the

framework, since its essential characteristics are respected.

One may also compare the IT best practices frameworks using metamodels, which

can be quite useful for analyzing possible feature additions. This can be done using the

538 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

documents generated by the MetaFrame methodology, in particular, the metamodel data

dictionary with all its components and their descriptions, types, relationships etc. The

metamodel dictionary generated by the MetaFrame methodology is a prerequisite for

comparing the structures of two or more frameworks and, also, for addressing the issue

of synonyms and homonyms concepts.

The metamodels of the IT best practices frameworks can also contribute to the

integration of frameworks. Here, the term integration is used in the context of creating a

common area between two frameworks, despite keeping, at the same time, the

characteristics of each one. After the processes of analysis and comparison, the

connection points between components and the logical structures of their relationships

are identified. Then, it is possible to construct a new metamodel displaying an

integration area containing the components of the frameworks that were integrated.

Entity types such as processes, activities, resources, products etc., are present in most of

the IT best practice frameworks with similar meanings and attributes. Other

components, despite having different names, have the same meaning and can also be

integrated.

The metamodels may also contribute to the fusion of different IT frameworks.

The term fusion refers to the creation of a new framework starting from the existing

ones. This situation occurs when it is requested that one framework complements

another, what may occur through the embodiment of the more specific framework into

the structure of the framework displaying a wider scope. The fusion process also

depends on the analysis and comparison of the frameworks. After this step, a new

framework will arise from the introduction or adaptation of existing concepts or by

creating new concepts consistent with the frameworks of origin.

REFERENCES

Atkinson, C., and Kühne, T. (2003a), Model-Driven Development: A Metamodeling

Foundation, IEEE Software, vol. 20,no. 5, pp. 36-41.

Atkinson, C., and Kühne, T. (2003b), Calling a Spade a Spade in the MDA

Infrastructure, International Workshop Metamodeling for MDA, York.

Atzeni, P., Ceri, S., Paraboschi, S., Torlone, R. (1999), Database Systems Concepts,

Languages and Architectures. McGraw-Hill.

Chen, Peter, P.S. (1976), The Entity-Relationship Model: Towards a Unified View of

Data, ACM Transaction on Database Systems, vol. 1, nº1, pp. 9-36.

Debreceny, R. Re-engineering IT Internal Controls: Applying Capability Maturity

Models to the Evaluations of IT Controls. Proceeding of the 39 nd

International

Conference on Systems Engineering Research, Hawaii, 2006.

Engels, G., Gogolla, M.,Hohenstein, U., Hulsmann, K. (1992), Conceptual Modelling of

Database Applications Using an Extended ER Model. North Holland, Amsterdam, pp.

157-204.

Ferreira Neto, A. N. F., Metamodelos Ontológicos de Frameworks de Melhores Práticas

de TI (2010). Disponível em:

Metamodel of the IT Governance Framework Cobit 539

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

http://www.bdtd.ucb.br/tede/tde_busca/arquivo.php?codArquivo=1282. Acesso em:

8mar 2011.

Gil, Antônio C. Como elaborar projetos de pesquisa. 4ª Ed. São Paulo: Editora Atlas,

2002.

Goeken M., Alter S. (2009), Towards Conceptual Metamodeling of IT Governance

Frameworks Approach - Use - Benefits, hicss, 42nd Hawaii International Conference on

System Sciences, pp.1-10.

Grembergen, W. Strategies for information technology governance. Idea Group Inc.,

2004.

Heuser, C. A. (1998), Projeto de Banco de Dados, 6ª edição. ISBN: 979-85-7780-382-8.

Editora Bookman.

IT Governance Institute. COBIT 4.1 (2005). Disponível em:

http://www.isaca.org/Knowledge-Center/COBIT/Pages/Downloads.aspx. Acesso em: 1

Fev 2011.

IT Governance Institute: COBIT Mapping: Overview of International IT Guidance

(2006), 2nd Edition, ISBN 1-933284-31-5.

IT Governance Institute: COBIT® 4.1. Framework Control Objectives Management

Guidelines Maturity Models (2007).

IT Governance Institute COBIT® Mapping: Mapping of ITIL V3 With COBIT® 4.1

(2008), ISBN 1-933284-31-5.

Johannsen, W., Goeken, M. (2007). Referenzmodelle für IT Governance. verlag GmbH,

Heidelberg.

Karagiannis, D., and Kühn, H. (2002), Metamodeling Platforms. In A. Min Tjoa, & G.

Quirchmayer (Eds.), Lecture Notes in Computer Science: Vol. 2455. Proceedings of the

Third International Conference EC-Web, Springer, pp. 451-464.

Kühne, T. (2006), Matters of (Meta-) Modelling, In Journal on Software and Systems

Modeling, Volume 5, Number 4, pp. 369-385.

Moresi, E. A. D. Metodologia de Pesquisa. Brasília-DF: Universidade Católica de

Brasília-UCB, mar. 2004.

OMG (2003). MDA Guide Version 1.0.1 Version 1.0.1, OMG document omg/03-06-01.

OMG (2004).UML-Unified Modeling Language Infrastructure Specification, Version

2.0, Version 2.0, OMG document ptc/03-09-15.

Ridley, G.; Yo Ung, J. e Carroll, P. COBIT and Its Utilization: A Framework from the

Literature. Proceedings of the 37th International Conference on System Sciences,

Hawaii 2004.

Schütte, R., Rotthowe, T. (1998). The Guidelines of Modeling- an approach to enhance

the quality in information models. In Ling, Ram, Lee (Eds.) Conceptual Modeling – ER

98. Singapore, 16.-19.11.98, pp. 240-254.

Simonsson, M. e Johnson, P. Defining IT Governance – A consolidation of Literature.

Department of Industrial Information and Control Systems. Royal Institute of

Technology (KTR), 2006.Disponível em

<http://www.ics.kth.se/Publikationer/Working%20Papers/EARP-WP-2005-MS-

04.pdf>. Acesso em 05/02/09.

540 Souza Neto, J., Ferreira Neto, A. N.

JISTEM, Brazil Vol. 10, No.3,Sept/Dec 2013, pp. 521-540 www.jistem.fea.usp.br

Strahringer, S. (1996).Metamodellierungals Instrument des Methodenvergleichs, Shaker

Verlag, Aachen.

Tamassia, D.; DI Battisti, G.; Batini, C.(1988): Automatic graph drawing and

readability of Diagrams. IEEE Transactions on Systems, Man and Cybernetics, 18 1, S.

61-79.

Vergara, Silvia Constant, (2000) Projetos e Relatórios de Pesquisa em Administração.

3ª ed. São Paulo: Atlas.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Attachment 3

Research Article

Business value through controlled IT: toward an integrated model of IT governance success and its impact Arne Buchwald1,2, Nils Urbach1, Frederik Ahlemann2

1University of Bayreuth, Bayreuth, Germany; 2University of Duisburg-Essen, Essen, Germany

Correspondence: Arne Buchwald, University of Bayreuth, Universitätsstraße 30, 95447 Bayreuth, Germany. Tel: +49-921-55-4710; Fax: +49-921-55-844710; E-mail: [email protected]

Abstract Owing to increasing regulatory pressure and the need for aligned information technology (IT) decisions at the interface of business and IT, IT governance (ITG) has become important in both academia and practice. However, knowledge of integrating the determinants and consequences of ITG success remains scarce. Although some studies investigate individual aspects of ITG success and its impact, none combine these factors into a comprehensive and integrated model that would lead to a more complete understanding of the ITG concept. To address this gap, our research aims at understanding what factors influence and result from successful ITG, and at determining how they can be translated into a model to explain ITG success and the impact thereof. Therefore, we conducted interviews with 28 IT decision makers in 19 multinational organizations headquartered in Europe. Our study synthesizes the fragmented previous research, provides new empirical insights gathered on the basis of a clear ITG conceptualization, and suggests three innovative constructs heretofore not related to ITG. Moreover, we elucidate in a holistic model the factors that make ITG successful, how ITG contributes to an IT organization’s success, and how it eventually unfolds throughout the overall organization. The resulting model allows organizational decision makers to develop an effective ITG implementation and to explain the implications of successful ITG, thus providing a justification for the respective investments. Journal of Information Technology (2014) 29, 128–147. doi:10.1057/jit.2014.3; published online 29 April 2014 Keywords: IT governance; IS management; IS success/failure; IS alignment

Introduction

T oday, most organizations increasingly rely on informa-tion technology (IT) and continue to make significant IT-enabled business investments (Cubeles-Márquez, 2008). While many companies’ IT structures have become very complex, IT has been designated as a strategic tool in increasing a firm’s value and helping it attain its business goals (IT Governance Institute (ITGI), 2003; Lazic et al., 2011b). Accordingly, over the past few years, corporate IT departments’ emphasis has shifted from technical to manage- rial issues. Thus, today’s IT departments can be considered a ‘business within a business’ (Segars and Hendrickson, 2000: 432). Triggered by this increasing business orientation and the resulting management complexity of corporate IT depart- ments, IT governance (ITG) has become an important matter in both academic research and organizational practice (Brown

and Grant, 2005). As the utilization of IT involves a combina- tion of organizational, technical, and cultural influences (Sethibe et al., 2007), effective ITG is required to orchestrate them. According to Weill and Ross (2004), ITG refers to an actively designed set of mechanisms that encourages behaviors consistent with the organization’s mission, strategy, and culture. These ITG mechanisms are directed toward a variety of IT-related matters, such as the manner in which critical IT decision processes are carried out, the policies put in place to guide these decision processes, and the assignment of accountabilities and participation rights regarding these pro- cesses (Sambamurthy and Zmud, 1999; Weill and Ross, 2004).

Despite its popularity, the ITG notion remains vague. Extant literature provides diverse definitions of ITG, acknowl- edging its structures, control frameworks, and/or processes.

Journal of Information Technology (2014) 29, 128–147 © 2014 JIT Palgrave Macmillan All rights reserved 0268-3962/14

palgrave-journals.com/jit/

Thereby, the ‘definitions applied within the literature and the nature and breadth of discussion demonstrate a lack of a clear shared understanding of the term,’ which might ‘confuse and possibly impede useful research in the field and limit valid cross-study comparisons of results’ (Webb et al., 2006: 6). As Brown and Grant (2005: 697) point out, ‘attempting to secure a definitive definition of ITG from existing literature quickly becomes a futile exercise in semantics’ due to the many disparate descriptions available. Correspondingly, prac- titioners’ perceptions of ITG objectives, properties, and responsibilities appear as unclear and heterogeneous as they do in the literature. The term ITG has been widely used by many parties, such as IT managers, consultants, auditors, and software providers, for various aspects of corporate IT man- agement. Consequently, the contents and activities that the different parties associate with ITG vary (Fröhlich et al., 2007).

Complementary to the fuzzy understanding of the term ITG in the literature and in practice, comprehensive knowl- edge of the factors influencing ITG success and its subsequent impact is scarce. On the one hand, previous academic research has provided some studies on single ITG success determinants (e.g., Guldentops, 2004; Ali and Green, 2007; Huang et al., 2010) and consequences (e.g., Weill and Ross, 2004; De Haes and Van Grembergen, 2009a; Heart et al., 2010). However, these studies’ contexts are quite diverse and their underlying understanding of ITG is heterogeneous, and thus their results are hardly compar- able and sometimes describe different empirical phenomena. Furthermore, none of the existing studies combine ITG success determinants and consequences into a comprehensive and integrated model of ITG success and its impact. Such integrated perspective on ITG, however, is important – especially from the practitioners’ point of view – because it provides an easy- to-understand, end-to-end view on how ITG can be leveraged to create business value. On the other hand, while existing practitioner guides (e.g., ITGI, 2007) provide helpful advice, they are often limited to specific implementations, display limited rigor, and do not provide a sufficient explanation of the cause–effect relationships. While ITG success specifically refers to the IT organization and its effective and efficient relationship with the business divisions, it eventually has an impact, in terms of utility, on the whole organization.

Accordingly, this paper has three research objectives: (1) con- ciliating the different notions of and fragmented research on ITG, (2) empirically investigating relevant factors that influ- ence and result from successful ITG, and (3) integrating these factors into a model that explains ITG success and its impact. Given the rather limited theoretical body of knowledge and the heterogeneous empirical basis that underpins ITG success research, we address the above-mentioned research gap following a qualitative–explorative approach. We conducted 25 interviews comprising 28 IT decision makers in 19 Central European companies across different industries, analyzed and interpreted the collected data by applying an extensive content analysis, and theoretically integrated our findings with prior research results.

With our research, we aim to contribute in two ways: we aim to synthesize the fragmented previous research with new empirical insights gathered on the basis of clear ITG conceptua- lization, as well as to elucidate in a holistic model what factors make ITG successful and how it contributes to an IT organiza- tion’s success. Thereby, we intend to close an evident research gap by combining fragmented research. In terms of practice, our

research allows organizational decision makers to achieve effective ITG implementation and to explain the implications of ITG, thus justifying the respective investments. By combining research on ITG success determinants and their impact on an organization, we provide a comprehensive end-to-end perspec- tive on how organizations can leverage their IT to become more effective. Finally, we discuss how our specific findings add to the organization’s ability to exploit IT for real innovation.

This paper is structured as follows. The next section briefly reviews the most important ITG conceptualizations and studies that inform our research. In the subsequent section, we outline our methodological approach to answering the research questions. Then, in the following section, we present our empirical findings resulting from the interview study. Subsequently, in the penultimate section, we synthesize our findings into a model that explains how successful ITG works and how it impacts the organization. In the final section, we summarize and discuss our results, as well as outline our study’s limitations and research contribution.

Foundations In this section, we will discuss prior research that is relevant to our investigation. As the phenomenon of ITG is complex and subject to diverse research streams, we present its historical background as well as the most established definitions and main focus areas in the following subsection. Subsequently, we provide an overview of ITG’s success determinants and consequences that we identified in previous studies. These form the basis for our successive empirical investigation and theoretical integration.

IT governance Although similar phenomena had been studied for some time, such as the management guidelines by Garrity (1963) or organizational characteristics’ impact on the structure of the information services function by Olson and Chervany (1980), the term ITG was first used in academic literature in the early 1990s in the contexts of IT outsourcing (Loh and Venkatraman, 1992) and strategic alignment (Henderson and Venkatraman, 1993). A few years later, a research stream emerged with the first specific studies on this topic, including Brown’s (1997) examination of the emergence of hybrid ITG solutions and Sambamurthy and Zmud’s (1999) theory of multiple contingencies for ITG arrangements. Since then, research has produced various definitions of ITG, leading to a lack of clarity with regard to the term’s meaning (Peterson, 2004; Brown and Grant, 2005; Webb et al., 2006). In a rela- tively focused manner, Weill and Ross (2004: 2) define ITG as ‘specifying the decision rights and accountability framework to encourage desirable behavior in using IT.’ Highlighting the importance of organizational structures and processes, the ITGI understands ITG as a responsibility of the board of directors and executive management. According to its broader, more dynamic definition, ITG ‘is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objec- tives’ (ITGI, 2003: 10). A similar definition that focuses on business–IT alignment was formulated by Van Grembergen (2002: 1), who considers ITG ‘the organizational capacity exercised by the board, executive management and IT man- agement to control the formulation and implementation of IT

IT governance success and its impact Buchwald et al. 129

strategy and in this way ensure the fusion of business and IT.’ In order to make a clear distinction between IT management and ITG, and to correspond to established definitions of corporate governance, we take ITGI’s understanding as our up-front working definition.

Although the literature emphasizes different ITG focus areas, most of the publications share certain central aspects. ITG is commonly referred to as a subset of corporate gov- ernance (Webb et al., 2006; Heart et al., 2010). As various authors have indicated, ITG comprises five basic content domains (ITGI, 2003; Meyer et al., 2003; Webb et al., 2006): (1) ensuring the linkage between business and IT plans (strategic alignment); (2) optimizing IT expenses and proving the value of IT (value delivery); (3) securing the optimal investment in and the proper management of critical IT resources (resource management); (4) addressing the safe- guarding of IT assets, disaster recovery, and the continuity of operations (risk management); and (5) tracking project delivery and monitoring IT services (performance measure- ment). Furthermore, there is broad consensus that ITG deployment comprises structures (e.g., CIO organization and IT committees), processes (e.g., strategic IT decision mak- ing and monitoring procedures), and relational mechanisms (e.g., business-IT participation and partnerships, strategic dialog, and shared learning) (Van Grembergen et al., 2004; De Haes and Van Grembergen, 2009a). To get an overview of previous academic research and gather deeper insight on the phenomena of ITG, the reader may refer to the in-depth literature reviews by Brown and Grant (2005), Simonsson and Johnson (2005), Webb et al. (2006), and Buckby et al. (2008).

To conclude, we see a number of publications on ITG that were published over the last few years. However, although most studies share certain central aspects, the concept of ITG is still not clearly defined and thus without an established and fully accepted understanding. While one may be tempted to argue that establishing a clear understanding is simply a question of definition, the problem lies deeper: being based on diverse conceptualizations, existing studies on antecedents and outcomes of ITG are hardly comparable, thus leaving ‘research in the domain of IT governance implementations […] in its early stages’ (De Haes and Van Grembergen, 2009a: 125). In turn, a differing definitional base of ITG is not

necessarily negative because it certainly enriches research on ITG with various aspects. However, the more different the underlying definitional base of ITG, the more difficult it is to compare and contrast research on ITG in order to advance the cumulative knowledge. Considering Suddaby’s (2010) call for more construct clarity, we see the problem that a differing definitional base challenges and inhibits valid analytical con- clusions across studies on ITG and may thus lead to wrong inferences. In order to help narrow down the challenge of diverse conceptualizations, we draw on a morphological box (Zwicky, 1967) in which we portray the constituent elements and their characteristics of our analysis of previous literature on ITG outlined above (Table 1).

ITG success determinants Several studies have been published that identify single ITG success determinants from empirical observations. On the basis of a case study investigation of large complex organizations in Europe and North America, Ribbers et al. (2002) conclude that effective ITG is influenced by both methodological comprehen- siveness and social interventions among stakeholders. On the basis of conceptual considerations, Guldentops (2004) presents five key success determinants of IT control and governance that are focused on establishing appropriate IT structures and processes, as well as aligning business and IT in strategy and operations. Weill (2004), who undertook a survey of CIOs and case studies of multinational firms, suggests that managers consider eight critical success factors when assessing or imple- menting ITG. Interestingly, he adds education to the list of antecedents, stressing that the organizational adoption of ITG depends on the internalization of the respective practices.

Having analyzed survey data obtained from members of the Information Systems and Audit Control Association (ISACA) in Australia, Ali and Green (2005) find significant positive relationships between ITG effectiveness and four ITG mech- anisms that include strategy committees, an appropriate information system, as well as a supporting organizational culture of compliance. Using sample data from auditors working in Australian public sector organizations, these authors (2007) again confirm that the IT strategy committee and corporate communication systems are success factors. Via

Table 1 Morphological box on the ITG concept

IT governance success and its impact Buchwald et al. 130

an in-depth study of an Australian organization, Bowen et al. (2007) explore the factors influencing ITG structures, pro- cesses, and outcome metrics. Their results indicate that stakeholders need a shared understanding of the business and IT objectives and that a balance of business and IT represen- tatives in IT decisions along with intense communication is required. The work of De Haes and Van Grembergen (2008) provides insights into the effectiveness and ease of ITG practices’ implementation, and provides a minimum baseline of practices that organizations should have; these include IT leadership and strategic information systems planning.

Adopting an inductive research strategy to examine quali- tative data, Huang et al. (2010) provide evidence of IT steering committees’ and IT-related communication policies’ influence on ITG effectiveness. On the basis of a literature review and case study research, Nfuka and Rusu (2010) identify a set of 11 critical success factors for effective ITG in Tanzanian pub- lic sector organizations. These include the governance of IT structures, stakeholders’ involvement, defining and track- ing benefits, as well as well-communicated IT strategies and policies. In a follow-up publication, Nfuka and Rusu (2011) empirically investigate and confirm the positive effect of the previously identified factors on ITG performance using survey data from 135 organizations.

In contrast to the aforementioned studies identifying criti- cal success determinants, Lee et al. (2008a, 2008b) empirically examine how inhibiting features associated with ITG affect its success. On the basis of a literature review and a survey of leading Korean enterprises, a lack of clear IT principles and policies, as well as the inadequate support of financial resources, were identified as some of the inhibiting factors.

From our literature review (see Table 2), we conclude that previous research has investigated ITG success determi- nants using different conceptualizations and methodological approaches in various contexts, resulting in a number of factors on diverse abstraction levels. This inconsistency, together with the fuzziness of the ITG concept, makes a synthesis and aggregation solely on the basis of previous literature quite challenging. Therefore, we believe that build- ing upon previous findings and incorporating additional empirical insights is a worthwhile endeavor.

Consequences of ITG success The consequences of ITG success have received relatively less attention than its determinants. In their influential book, Weill and Ross (2004) define ITG performance as ITG’s effectiveness in delivering four outcomes weighted by their importance to the organization: the cost-effective use of IT as well as the effective use of IT for asset utilization, growth, and business flexibility. Owing to its straightforwardness and ease of use, researchers have widely adopted this measure (Simonsson et al., 2010; Nfuka and Rusu, 2011). Bowen et al. (2007) extended it by including a fifth objective, namely, compliance with the legal and regulatory requirements, in their assess- ment. Huang et al. (2010) operationalize ITG effectiveness in terms of the organizational success of IT use. Therefore, they consider the efficiency of IT use, which refers to the extent to which cost and productivity advantages accrue in the deploy- ment of IT assets and capabilities, as well as the breadth of IT use, as reflecting the extent to which IT assets and capabilities are used to support work processes across the organization. Ta

b le

2 P rio

r lit er at ur e on

IT G

su cc

es s de

te rm

in an

ts

R ef er en ce

C on ce pt ua

liz at io n

R es ea rc h

ap pr oa ch

Em pi ri ca lb as is

Su cc es s de te rm

in an

ts

R ib be rs et al .

(2 00 2)

O rg an iz at io n al m od

el of

de ci si on

m ak in g

C as e st ud

y 9 la rg e co m pl ex

or ga ni za ti on

s in

E ur op

e an d N or th

A m er ic a

● M et ho

do lo gi ca lc om

pr eh en si ve ne ss

● St ra te gi c in te gr at io n of

bu si ne ss

an d IT

de ci si on

s ● B ui ld in g co lla bo ra ti ve

re la ti on

sh ip s an d sh ar ed

un de rs ta nd

in g

am on

g ke y st ak eh ol de rs

G ul de nt op

s (2 00 4)

In te rn al co nt ro lo

f IT

C on

ce pt ua l n/ a

● Fo

rm in g IT

st ra te gy

an d IT

st ee ri ng

co m m it te es

● A lig ni ng

IT an d th e bu

si ne ss

in st ra te gy

an d op

er at io ns

● C as ca di n g of

IT go al s an d st ra te gy

● A pp

ly in g em

er gi ng

m an ag em

en t be st pr ac ti ce s

● Im

pl em

en ti ng

a go ve rn an ce

an d co nt ro lf ra m ew

or k fo r IT

W ei ll (2 00 4)

Fr am

ew or k fo r de ci si on

ri gh ts an d

ac co un

ta bi lit ie s

Su rv ey ,

ca se

st ud

y 25 0 en te rp ri se s in

23 co un

tr ie s

● T ra ns pa re nc y of

th e IT

de ci si on

s ● A ct iv el y de si gn ed

IT ● In fr eq ue n tly

re de si gn ed

IT G

● E du

ca ti on

ab ou

t IT G

● Si m pl ic it y of

th e go ve rn an ce

ar ra ng em

en ts

● E xc ep ti on

-h an dl in g pr oc es s

● G ov er na nc e de si gn ed

at m ul ti pl e or ga ni za ti on

al le ve ls

● A lig ne d in ce nt iv e an d re w ar d sy st em

s

IT governance success and its impact Buchwald et al. 131

Table 2 Continued

Reference Conceptualization Research approach

Empirical basis Success determinants

Ali and Green (2005, 2007)

Structure of relationships and processes to control the IT

Survey 176 members of ISACA Australia (thereof 54 responses from public sector organizations)

● Forming an IT strategy committee ● Senior management involvement ● Culture of compliance ● Adequate corporate communication systems

Bowen et al. (2007)

IT-related decision-making structure and methodologies for planning, organizing, and controlling IT activities

Case study Large Australian company ● Shared understanding of the business and IT objectives ● Active involvement of IT steering committees ● Balance of business and IT representatives in IT decisions ● Comprehensive and well-communicated IT strategies and policies

De Haes and Van Grembergen (2008)

Mixture of structures, processes, and relational mechanisms

Delphi research

22 experts from Belgian financial services sector

● ITG structures ● ITG processes ● ITG relational mechanisms

Lee et al. (2008a, 2008b)

Decision rights and accountabilities, strategic alignment between IT and business, organizational structure of relationships

Survey 96 leading enterprises in Korea ● Stakeholder involvement ● Clear ITG principles and policies ● Adequate organizational cultures ● Active communication ● Clear ITG processes ● Adequate support for financial resources ● Adequate support for time resources

Huang et al. (2010)

Framework for decision rights and accountabilities

Case study Three organizations located in the mid-west USA

● IT steering committees ● IT-related communication

Nfuka and Rusu (2010, 2011)

Mechanisms for leadership and organizational structures and processes

Survey 135 Tanzanian public sector organizations

● IT leadership ● Senior management support ● IT/business communication and partnership ● Stakeholders’ involvement ● Define and align IT strategies to corporate strategies ● Governance of IT structures ● Well-communicated IT strategies and policies ● Provide ITG awareness and training ● Competitive IT professionals ● Defining and tracking of benefits

IT g o vern

an ce

su ccess

an d its

im p act

Buchw ald

etal. 1 3 2

According to the ITGI (2007), effective ITG generates real business benefits, such as enhanced reputation, trust, product leadership, time-to-market, and reduced costs, all of which increase stakeholder value. Lee et al. (2008a, 2008b) agree with these outcomes and emphasize the additional role of ITG in mitigating IT risks. On the basis of their analysis of extreme cases, De Haes and Van Grembergen (2009a, 2009b) conclude that business–IT alignment maturity is higher in organizations that apply a combination of mature ITG practices. Heart et al. (2010) confirm a positive relationship between ITG and IT- enabled enterprise adaptability by analyzing survey data gathered from executives in medium-sized to large Israeli organizations. A study by Weill and Ross (2004) indicates that well-structured ITG can have positive effects on corporate performance. The results of their survey of 256 corporations suggest that the best-performing enterprises show a return on assets (ROA) of more than 40% compared with the values achieved by their competitors. Similarly, on the basis of 19 case studies of major multinational corporations, Lazic et al. (2011a, 2011b) suggest that ITG is positively related to business performance through the mediators IT relatedness and business process relatedness. Finally, drawing on strategic alignment and coordination theories, Liang et al. (2011) show that strategic alignment is a major factor that mediates the effect of ITG on firm performance.

From our literature review (see Table 3), we conclude that previous research gives some indication of how successful ITG initiatives have a certain business impact. However, this impact dimension has rarely been empirically analyzed in a multi- dimensional way, and often only focuses on specific implica- tions, such as improved business IT/alignment or IT efficiency. Thus, we believe that previous findings could be advanced by a broader and more in-depth exploration of the different ITG consequences and how they interrelate with each other.

Methods

Research approach ITG is a notion that is hard to grasp (Webb et al., 2006). Previous research examined different aspects of ITG in diverse contexts that often have different understandings of the con- cepts under investigation. Theory building is further hampered by ITG implementations’ lack of theoretical underpinnings (De Haes and Van Grembergen, 2009a). We therefore chose an exploratory approach for this research endeavor. Accordingly, we followed a qualitative-empirical research design – an established approach to analyzing strategic IT planning issues in practice (Wu et al., 2006) – to address our research questions. According to Benbasat et al. (1987: 369), this kind of research is particularly applicable to ‘sticky, practice-based problems where the experiences of the actors are important and the context of action is critical.’ Drawing on recommendations by Klein and Myers (1999), we subsequently initiated a field study based on interviews to look for empirical patterns that would explain ITG success and its impact. Thereby, our study’s unit of analysis is the organization implementing ITG.

Data collection To collect data, we carried out 25 guided interviews com- prising 28 IT decision makers at the medium and top Ta

b le

3 P rio

r lit er at ur e on

IT G

co ns

eq ue

nc es

R ef er en ce

C on ce pt ua

liz at io n

R es ea rc h ap pr oa ch

Em pi ri ca lb as is

C on se qu

en ce s

W ei ll an d R os s

(2 00 4)

Fr am

ew or k fo r de ci si on

ri gh ts an d

ac co un

ta bi lit ie s

Su rv ey

25 6 co rp or at io ns

● C os t- ef fe ct iv e us e of

IT ●

E ff ec ti ve

us e of

IT fo r as se t ut ili za ti on

● E ff ec ti ve

us e of

IT fo r gr ow

th ●

E ff ec ti ve

us e of

IT fo r bu

si ne ss

fl ex ib ili ty

● In cr ea se d co rp or at e pe rf or m an ce

th ro ug h

im pr ov ed

R O A

B ow

en et al .

(2 00 7)

IT -r el at ed

de ci si on

-m ak in g st ru ct ur e an d

m et ho

do lo gi es

fo r pl an ni ng ,o rg an iz in g,

an d co nt ro lli ng

IT ac ti vi ti es

C as e st ud

y La rg e A us tr al ia n

co m pa ny

● Li ke

W ei ll an d R os s (2 00 4)

● C om

pl ia nc e w it h th e le ga la nd

re gu la to ry

re qu

ir em

en ts

IT G I (2 00 7)

Le ad er sh ip

an d or ga ni za ti on

al st ru ct ur es

an d pr oc es se s

C on

ce pt ua l

n/ a

B us in es s be ne fi ts fo r st ak eh ol de rs ,f or

ex am

pl e

● E nh

an ce d re pu

ta ti on

● T ru st

● P ro du

ct le ad er sh ip

● Sh or t ti m e- to -m

ar ke t

● R ed uc ed

co st s

Le e et al .

(2 00 8a ,

20 08 b)

D ec is io n ri gh ts an d ac co un

ta bi lit ie s,

st ra te gi c al ig nm

en t be tw ee n IT

an d

Su rv ey

96 le ad in g en te rp ri se s

in K or ea

● Li ke

IT G I (2 00 7)

● M it ig at ed

IT ri sk s

IT governance success and its impact Buchwald et al. 133

management levels (CIO, CFO, CEO, Director of IT Govern- ance, etc.), as they are usually responsible for establishing and maintaining ITG (ITGI, 2003). The 28 interviewees were from 19 multinational organizations headquartered in Europe (Germany, Austria, and the Netherlands). Our selection of organizations can be considered a convenience sample as it allowed us to achieve this relatively large number of inter- viewees. However, drawing on the concept of theoretical replication (Benbasat et al., 1987; Yin, 2009), we tried to achieve sufficient variation across the organizations with respect to industry, size, IT/business structure, and IT/busi- ness strategy to avoid any bias in this regard. We consequently considered companies from different fields and industries (Table 4).

The interviewees were recruited by means of invitation letters sent via post and email to 152 IT decision makers. Of these IT decision makers, 141 were sampled from the client network of a German management consulting company, which previously had dealings with those IT decision makers. The remaining 11 possible interviewees were sampled from the corporate partners’ network of the authors’ univer- sities. A total of 27 organizations responded to our inquiry, while 19 gave their consent to be interviewed. Eventually, we conducted 25 interviews with one or, in three cases, two interviewees simultaneously between May and September 2011. The interview process was supported by an interview guide with 42 questions on the interviewees’ and their organizations’ demographics, as well as their understanding, implementation status, development path, and – of particular importance for the research presented in this paper – the determinants and consequences of ITG. The final interview guide is provided in Appendix to this paper. We pre-tested the interview guide by having extensive discussions with two researchers who were not involved in the project and one subject matter expert as well as one pilot interview. As a result of the pilot interview, the interviewees were given access to a more aggregated form of the interview guide and an information package about the study in general beforehand to support their pre-preparation. The interviews lasted between 1.5 and 2 h each. For 11 of the interviews, there were two interviewers, while only one was used for the remaining 14 interviews. We conveyed the length of the interview to the interviewees beforehand, thus addressing their time con- straints and increasing the likelihood of cooperation. In addition, all the interviewees were briefed on the guaranteed anonymity and consented to the interview being recorded. Furthermore, we took field notes to support the analysis process. At the beginning of the interviews, we asked the informants how they understood ITG to avoid misunder- standings and assure content validity. During the interviews, we compared the interviewee’s understanding with our initial ITG definition and used the interviewees’ answers to steer the conversation in order to take advantage of emergent themes and unique aspects of the interviewee (Eisenhardt, 1989). All the interviews were then transcribed and stored in a database.

Data analysis We relied on the guidelines for case-based theory building (Eisenhardt, 1989; Eisenhardt, 1991; Dooley, 2002) and pro- ceeded to analyze the collected empirical data in two phases. First, in the within-case analysis, we focused on identifying theTa

b le

3 C on

tin ue

d

R ef er en ce

C on ce pt ua

liz at io n

R es ea rc h ap pr oa ch

Em pi ri ca lb as is

C on se qu

en ce s

bu si ne ss ,o rg an iz at io na ls tr uc tu re

of re la ti on

sh ip s

D e H ae s an d

V an

G re m be rg en

(2 00 9a ,2 00 9b )

Le ad er sh ip

an d or ga ni za ti on

al st ru ct ur es

an d pr oc es se s

Li te ra tu re

re se ar ch ,p

ilo t ca se

re se ar ch ,d

el ph

ir es ea rc h,

be nc hm

ar k re se ar ch ,e xt re m e ca se

re se ar ch

33 co m pa ni es

of th e

B el gi an

fi na nc ia l

se rv ic es

se ct or

● Im

pr ov ed

bu si ne ss – IT

al ig nm

en t m at ur it y

H ea rt et al .

(2 01 0)

Fr am

ew or k fo r de ci si on

ri gh ts an d

ac co un

ta bi lit ie s

Su rv ey

38 6 em

pl oy ee s of

m ed iu m -s iz ed

to la rg e

Is ra el io

rg an iz at io ns

● In cr ea se d IT -e na bl ed

en te rp ri se

ad ap ta bi lit y

H ua ng

et al .

(2 01 0)

Fr am

ew or k fo r de ci si on

ri gh ts an d

ac co un

ta bi lit ie s

C as e st ud

y T hr ee

or ga ni za ti on

s lo ca te d in

th e m id -w

es t

U SA

● E ffi ci en cy

of IT

us e

● In cr ea se d br ea dt h of

IT us e

La zi c et al .

(2 01 1a ,2 01 1b )

Fr am

ew or k fo r de ci si on

ri gh ts an d

ac co un

ta bi lit ie s

C as e st ud

ie s

19 m aj or

m ul ti na ti on

al co rp or at io ns

● In cr ea se d bu

si ne ss

pe rf or m an ce

th ro ug h IT

re la te dn

es s an d bu

si ne ss

pr oc es s re la te dn

es s

Li an g et al .

(2 01 1)

Fr am

ew or k fo r de ci si on

ri gh ts an d

ac co un

ta bi lit ie s

Su rv ey

33 4 re sp on

se s fr om

16 7

T ai w an es e fi rm

s’ bu

si ne ss an d IT

ex ec ut iv es

● In cr ea se d fi rm

pe rf or m an ce

th ro ug h be tt er

st ra te gi c al ig nm

en t

IT governance success and its impact Buchwald et al. 134

concepts that either contributed to ITG success or caused problems that the companies had to overcome, as well as on the impact that ITG success had on the observed organiza- tions. In order to make this distinction, we explicitly raised questions on ITG success determinants and questions on their impacts to the interviewees and discussed their responses in depth. Second, we carried out a cross-case analysis to search for similarities and differences between the sample organiza- tions. This approach enabled us to identify patterns that could potentially be included in a framework to explain ITG success and its impact. The interviews thus helped us gradually identify the framework’s constituent elements. In order to ensure comparability of our results, we only considered those interviews for our analysis in which the interviewees had, by and large, a shared understanding of ITG. As a result, one interview (#17) had to be excluded from the analysis, as the interviewers’ understanding of ITG was largely centered on operational IT management tasks. Two researchers involved in this study coded the interview transcripts and proceeded in a complementary way. We started our data analysis without a fixed coding scheme; all the data was initially open-coded. Open-coding refers to dividing, compar- ing, forming, and categorizing data into meaningful elements. Thus, we scanned the interview transcripts and the field notes for similarities and differences, and assigned codes to these. Overall, we created 576 codes in this first step. Later, the two researchers reconciled the used codes in four 3-h

discussion sessions by merging analogous codes and resolving conflicting codes, which resulted in 430 codes. During axial coding, the constructs identified in the open-coding process were grouped into synthesizing categories. We then con- densed the codes resulting from the open-coding process to 45 categories.

We illustrate our data analysis process with the following example of how the success determinant top management commitment emerged. The number in brackets indicates the number of distinct interviews to which the codes were assigned. During the open-coding process, we attached the codes ‘IT reports to the board of directors’ (7), ‘CIO is part of the board of directors’ (6), ‘IT awareness by the board of directors’ (9), ‘Top Management Commitment’ (15), and ‘Board of directors provides required resources’ (10), among others, to the transcripts. In the second round of coding, axial coding, the single codes revealed the overarching success determinant to be the top management commitment (15) category. Table 5 provides a summary of excerpts from the codes that were included in exemplary axial categories. In order to derive the propositions in our model, we not only identified constructs in our transcripts, but also marked how these constructs relate to one another. The empirical ground- ing of each proposition is thus provided next to each proposi- tion. We extracted quotes of our interviewees in which they address the relationship between both constructs. The data analysis was conducted using the qualitative data analysis

Table 4 Profile of companies

Number Industry Revenues (billion EUR)

Employees Interviews (interviewees)

Interviewee role(s)

1 Higher education 0.035 500 1 (1) Chief Information Officer 2 Manufacturing 4 21,000 1 (1) Chief Information Officer 3 Stock exchange 100a 300 1 (2) Chief Information Officer, Head of IT Service

Management 4 Financial services 1850b 102,000 2 (3) Head of IT Transformation, Delivery & Program

Manager, Director of Central Program Office 5 Financial services

(IT service provider) 1.4 2800 3 (3) Head of Organization Department, Key Account

Manager, Head of Information Systems Group 6 Automotive 127 435,000 1 (1) Head of Information Systems, Communication &

Governance, Risk and Compliance 7 Chemicals and pharmacy 9 22,000 1 (1) Chief Financial Officer 8 Consulting 0.1 450 1 (1) Chief Information Officer 9 Financial services

(IT service provider) 0.03 70 1 (1) Head of Administration & Controlling

10 Financial services 10b 5000 1 (1) Chief Information Officer 11 Telecommunications 62 247,000 3 (3) Head of HR Demand & Vendor Management,

Head of Program Management & Strategy, Head of Project Management

12 Consumer goods 6 18,000 1 (1) Director of IT Governance 13 Automotive 15 48,000 1 (1) Head of IT Governance & Strategy 14 Aid organization 0.3 8000 1 (1) Chief Information Officer 15 Professional association 0.125 1100 1 (1) Chief Information Officer 16 Chemicals and pharmacy 23 47,000 1 (1) Chief Information Officer 17 Media and publishing 0.07 400 1 (2) Chief Executive Officer, Chief Information Officer 18 Manufacturing 6 24,000 2 (2) Chief Executive Officer, Chief Information Officer 19 Transportation 0.3 3000 1 (1) Chief Information Officer aTrading turnover. bBalance sheet total.

IT governance success and its impact Buchwald et al. 135

software Atlas.ti Version 6.2, which also served as our field study database.

After finishing the data analysis, we distributed our study’s result report, comprising descriptive statistics and the proposed model of ITG success and its impact, to our interviewees. We received feedback from two interviewees (organizations 9 and 12) who were both in favor of our model. One of them (organization 12) pointed out: ‘I highly appreciated the model which is very helpful to me. In my eyes, it portrays the prerequisites for successful IT governance and its value added to an organization very well.’

Empirical findings Delving deep into the data allows for a more in-depth under- standing and traceability of our qualitative research inquiry. In the next four sections, we extensively draw on interviewees’ responses in order to describe the understandings, triggers, problems and challenges, as well as the organizational impact of ITG. In the first section, we synthesize the different under- standings of ITG in previous research and establish our reconciled definition. Furthermore, we highlight the triggers for ITG implementations and their respective problems and challenges in this undertaking in the succeeding section. Finally, the last section describes how ITG impacts the organizations investigated in this study.

Understanding of ITG As mentioned in our foundations section, ITG has become an umbrella term for various aspects both in research and in practice. In other words, the term is still fuzzy, and there are as many definitions for ITG as there are studies in this domain. Previous studies have largely taken their own routes,

without having converged into a cumulative body of knowl- edge. In order to provide clarity on the term ITG, we asked our study’s participants about their understanding of ITG as a first step. The IT manager of a stock exchange commented on the nature of governance using an analogy of the highway: ‘Where we are driving is part of the strategy. Why we are driving this way is also part of the strategy. But why are there crash barriers on the left and right hand side of the road? Why are there road signs? Why do we have to hold up to them? Where am I allowed to accelerate up to 200 km/h? Where am I only allowed to park for one hour? All of that is part of governance!’ Similarly, the IT manager of a tele- communication company summarized: ‘In essence, govern- ance means that I cede certain responsibilities and accept the decisions of others and align my duties according to those guidelines.’

The manager continues his understanding of ITG: ‘With regard to steering the IT organization, from my point of view, IT governance not only involves the steering of single aspects, but the assurance that all parties together are proceeding in the right way. However, this of course implies that the parties can actually be steered!’ An executive of a financial services organization sees ITG as ‘the steering of investments, the alignment of the IT strategy with the business strategy, as well as the deliberate and active steering of complexity.’

Even though the understanding of ITG varies among the interviewees and organizations, almost all of them share the understanding of ITG as the steering of IT within organiza- tions. In this respect, most of the interviewees highlight a holistic approach to the steering of the IT organization. More precisely, ITG should not only cover single aspects (e.g., IT management-related) or some parts of the IT organization, but rather, ITG should comprise all IT aspects

Table 5 Sample categories resulting from axial coding

Category Quantity of category Sample of the code

Success determinant: adequacy of regulations 13 ● Right relationship between latitude and limit ● Practical and compact governance ● Helpful guideline for daily work

Success determinant: top management commitment 15 ● IT reports to the board of directors ● CIO is part of the board of directors ● IT awareness by the board of directors ● Board of directors provides required resources

Success determinant: persuasiveness of communication 10 ● Explain the reasoning behind the ITG process ● Communicate ITG process in work groups ● Set an example for ITG

Goal: increase in transparency 16 ● Increase process transparency ● Increase costs transparency ● Emphasize the added-value of IT

Goal: increase in business/IT alignment 11 ● IT supports the divisions better ● IT is a business enabler ● Sustainable integration of business and IT

Goal: increase in efficiency 15 ● Optimize resource allocation ● Achieve consistent quality standards ● Reap synergy effects

IT governance success and its impact Buchwald et al. 136

and the whole IT organization. Within the steering of the IT organization, the understanding varies according to the interviewees’ different priorities. Specific governance aspects, such as application governance or project governance, are highlighted. In order to achieve their objectives, many inter- viewees determine responsibilities, processes, and structures. Overall and despite the heterogeneous understanding of ITG in theory and practice, the understanding of ITG among the interviewees of this study is quite similar. Accordingly, for the remainder of our study, we adopt this broad and comprehensive understanding of the ITG concept as a holistic approach for steering and strategic controlling the IT organi- zation with the objective of implementing the IT strategy.

Trigger for ITG The interviewees presented a colorful array of reasons why organizations decide to implement ITG. Among many others, the reason most commonly cited is that executives are not satisfied with their ability to steer the IT organization. While this aspect and many others are quite diverse, they essentially stem from the same root. The label that can most appro- priately be attached to this root is increasing complexity. An executive of a stock exchange highlights that IT is increasingly pervasive in businesses and their processes and summarizes: ‘IT has become ubiquitous. All our business divisions involve IT. IT has become so complex. Our core business and all of our core business processes completely depend on and are processed by IT.’ For instance, due to increasing complexity, executives feel that they can no longer steer the IT organiza- tion as well as they could in the past. In other words, ITG is a response to the challenge of increasing complexity by which executives hope to regain their steering ability of the IT organization. The head of HR demand and vendor manage- ment of a telecommunication organization even concludes: ‘We reached a point where the assumption that IT cheapens all processes is no longer necessarily true, but at which IT also possibly increases complexity and costs.’ However, what triggers induce increased complexity, and can subsequently be counter-balanced by ITG? The interviewees’ responses can, by and large, be grouped into two categories: (a) internal triggers and (b) external triggers.

Internal triggers are related to pursuing increasing effi- ciency in the organization, which comprises aspects such as the introduction of end-to-end responsibility and the align- ment of business and IT. The goal of the IT service provider of a financial services organization is to introduce end-to-end responsibility from IT demand management to IT operations, which triggers the introduction of ITG. Earlier on, when the IT service provider was only responsible for providing the software, executives on the client and provider side found that too much efficiency was lost when the involved parties were going back and forth during the software development process. More importantly, the provider not only served a single client, but had to undergo the back and forth with each of the autonomous business divisions during the devel- opment process. Accordingly, in this case, the need to consolidate various autonomous business divisions’ IT opera- tions is part of the quest for end-to-end responsibility. An executive of the IT service provider summarizes: ‘We wanted to exploit synergies by consolidating the development process and IT operations of the business units. We explicitly decided

to set up a preparation project whose goal was to introduce all necessary structures, procedures, and contracts, before we could pursue the actual goal. This preparation triggered the introduction of our IT governance.’

Similar to the trigger of the end-to-end responsibility above, the need to collaborate among multiple organizations trig- gered the introduction of the ITG in a manufacturing organization. In that organization, value creation no longer occurs only within the boundaries of the manufacturing organization, but also by combining skills and capabilities across organizations to build a product. The CIO of the manufacturing organization highlights: ‘This evident pressure to overcome the boundaries triggered the introduction of our IT governance. It enabled us to introduce and combine the required processes, resources, and decision rights. It also helped us make available the required resources for its implementation. If any part of it was missing, the process would have slowed down or even stopped.’

External triggers describe factors whose focus point is outside the organization. The interviewees primarily refer to external pressure to change, which comprises market pressure and, especially in the financial services industry, regulatory pressure. Interviewees in two manufacturing organizations see the internationalization of an organization as a major external trigger for an ITG. Likewise, mergers of organizations, a major change in business segments, or major outsourcing decisions call for an adjusted ITG. Whereas informal communication is often adequate in smaller settings (e.g., organizations with a manageable number of subsidiaries), it often fails in larger or rapidly growing organizations. As the CEO of a manufactur- ing organization sums up: ‘In our increasingly international environment, the “Hey Joe” approach [i.e., informal commu- nication] won’t work any longer. Instead, more formal IT governance needs to be established.’

Another external trigger of ITG is legal regulations. Orga- nizations in the financial industry are forced to implement more and more regulations (e.g., Basel III or Minimal Requirements to Risk Management in Germany). Most of these regulations also have a strong influence on organiza- tions’ IT. In the case of an IT service provider in the financial industry, those regulations have had a significant impact on its operations. Auditors increasingly demand and examine exten- sive documentation (e.g., processes, structures, or responsibil- ities). The executive of the organization summarizes the following: ‘Our IT governance has been and is constantly propelled by legal regulations.’

Implementation of ITG In their quest to implement and further develop ITG, organi- zations are confronted with a set of diverse problems and challenges. The interviewees point out that the most salient issue on this journey is the delineation of responsibilities. This problem is twofold and comprises the delineation of respon- sibilities within the IT organization, as well as between the IT organization and the business divisions. The first aspect refers to the question as to how centralized or decentralized the management of IT should be. For instance, to what extent should the centrally managed ITG prescribe IT processes to its subsidiaries, or should IT operations be regulated? When considering those questions during the implementation of ITG, interviewees stress the importance of comprehensible

IT governance success and its impact Buchwald et al. 137

and adequate regulations. While the degree of centrality of IT is clearly an issue that is internal to the IT department, the second part concerns the delineation of responsibilities between the IT department and the divisions of the organiza- tion. Aspects related to this tension are, for instance, whether IT and divisions meet on a level playing field, whether IT is closely integrated into the demand management process of the divisions, whether IT is perceived as a business-enabler or as a necessary evil, or whether IT has the power of veto in case of divisional demands that would turn the existing architec- ture upside-down. An executive of a large telecommunication company argues: ‘IT governance implies that the IT depart- ment has the power of veto in case divisions want to implement IT systems, which may be beneficial from a local divisional perspective but which are not compliant with the overarching architecture. In this case, our task is to say “no” and make suggestions for how the proposed IT systems can be aligned with the overarching architecture.’ This comment highlights the attitude that most interviewees see as crucial when implementing ITG: it is not enough to reject business initiatives in the case of misalignment, but to be business- oriented and to provide constructive suggestions on how the IT and business perspective can be combined.

In addition to the delineation of responsibilities, intervie- wees point out the importance of increasing all business divisions’ commitment to the ITG. For the time being, according to the interviewees, the majority of employees in organizations generally consider ITG restricting, inconveni- ent, and not useful. Employees often find it hard to grasp the added value associated with ITG in the first place. Similarly, interviewees emphasize that heads of business divisions, who are depicted by the term ‘principalities,’ are also likely to play their own game. Especially in situations where a business division has had immediate or privileged access to IT in the past that would be put at risk due to the upcoming ITG or a business division is financially indepen- dent of the central organization, commitment to the ITG was particularly cumbersome to achieve. The ITG director of a consumer goods organization argues: ‘The change in accountabilities may not be beneficial from a local point of view, but is absolutely beneficial in terms of the big picture. This main problem involves the acceptance of IT governance. The major challenge is to address every job role concerned and convince employees that it is necessary to cede certain respon- sibilities while, simultaneously, conveying that this path is the best for the organization. This has been the major challenge so far and still leads to resistance and dissatisfaction.’ Sum- marizing the remarks above, interviewees stress the right breadth and depth of ITG, as well as intensive communica- tion of ITG in work groups in order to ensure different business divisions’ commitment to ITG and overcome the resistance to change.

Interviewees consider missing resources, including person- nel and budget resources, another major obstacle to the implementation of ITG. In terms of personnel, qualified resources are required that design, reconcile, and implement ITG in the organization. Such qualified resources are not available in some of the organizations investigated in this study. More specifically, IT personnel in these organizations primarily consist of employees who have focused on tradi- tional IT operations. These employees who were used to set up and implement systems themselves would need to adopt

a steering role and are usually not experienced in the ITG components, which is why interviewees often needed to recruit qualified personnel for this task. This point touches on the second aspect that the interviewees highlight: the implementation of ITG also needs financial resources. The IT director of a financial services organization’s IT service provider made the following point: ‘IT governance costs money. You cannot do IT governance on Friday afternoons while preparing for the weekend. You need dedicated people.’

Organizational impact of ITG At the beginning of the ITG’s implementation, many inter- viewees admitted that they experienced resistance to the project. The more privileges and traditional customs were at risk, the more visible and nonvisible influences there are on ITG. Especially in organizations in which IT has grown organically over decades in each of the business divisions, which are almost isolated from one another, strong efforts were made to preserve the status quo. The CFO of a large chemical company highlights: ‘Our business divisions are independent; they have their own profit/loss statements. It even took ages for the mere idea of establishing a centrally- managed division [the IT governance group] to not be out- right rejected.’ In contrast, other interviewees state that in newly established subsidiaries, for which no risks are at stake, standards, such as ITG, are much easier to establish and maintain. The process executive of a large automotive com- pany points out: ‘We were fortunate in that we did not have to change an established organization but could start from scratch with our standards in new sites in India, Russia, and the USA. In such greenfield projects, it is much easier to establish standards. We only had to prove that our standards work out. In existing sites, however, you face significant resistance towards changing the traditional approach.’

Interviewees point out that, over time, the ITG implemen- tation has helped the organization shift the IT organization’s role so that it focuses more on consulting and enabling. Particularly due to the improved alignment of business and IT, as well as the increased business orientation of the IT organization, the perception of business divisions regarding the IT organization has significantly improved. An executive of a large communication organization summarizes: ‘The IT organization takes a leap from a simple assistant role in business processes towards a consulting role in the business on a level playing field, in which the IT influences the business.’ Interviewees from other organizations acknowledge a similar trend. The head of ITG and strategy at an automotive orga- nization comments: ‘Of course, our core value added is not IT. However, we now acknowledge how much IT supports business divisions by helping them reduce costs, and increase flexibility and transparency. In the past, the IT organization was perceived as a group of grubby kids, which only caused costs. These days, however, the perception is completely different, and the importance and the enabler role of the IT organization are acknowledged across our business divisions. Now, each business division strives for a high IT budget and more IT personnel to enable its business.’ As the role of the IT organization has changed in the context of ITG implemen- tation, the IT organization is perceived as a service provider, and the added value of the IT organization is increasingly appreciated by business divisions.

IT governance success and its impact Buchwald et al. 138

Model development In this section, we synthetize the empirical findings from the 25 interviews we undertook for our study of antecedents of ITG success and its impact on business. We define and describe the identified constructs and conclude this section by making propositions for how the constructs are interrelated and how they contribute to or result from successful ITG.

First, we define ITG success as the extent to which a clearly defined and transparent set of structures, processes, and standards exists that is accepted throughout the organization and integrated into the daily work routines. This triad of ITG success thus includes the implementation of ITG, its adoption by the company, and, finally, its diffusion throughout the company. This definition implies that the governance regime’s steering and controlling processes are clearly communicated to the IT staff, so that they are well understood and obeyed. The documentation of the ITG regime is complete, up to date, and actively distributed to all relevant parties. IT managers are trained and exercise their accountabilities. As far as governance processes are relevant to the business they are also considered during business changes. A dedicated IS may support the steering and controlling processes. Moreover, these processes are subject to regular self-performed assess- ments to ensure compliant behavior. Thus, this understanding corresponds to the enterprise-wide maturity level of ITG performance proposed by the ITGI (2007) and adopted by Lee et al. (2008a, 2008 b). The analysis of our empirical data reveals that successful ITG is determined by the comprehen- sibility and adequacy of the regulations, the understanding of the IT value chain, the level of top management commit- ment, the persuasiveness of the communication, as well as IT’s business orientation.

One of the major factors for successful ITG is comprehen- sible regulations. The construct comprehensibility of regula- tions is defined as the extent to which the internal regulations defined by the ITG are clear, simple, and consistent, and thus understandable to the whole organization. This construct is supported by Weill (2004), who argues that governance arrangements also need to be simple in order to be successful. Lee et al. (2008b) have a similar focus and highlight the need for clear ITG processes. In terms of empirical evidence, this construct and its relationship to ITG success is supported by 15 organizations (1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 13, 14, 15, 18, and 19). When analyzing the cases of this study, we find that regulations need to be tailored to the specific organiza- tion, need to be pragmatic, and need to be meaningful. An executive of a financial services organization stated: ‘IT gov- ernance needs to be structured in such a way that it is pragmatic and does not appear as a large elephant but in small bites that can be both easily digested by and well explained to the organization.’ Similarly, an executive of another financial services organization highlights: ‘One of the most important success factors is to not be wooed by the fad of a vast number of KPIs, but to focus on the ones relevant for steering, which are usually still quite abundant. If in doubt, everything can be measured according to its KPIs, but then, IT governance will not be successful. Also, you have to have the guts to abandon service reports that were implemented once but are no longer needed.’ Elaborating on the latter aspect, some interviewees also point out that top management needs to take action based on aggregated KPIs of the ITG. If top management does not

show commitment to act based on them, rather ignores them, or does not want to discuss the relevant numbers with the people in charge of the KPIs, those people will at some point stop paying or at least pay less attention to measuring the KPIs. Accordingly, we propose:

Proposition 1: The greater the comprehensibility of ITG regulations, the greater the ITG success.

In addition to the comprehensibility of regulations, the adequacy of regulations refers to the extent to which ITG is designed to support the efficient steering and controlling of the IT organization. This includes three constituent character- istics of the governance regime. First, ITG offers a balance between binding regulations and freedom of action, which prevents the demotivation of employees and leads to a higher degree of acceptance and adherence during daily work. Second, the ITG regime has to be detailed enough so that individuals understand how it impacts their work environ- ment and act accordingly. Third, the governance only com- prises those structures, processes, and relational mechanisms that serve controlling and steering purposes. This implies that overly complex and bureaucratic approaches should be avoided to keep costs down and reduce the administrative burden. While the construct of adequacy and its relationship to ITG success has, to the best of our knowledge, not been discussed in previous ITG literature, it is strongly supported by empirical evidence from 13 organizations (1, 2, 3, 4, 5, 9, 10, 11, 12, 13, 16, 18, and 19). One executive reports: ‘I discarded the existing [IT governance] document on my second day of work and made them delete everything related to it. It was not useful at all! IT governance’s objective is to provide a guideline that supports employees in their daily work; not one that becomes dusty on the shelf of bureaucracy.’ Similarly, almost every interviewee mentioned the right depth of regulation. The head of an IT service provider in the financial services industry argues: ‘It is important to stop imposing regulations at a certain point by saying “this is our IT governance, and it covers aspects up to this point. From this point onwards, there is a black box in which the IT department can decide on its own how to achieve objectives.” It is important to not regulate every single detail and impose procedures, but to deliberately leave some latitude.’ The IT executive of a stock exchange proceeds in a similar way, also highlighting the importance of decisions: ‘Everyone wants to steer the IT organization. However, if 27 bodies and 25 people from business divisions want to voice their opinion on whether or not to invest, the steering is turned upside-down. A major success factor is therefore the right depth of regulation such that sufficient flexibility is maintained but that business divisions think that business and IT are aligned. At my previous employer, a bank, IT decisions were very strained. Every single business division wants to have a voice and the governance structure allows for this. Accordingly, there are bodies, bodies, and bodies, but no decisions are made!’ Accordingly, we propose:

Proposition 2: The greater the adequacy of the ITG regulations, the greater the ITG success.

In addition to the adequacy of the regulations, the construct understanding of the IT value chain refers to the extent to which the process of the IT value generation is understood in the IT organization. Empirical evidence from seven organiza- tions (3, 4, 5, 6, 11, 14, and 18) supports this construct and its

IT governance success and its impact Buchwald et al. 139

relationship to ITG success. The CIO of an Aid organization provides the following example: ‘Assume a production line on which the C-Model [car type] is assembled. No board member comes up with the idea to say “The C-Model is nice but I would like the rear part of the car to look like the A-Model, the center should remain that of the C-Model, but the front part should look like the S-Model.” Everybody knows that this is just nonsense. If this is to be achieved, a new development cycle needs to be triggered and a completely new car needs to be built. This is quite similar to IT.’ As the quote highlights, the processes how IT value is generated in an organization need to be well understood, which involves the awareness of the IT processes with its respective predecessors and successors. An in-depth understanding of the IT value chain is necessary in order to define appropriate structures, processes, and relational mechanisms that are aligned to the value generation processes of the IT organization. Accord- ingly, we propose:

Proposition 3: The higher the understanding of the IT value chain, the greater the ITG success.

Next to the understanding of the IT value chain, top management commitment is seen as a major success factor for the introduction of ITG. The construct top management commitment refers to the extent to which top management promotes the ITG activities by means of steering, commu- nicating, providing resources, and advising. Many prior studies have highlighted top management commitment. For instance, Lee et al. (2008a) considers a lack of various senior and top management commitment factors inhibiting to successful ITG. Similarly, Nfuka and Rusu (2011) list the involvement and support of senior management as a critical success factor for ITG. Overall, empirical evidence from 15 organizations (1, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, and 19) support this construct and its relationship to ITG success. In many cases, interviewees pointed out the need for both budget and personnel resources when attempt- ing to implement ITG. Even though we expect it would not come as a surprise to most people, this success factor is particularly salient among the interviewees. In order to oppose an often-heard claim by management that ITG could simply be conducted within the IT organization along with daily work, the head of administration and controlling of a financial services organization’s IT service provider argues: ‘The major failure factor of management is just to say “These should be our new structures, these should be our new processes,” without committing the necessary budgets for the implementation.’ This highlights the necessity for ITG processes and general conditions to be defined and equipped with sufficient resources. Similarly, the CIO of a manufacturing organization concludes: ‘IT governance implies getting one’s chequebook out from the beginning, which is hampering the progress towards IT governance in our case and probably in many others as well. The reason why organizations refrain from the investment is that IT is running − somehow.’

Furthermore, top management commitment not only refers to the senior executives, but also to the operative management who has to advocate the introduction of ITG and enforce its application on an ongoing basis. Similarly, interviewees find it helpful if there is a single person (champion) who constantly promotes the topic. The project manager of a financial services

organization points out: ‘IT governance has to be sufficiently supported by top management. Otherwise, everyone who is being steered will work against it.’ Similarly, the CIO of an automotive organization concludes: ‘It is completely useless to attempt to introduce IT governance if there is no management commitment. If superiors do not champion IT governance, you better refrain from trying to introduce it, since it is only stressful and exhausting for everyone – for the one who attempts to introduce it and for the ones who are somehow concerned by it.’ Accordingly, we propose:

Proposition 4: The greater the top management commit- ment, the greater the ITG success.

The next success factor to ITG is persuasiveness of commu- nication. The construct refers to the extent to which the IT management has the necessary persuasiveness to establish ITG throughout the organization. Similarly, Lee et al. (2008a) highlight the need for communication in their summarized framework. Overall, this construct and its relationship to ITG success is supported by empirical evidence from 10 organizations (3, 4, 5, 6, 9, 11, 12, 13, 14, and 18). The adequacy of ITG has to be communicated to all employees. They need to understand its components and the interplay between them. In order to achieve this objective, different routes may be taken. For instance, the CEO of a manufactur- ing organization points out the importance of persuasion: ‘Even though I have the backing of the board of directors, I need to do a lot of persuading in the field. Even though formal reporting structures may sometimes be helpful, I am convinced that, at the end of the day, working with human beings is all about convincing and aligning them. If you only achieve it by drawing on formal reporting structures, escala- tions, or commands, it will not be successful for long.’ She continues: ‘I always attempted to closely integrate the business divisions by forming work groups. By forming such bodies, people can be better aligned and more readily convinced. There is a simple rule of thumb: If somebody does not gain acceptance in such a body, it is most likely an inferior solution. As soon as everyone acknowledges this, it is much easier to make an effort to return to the factual level to proceed.’ Accordingly, we propose:

Proposition 5: The greater the persuasiveness of commu- nication, the greater the ITG success.

IT’s business orientation refers to the extent to which the IT organization (and its employees) has the necessary skills and attitudes to adequately support the business function and act as business enablers. Nfuka and Rusu (2011) describe a similar aspect when they propose to encourage and support IT/business communication and partnership. This construct and its relationship to ITG success is supported by empirical evidence from eight organizations (4, 6, 7, 9, 11, 12, 18, and 19). Many interviewees highlight that IT organizations increasingly strip off the role of the ivory tower and develop toward the role of a business enabler. The executive of an IT service provider in the financial services industry comments: ‘When I took over responsibility for the IT organization, it primarily had a support function in the organization. From that point onwards, we changed it step-by-step into a consult- ing role that helps develop the organization.’ The ITG director of a consumer goods organization explains the goal of the transformation process in more detail: ‘We have to recognize

IT governance success and its impact Buchwald et al. 140

IT demands in business processes and translate those still- unstructured IT demands from business divisions into clear- cut and appropriate projects. Part of this process is to challenge those demands and thus provide consulting as to where the business may go and how IT can support the path these days.’ Accordingly, we propose:

Proposition 6: The greater the IT’s business orientation, the greater the ITG success.

Next, we describe and define the consequences of ITG success. This involves the alignment of business and IT activities, the transparency of IT costs, the transparency of IT services, the strategic controllability of IT, IT efficiency, IT effectiveness, IT risk mitigation, the facilitation of IT compli- ance, the transformational readiness of IT, and ITG success’s overall business impact.

The first consequence alignment of business and IT activities refers to the extent to which the IT activities directly or indirectly aim to satisfy business needs. By implementing a clearly defined and transparent set of structures, processes, and standards that are accepted throughout the organization and integrated into daily work routines, interviewees no longer consider business and IT to operate next to each other. Instead, they coordinate and align their goals and operations. Previous research has also pointed out that ITG success leads to a better alignment of business and IT. For instance, Guldentops (2004) also stresses the integration of business and IT activities in strategy and operations. In the same vein, empirical evidence from 10 organizations (1, 2, 3, 4, 5, 7, 8, 10, 12, and 16) in our study also confirms this consequence. Therefore, we propose:

Proposition 7: The greater the ITG success, the greater the alignment of the business and IT goals.

A second and third consequence of successful ITG is the transparency of IT costs and the transparency of IT services. Both refer to the extent to which the IT costs and the IT service portfolio are transparent. By establishing a clearly defined and transparent set of structures, processes, and standards, interviewees state that they gain transparency into the IT services offered and the overall IT costs. Interviewees highlight that, as IT has grown organically, it is often not only located in and provided by the IT organization, but is to some extent distributed among business divisions. Accordingly, knowledge about available and offered IT services is fragmen- ted. Therefore, reliable IT costs cannot be calculated. Both challenges are commonly solved by the organizations in their ITG implementations, which is why they achieve transparency into IT costs and IT services. Empirical evidence from 10 organizations (1, 4, 5, 6, 9, 10, 11, 13, 14, and 18) also strongly supports these propositions. For instance, an executive of a financial services organization states: ‘When we established our IT governance, we had two objectives in mind: to achieve transparency regarding the services’ costs and to ensure that IT no longer acted in almost complete isolation from our divisions.’ Accordingly, we propose:

Proposition 8: The greater the ITG success, the greater the transparency of the IT costs.

Proposition 9: The greater the ITG success, the greater the transparency of the IT services.

As a result of the alignment of business and IT goals, the transparency of the IT costs, and the transparency of IT services, the IT organization can be steered. The strategic controllability of IT refers to the extent to which the IT management has the information required to assess the strategic situation of the IT organization in order to improve its positioning. This allows for goal-oriented decision making within and the steering of the IT organization.

The alignment of business and IT activities helps close the gap between business and IT by increasing mutual understanding, fostering trust, and thus promoting more target-oriented results of IT. In other words, available IT resources are preferably to be assigned to and aligned with business needs. On the basis of this alignment, decisions on business initiatives impact the IT organization more directly, which increases the strategic controllability of IT. Empirical evidence from eight organizations (2, 3, 4, 5, 7, 10, 12, and 16) supports this proposition.

Proposition 10: The greater the alignment of the business and IT goals, the greater the strategic IT controllability.

By achieving transparency of IT costs and IT services, organizations’ management knows which IT services are actually provided to the business divisions as well as the cost of each of the IT services. On the basis of this transparency, meaningful decisions can be derived, which, in turn, allows management to steer the IT organization. Empirical evidence from 13 organizations (1, 2, 3, 4, 5, 6, 9, 10, 11, 13, 14, 18, and 19) supports these propositions.

Proposition 11: The greater the transparency of the IT costs, the greater the strategic IT controllability.

Proposition 12: The greater the transparency of the IT services, the greater the strategic IT controllability.

One of the results of strategic IT controllability is the efficiency of IT. The construct IT efficiency refers to the extent to which IT is able to deliver IT services quickly and cost-efficiently. Empirical evidence from 13 organizations (2, 4, 5, 7, 9, 10, 11, 12, 13, 14, 15, 16, and 18) supports this proposition. As with efficiency, the strategic controllability of IT also results in IT effectiveness. IT effectiveness refers to the extent to which IT delivers the right services to the organization in order to create value for the business. On the basis of the strategic controllability of the IT organization, which implies both the alignment of business and IT activi- ties and the transparency of IT costs and services, IT manage- ment can employ IT resources according to business needs to provide the IT services required. This leads to effective IT utilization or IT effectiveness. Empirical evidence from 10 organizations (2, 3, 4, 5, 7, 11, 12, 13, 16, and 18) supports this proposition. The head of the organization department of a financial services organization’s IT service provider highlights: ‘Both transparency and business–IT alignment are not ends in themselves, but means to achieve and/ or improve the steering. Steering, in turn, is a means to achieve economic benefits, while the overall goal is to better assign and direct our limited resources.’ Accordingly, we propose:

Proposition 13: The greater the strategic IT controllability, the greater the IT efficiency.

IT governance success and its impact Buchwald et al. 141

Proposition 14: The greater the strategic IT controllability, the greater the IT effectiveness.

In addition to the IT efficiency and IT effectiveness consequences of strategic IT controllability, interviewees also point out IT risk mitigation, which refers to the extent to which IT is able to mitigate IT risks. Lee et al. (2008b) also stresses that ITG is a means for organizations to mitigate their IT risks because vulnerability to IT failures is decreased. The more controllable the IT organization (for instance, by having clear, transparent, and established structures and processes), the better IT risks can be addressed and thus mitigated. In turn, in organizations in which IT has developed over years without ITG (where there are no clear, transparent, or established structures and processes), interviewees hold that IT risks cannot be comprehensively addressed and thus not mitigated. This consequence of strategic IT controllability is especially highlighted in the five financial services organiza- tions (organizations 2, 4, 6, 10, and 18), which supports this proposition. Accordingly, we propose:

Proposition 15: The greater the strategic IT controllability, the greater the IT risk mitigation.

Similar to IT risks, interviewees describe IT compliance as another consequence of the strategic controllability of an IT organization. IT compliance refers to the extent to which IT is able to facilitate compliance with legal and regulatory require- ments. Lee et al. (2008b) also highlight IT compliance as one of the objectives that organizations tried to achieve by implementing ITG. Financial services organizations, in parti- cular, are continuously exposed to governmental regulations. Interviewees hold that, without the strategic IT controllability, such regulations would be extremely difficult to obey and that the consequence of noncompliance would be severe. Empirical evidence from five organizations (2, 4, 6, 10, and 18) supports this proposition. The CIO of a manufacturing organization puts it in nutshell: ‘Compliance is of significance to us, even though we are not yet very good at it. The better IT governance is understood and practiced throughout the entire organization, the more likely we are to be compliant, which would in turn be good for the firm’s standing.’ Accordingly, we propose:

Proposition 16: The greater the strategic IT controllability, the greater the IT compliance.

The final consequence of the strategic IT controllability is the transformational readiness of IT. It refers to the extent to which the IT organization is able to adopt new strategic objectives. These strategic objectives may involve a merger of IT organizations or the decision to significantly change the way in which IT services are being sourced. While the construct transformational readiness of IT has, to the best of our knowledge, not yet been discussed in research on ITG, its proposition is empirically supported in three organi- zations (11, 16, and 18). An interviewee from the telecommu- nication organization concludes: ‘The ability to steer an organization ensures in case of a merger of two organizations or the acquisition of another organization that the IT services of the target organization can be more easily integrated. The process is much more efficient, since the IT governance provides a point of reference in which the third party will be integrated. Otherwise, the question in which direction the

two organizations should be heading will be raised all over again with every merger or acquisition.’ Accordingly, we propose:

Proposition 17: The greater the strategic IT controllability, the greater the transformational readiness of IT.

The chain of the ITG impact finally concludes with business impact. Business impact refers to the extent to which IT has a positive effect on corporate performance. The interviewees highlight that the efficiency of the IT organization is closely related to a positive business impact. In other words, the more efficiently the IT organization achieves its goals with the available resources in an economic and optimized manner, the better the business impact will be. The CIO of a chemical and pharmaceutical organization comments: ‘By practicing advanced IT governance, we strive to become […] more efficient, and, thus, better support our divisions.’ Empirical evidence from 11 organizations (4, 5, 7, 9, 10, 11, 12, 14, 15, 16, and 18) supports the following proposition:

Proposition 18: The greater the IT efficiency, the greater the business impact.

Moreover, interviewees point out the positive relationship between IT effectiveness and business impact. The better the IT organization provides the appropriate services to the organization, the more the organization can benefit from those services. Empirical evidence from eight organizations (3, 4, 5, 7, 11, 12, 16, and 18) supports this relationship. Therefore, we propose:

Proposition 19: The greater the IT effectiveness, the greater the business impact.

IT risk mitigation also results in a positive business impact. Interviewees summarize that IT risk mitigation often implies some short-term expenses, but saves the organization signifi- cant amounts in the mid and long term. Empirical evidence from five organizations (2, 4, 14, 16, and 18) supports this proposition. The CIO of a chemical and pharmaceutical organization provides an insight into his own organization: ‘When I started my current position, some of our business divisions used and relied on applications on ancient IT systems. Those IT systems were mission-critical, and their failure was seriously anticipated every day. Accordingly, spare parts had to be bought on a major global online marketplace since they were beyond their lifecycle and official vendors no longer stocked them. The business divisions only focused on their short-term profits, did not invest in IT, and just ignored this significant IT risk. Thereby, they increased the risk to regular business operations to such an extent that I immedi- ately had to take corrective measures.’ Accordingly, we propose:

Proposition 20: The greater the IT risk mitigation, the greater the business impact.

The second last proposition concerns IT compliance. In the investigated organizations, the IT organization is required to facilitate compliance with legal and regulatory requirements. Noncompliance with those regulations not only involves a significant financial risk, but sometimes also a major threat to the company’s continued existence. Empirical evidence from

IT governance success and its impact Buchwald et al. 142

Table 6 Constructs and their description

Construct Description

Comprehensibility of regulations

Extent to which the regulations defined by the ITG are clear, simple, and consistent, and thus understandable to the whole organization

Adequacy of regulations Extent to which ITG is designed to support the efficient steering and controlling of the IT organization

Understanding of the IT value chain

Extent to which the process of the IT value generation is understood in the IT organization

Top management commitment

Extent to which top management promotes the ITG activities by means of steering, communicating, providing resources, and advising

Persuasiveness of communication

Extent to which the IT management has the necessary persuasiveness to establish ITG throughout the organization

IT’s business orientation Extent to which the IT organization (and its employees) has the necessary skills and attitudes to adequately support the business function and act as business enablers

ITG success Extent to which a clearly defined and transparent set of structures, processes, and standards exists that is accepted throughout the organization and integrated into the daily work routines

Alignment of business and IT activities

Extent to which the IT activities directly or indirectly aim to satisfy business needs

Transparency of IT costs Extent to which the IT costs are transparent to the whole organization Transparency of IT services Extent to which the IT service portfolio is transparent to the whole organization Strategic controllability of IT Extent to which the IT management has the information required to assess the strategic situation

of the IT organization in order to improve its positioning IT efficiency Extent to which IT is able to deliver IT service quickly and cost-efficiently IT effectiveness Extent to which IT delivers the right services to the organization in order to create value for the

business IT risk mitigation Extent to which IT is able to mitigate IT risks IT compliance Extent to which IT is able to facilitate compliance with legal and regulatory requirements Transformational readiness of IT

Extent to which the IT organization is able to adopt new strategic objectives

Business impact Extent to which IT has a positive effect on corporate performance

Adequacy of Regulations

Understanding of the IT value

chain

Persuasiveness of

Communication

Top Management Commitment

Comprehen- sibility of

Regulations

IT’s Business Orientation

IT Governance Success

Alignment of Business and IT

Activities

Transparency of IT Services

Strategic Controllability

of IT

IT Risk Mitigation

IT Effectiveness

IT Efficiency

Business Impact

IT Governance Success

IT Governance Impact

Transparency of IT Costs

IT Compliance

Transformational Readiness

of IT

Figure 1Model of ITG success and its impact.

IT governance success and its impact Buchwald et al. 143

five organizations (2, 4, 14, 16, and 18) supports this proposi- tion. Thus, we propose:

Proposition 21: The greater the IT compliance, the greater the business impact.

The last proposition concerns the link between the trans- formational readiness of IT and business value. The better an IT organization is prepared for a transformation, the less the management is constrained in its strategic decision-making process and the more strategic decision-making alternatives it has available. Multiple options allow the management to opt for the best strategic alternative, which results in the highest business value possible. Empirical evidence from three orga- nizations (11, 16, and 18) supports this proposition. Inter- viewees highlight: ‘The objective of our IT governance is to prepare the IT organization for the challenges ahead and for acquisitions in the time to come. This way, we have target architectures available in which acquired organizations are integrated.’ Thus, we propose:

Proposition 22: The greater the transformational readiness of IT, the greater the business impact.

The introduced constructs (summarized in Table 6) and propositions based on the 25 interviews of our study are synthesized into an ITG model that portrays both antecedents of ITG success and its impact on the business. More precisely, we propose a model that describes how the various observed constructs are interrelated and how they contribute to or result from successful ITG (Figure 1).

Discussion and conclusion This study was carried out as an integral part of an ongoing research program to understand how ITG helps organizations handle the growing complexity of managing corporate IT departments in the context of an increasing business orienta- tion. We consequently set out to identify the factors that influence and result from successful ITG and to understand how knowledge of these factors can be translated into a model for explaining ITG success and its impact. On the one hand, our results advance the theoretical discourse on ITG. On the other hand, practitioners will benefit from this model, because it enables them by drawing on the ITG success determinants that we propose in our model to better set up and develop ITG, as well as to understand and promote its potential impact. We explicitly address ITG from an end-to-end perspective, that means starting with ITG success determinants and their subsequent impact, in order to provide practitioners with a holistic view on ITG. We subsequently discuss both our practical and research contributions and show how each of them contributes to achieving a more effective IS organization, which ultimately leads to real business value.

In terms of managerial implications, we find that most IT decision makers in our study recognize ITG’s potential and importance for the future development of their IT organizations. However, most of them also acknowledge that the status quo of the implementation is retrogressing. Accordingly, we suggest increasing the relative importance of ITG by showing active management support. This involves empowering and cham- pioning the ITG implementation project as well as continuously ensuring sufficient resources. This requires a sufficient budget

and competent people, since ITG, as one interviewee puts it, cannot be developed and implemented ‘on Friday afternoons.’

Second, managers should proactively strive to achieve the commitment of their business divisions. As our interviewees point out, insufficient commitment is likely to become a showstopper, especially if the business divisions are rather autonomous in the overall hierarchy. To overcome this chal- lenge, interviewees were particularly successful at starting work groups in which they discuss the appropriate depth and breadth of ITG’s scope. By choosing this approach, managers are found to be more likely to avoid the ‘not-invented-here’ syndrome. We discovered that, in such work groups, it is much easier to convey the reasons why, for instance, the IT personnel next door should not be directly approached (e.g., for implementing new IS functionality), but why an intermediary (ITG) is beneficial to the overall organization in the long run.

As a third implication, managers should work toward changing business divisions’ perception of the IT organization to that of a business-enabler. By and large, the interviewees in our study describe that their IT organizations used to be perceived as a group of narrowly focused IT specialists in an ivory tower, which changed in the course of the ITG imple- mentation in a sustainable manner. In other words, if applied with good judgment, managers may benefit from the oppor- tunity to implement a successful ITG whose consequences, as our model illustrates, will result in increased business value.

Our investigation also contributes to research in multiple ways. While previous studies have investigated individual aspects of ITG success and its impact, none have combined these factors into a comprehensive and integrated model that would lead to a more complete understanding of the ITG concept. Therefore, we empirically investigated relevant fac- tors that influence and result from successful ITG. Part of this undertaking was to reconciliate the different notions of and fragmented research on ITG.

Our research identified several constructs and relationships that are strongly supported by empirical evidence, three of which previous research – to our knowledge – has not investigated. Specifically, we identified two new constructs, namely, the adequacy of regulations and the understanding of the IT value chain, as two major antecedents of successful ITG. Even though the idea of adequate regulations is popular in other streams of research (conceptualized as the degree of organizational leeway or empowerment; e.g., Psoinos et al., 2000), the construct has not received the attention in research on ITG, which the strong empirical grounding of this construct in our study suggests. We therefore propose including this construct in future research on ITG. Second, we found the understanding of the IT value chain to be an additional important success determinant for successful ITG. It involves that the IT organization is aware how the IT processes with its respective predecessors and successors engage with one another. As a result, a meaningful ITG can be defined which is in accordance with the value chain of the IT organization.

Finally, we discovered an innovative impact of ITG, namely, the transformational readiness of IT. This impact describes how ITG improves the transformational readiness of IT organizations. Structures, processes, and procedures are not only available, but actively support the transformation of the IT organization toward the new strategic objectives. ITG provides a reference framework that can be leveraged for

IT governance success and its impact Buchwald et al. 144

business value, for instance in case of mergers or acquisitions. While there is research on IT transformation itself (e.g., Möller et al., 2011), it has not yet been discovered and discussed as a consequence of ITG, which is why we suggest including it in future research endeavors. Before discussing suggestions for future research, we acknowledge a few limita- tions. The generalizability of our results is limited due to the qualitative approach based on convenience sampling. How- ever, despite the variation in the interviewees’ companies, we did find stable elements and relationships. While acknowl- edging that our results must be tested on a larger sample, we believe that the model developed is a promising basis for future research on the success and impact of ITG.

Future research activities should comprise the testing of our inductive propositions by means of a large-scale quantitative study that includes structural equation modeling (Straub et al., 2004; Urbach and Ahlemann, 2010). While we recognize the substantial work that remains to be done in the context of operationalizing our constructs and collecting survey data, testing our propositions will produce a deeper understanding of how the various concepts relate to one another in an integrated model of ITG success and its impact.

Acknowledgements We thank the Institute for Research on Information Systems at EBS Business School and the CIO & Project Advisory competence center of Horváth & Partners Management Consultants for supporting the empirical study presented in this paper.

References

Ali, S. and Green, P. (2005). Determinants of Effective Information Technology Governance: A study of IT intensity, in Proceedings of the International IT Governance Conference; Auckland, New Zealand.

Ali, S. and Green, P. (2007). IT Governance Mechanisms in Public Sector Organisations: An Australian context, Journal of Global Information Management 15(4): 41–63.

Benbasat, I., Goldstein, D. and Mead, M. (1987). The Case Research Strategy in Studies of Information Systems, MIS Quarterly 11(3): 369–386.

Bowen, P.L., Cheung, M.-Y.D. and Rohde, F.H. (2007). Enhancing IT Governance Practices: A model and case study of an organization’s efforts, International Journal of Accounting Information Systems 8(3): 191–221.

Brown, A.E. and Grant, G.G. (2005). Framing the Frameworks: A review of IT governance research, Communications of the AIS 15: 696–712.

Brown, C.V. (1997). Examining the Emergence of Hybrid IS Governance Solutions: Evidence from a single case site, Information Systems Research 8(1): 69–95.

Buckby, S., Best, P. and Stewart, J. (2008). The Current State of Information Technology Governance Literature, in A. Cater-Steel (ed.) Information Technology Governance and Service Management Frameworks and Adaptations, Hershey, PA: Idea Group Publishing, pp. 1–43.

Cubeles-Márquez, A. (2008). IT Project Portfolio Management – The strategic vision of IT projects, European Journal for the Informatics Professional 9(1): 31–36.

De Haes, S. and Van Grembergen, W. (2008). An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research, Communications of AIS 2008(2): 443–458.

De Haes, S. and Van Grembergen, W. (2009a). An Exploratory Study into IT Governance Implementations and Its Impact on Business/IT Alignment, Information Systems Management 26(1): 123–137.

De Haes, S. and Van Grembergen, W. (2009b). Exploring the Relationship between IT Governance Practices and Business/IT Alignment through Extreme Case Analysis in Belgian Mid-to-Large Size Financial Enterprises, Journal of Enterprise Information Management 22(5): 615–637.

Dooley, L.M. (2002). Case Study Research and Theory Building, Advances in Developing Human Resource 4(3): 335–354.

Eisenhardt, K.M. (1989). Building Theories from Case Study Research, Academy of Management Review 14(4): 532–550.

Eisenhardt, K.M. (1991). Better Stories and Better Constructs: The case for rigor and comparative logic, Academy of Management Review 16(3): 620–627.

Fröhlich, M., Glasner, K., Goeken, M. and Johannsen, W. (2007). Sichten Der IT-Governance, IT-Governance 1(1): 3–8.

Garrity, J. (1963). Top Management and Computer Profits, Harvard Business Review 41(4): 6–174.

Guldentops, E. (2004). Key Success Factors for Implementing IT Governance: Let’s not wait for regulators to tell us what to do, Information Systems Control Journal 2: 22–23.

Heart, T., Maoz, H. and Pliskin, N. (2010). From Governance to Adaptability: The mediating effect of IT executives’ managerial capabilities, Information Systems Management 27(1): 42–60.

Henderson, J.C. and Venkatraman, N. (1993). Strategic Alignment: Leveraging information technology for transforming organizations, IBM Systems Journal 31(1): 4–16.

Huang, R., Zmud, R.W. and Price, R.L. (2010). Influencing the Effectiveness of IT Governance Practices through Steering Committees and Communication Policies, European Journal of Information Systems 2010(19): 288–302.

IT Governance Institute (ITGI) (2003). Board Briefing on IT Governance, 2nd edn, Rolling Meadows: IT Governance Institute.

IT Governance Institute (ITGI) (2007). Cobit 4.1: Framework, control objectives, management guidelines, maturity models, Rolling Meadows: IT Governance Institute.

Klein, H.K. and Myers, M.D. (1999). A Set of Principles for Conducting and Evaluating Interpretive Field Studies in Information Systems, MIS Quarterly 23 (1): 67–93.

Lazic, M., Groth, M., Schillinger, C. and Heinzl, A. (2011a). The Impact of IT Governance on Business Performance, in Proceedings of the 17th Americas Conference on Information Systems, 4–7 August, Detroit, Michigan.

Lazic, M., Heinzl, A. and Neff, A. (2011b). IT Governance Impact Model: How mature IT governance affects business performance. Sprouts: Working Papers on Information Systems, 11(147): 1–43.

Lee, C.-H., Lee, J.-H., Park, J.-S. and Jeong, K.-Y. (2008a). A Study of the Causal Relationship between IT Governance Inhibitors and ITs Success in Korea Enterprises, in Proceedings of the 41st Hawaii International Conference on System Sciences, Big Island, Hawaii, USA.

Lee, J., Lee, C. and Jeong, K.-Y. (2008b). Governance Inhibitors in IT Strategy and Management: An empirical study of Korean enterprises, Global Economic Review 37(1): 1–22.

Liang, T.-P., Chiu, Y.-C., Wu, S.P.J. and Straub, D. (2011). The Impact of IT Governance on Organizational Performance, in Proceedings of the 17th Americas Conference on Information Systems; Detroit, Michigan.

Loh, L. and Venkatraman, N. (1992). Diffusion of Information Technology Outsourcing: Influence sources and the kodak effect, Information Systems Research 3(4): 334–358.

Meyer, M., Zarnekow, R. and Kolbe, L.M. (2003). IT-Governance: Begriff, Status quo und Bedeutung, Wirtschaftsinformatik 45(4): 445–448.

Möller, D., Legner, C. and Heck, A. (2011). Understanding IT Transformation – An explorative case study, in Proceedings of the 19th European Conference on Information Systems (ECIS 2011); Helsinki, Finland.

Nfuka, E. and Rusu, L. (2010). Critical Success Factors for Effective IT Governance in the Public Sector Organizations in a Developing Country: The case of Tanzania, in Proceedings of the European Conference on Information Systems; Pretoria, South Africa.

Nfuka, E.N. and Rusu, L. (2011). The Effect of Critical Success Factors on IT Governance Performance, Industrial Management & Data Systems 111(9): 1418–1448.

Olson, M.H. and Chervany, N.L. (1980). The Relationship between Organizational Characteristics and the Structure of the Information Services Function, MIS Quarterly 4(2): 57–69.

Peterson, R. (2004). Crafting Information Technology Governance, Information Systems Management 21(4): 7–22.

Psoinos, A., Kern, T. and Smithson, S. (2000). An Exploratory Study of Information Systems in Support of Employee Empowerment, Journal of Information Technology 15(3): 211–230.

Ribbers, P.M., Peterson, R.R. and Parker, M.M. (2002). Designing Information Technology Governance Processes: Diagnosing contemporary practices and competing theories, in Proceedings of the 35th Hawaii International Conference on System Sciences; Big Island, Hawaii, USA.

IT governance success and its impact Buchwald et al. 145

Sambamurthy, V. and Zmud, R.W. (1999). Arrangements for Information Technology Governance: A theory of multiple contingencies, MIS Quarterly 23(2): 261–291.

Segars, A.H. and Hendrickson, A.R. (2000). Value, Knowledge, and the Human Equation: Evolution of the information technology function in modern organizations, Journal of Labor Research 21(3): 431–445.

Sethibe, T., Campbell, J. and McDonald, C. (2007). IT Governance in Public and Private Sector Organizations: Examining the differences and defining future research directions, in Proceedings of the 18th Australasian Conference on Information Systems; Toowoomba, Australia.

Simonsson, M. and Johnson, P. (2005). Defining IT Governance – A consolidation of literature, Stockholm, Sweden: KTH Royal Institute of Technology.

Simonsson, M., Johnson, P. and Ekstedt, M. (2010). The Effect of IT Governance Maturity on IT Governance Performance, Information Systems Management 27(1): 10–24.

Straub, D., Boudreau, M.-C. and Gefen, D. (2004). Validation Guidelines for IS Positivist Research, Communications of the AIS 13: 380–427.

Suddaby, R. (2010). Construct Clarity in Theories of Management and Organization, Academy of Management Review 35(3): 346–357.

Urbach, N. and Ahlemann, F. (2010). Structural Equation Modeling in Information Systems Research Using the Partial Least Squares Approach, Journal of Information Technology Theory and Application 11(2): 5–40.

Van Grembergen, W. (2002). Introduction to the Minitrack ‘IT Governance and its Mechanisms’, in Proceedings of the 35th Hawaii International Conference on System Sciences; Big Island, Hawaii, USA.

Van Grembergen, W., De Haes, S. and Guldentops, E. (2004). Structures, Processes and Relational Mechanisms for IT Governance, in W. Van Grembergen (ed.) Strategies for Information Technology Governance, Hershey, PA: IGI Publishing, pp. 1–36.

Webb, P., Pollard, C. and Ridley, G. (2006). Attempting to Define IT Governance: Wisdom or folly? in Proceedings of the 39th Hawaii International Conference on System Sciences; Kauai, Hawaii, USA.

Weill, P. (2004). Don’t Just Lead, Govern: How top-performing firms govern IT, MIS Quarterly Executive 3(1): 1–17.

Weill, P. and Ross, J.W. (2004). IT Governance – How top performers manage IT decision rights for superior results, Boston: Harvard Business School Press.

Wu, W.W., Lin, S.-H., Cheng, Y.-Y., Liou, C.-H., Wu, J.-Y., Lin, Y.-H. and Wu, F.H. (2006). Changes in Mis Research: Status and themes from 1989 to 2000, International Journal of Information Systems and Change Management 1(1): 3–35.

Yin, R.K. (2009). Case Study Research – Design and methods, Thousand Oaks: Sage Publications.

Zwicky, F. (1967). The Morphological Approach to Discovery, Invention, Research and Construction, in F. Zwicky and A. Wilson (eds.) New Methods of Thought and Procedure, Berlin Heidelberg: Springer, pp. 273–297.

About the Authors

Arne Buchwald is a Doctoral Student and Research Assistant at the University of Bayreuth, Germany. Previously, he was a Research Assistant at EBS Business School in Wiesbaden, Germany. Additionally, he is a consultant with Horváth & Partners Management Consultants. He studied business administration from 2006 to 2009 at EBS Business School and proceeded with his master studies at the School of Business and Economics at Maastricht University, The Neth- erlands. During his study, he gained hands-on experience, both at home and abroad, at a consultancy and at an IT service provider. His recent research focuses on project portfolio management, IT governance, and cloud computing. His work has been published in internationally renowned conference proceedings, such as the International Conference on Infor- mation Systems (ICIS) and the European Conference on Information Systems (ECIS).

Nils Urbach is a Professor of Information Systems and Strategic IT Management at the University of Bayreuth.

Furthermore, he is Deputy Director of the Finance & Informa- tion Management Research Center and the Project Group Business & Information Systems Engineering of Fraunhofer FIT. Before, he held the position of an Assistant Professor at EBS Business School in Wiesbaden, where he was head of the Strategic IT Management Competence Center at the Institute of Research on Information Systems. He also received his doctorate from EBS. Furthermore, he holds a diploma in information systems from the University of Paderborn. He gathered international experience during his research stays at the University of Pittsburgh and at Université de Lausanne. Complementary to his academic work, he was Consultant with Horváth & Partners and Accenture. In research and teaching, he mainly addresses questions in the areas of strategic IT management as well as communication and IT- based collaboration. In recent research projects, he is engaged in topic such as IT governance, IT outsourcing, and project portfolio management, among others. His work has been published in several international journals and in the proceed- ings of key international conferences.

Frederik Ahlemann obtained an Information Systems Diploma from the University of Münster, Germany, and worked as a Project Management Consultant for 2 years. Following this period, he joined the Faculty of Economics and Business Administration at the University of Osnabrück, where he obtained his doctorate in 2006. He subsequently joined the European Business School, Germany, as an Assistant Professor where he headed a competence center for strategic IT/IS management. In 2012, he was appointed full professor at the University of Duisburg-Essen, Germany, where he holds the Information Systems and Strategic IT Management chair. His research interests are project portfolio management, enterprise architecture management, and IS strategy. His projects are funded by major German enterprises from the automotive, software, and professional services industries. He has authored and co-authored more than 80 scientific and professional publications, has won several research and teach- ing awards, and is a renowned speaker and consultant.

Appendix

Interview guide

Demographic details

1. Interview partner

a. What is your name? b. In which department are you employed? c. What is your role in the company? d. How many subordinates do you have? e. How long have you been working for this company? f. How would you rate your experience in the field of ITG

(on a scale of 0 [low] to 5 [high])?

2. Company

a. What is the name of your company? b. To which industry does your company belong? c. Over how many locations is your company spread?

International subsidiaries?

IT governance success and its impact Buchwald et al. 146

d. How many people are employed in your company? e. How high were the sales of your company in the last

financial year?

3. IT organization

a. How many employees (internal, external) can be attrib- uted to the IT organization of your company?

b. How much were the total IT costs (expenses for internal and external services) for the last financial year? More IT outsourcing in the past years?

c. Does the IT organization of your company provide services for external customers?

d. What is the legal structure of the IT organization (business division/department, group, separate entity, etc.)?

e. How is the IT organization organized (cost center, service center, profit center, etc.)?

f. To whom does the CIO report in your company? g. Does the IT organization create value for your company

(on a scale of 0 [low] to 5 [high])? h. How would you estimate the customers’ appreciation of

IT (on a scale of 0 [low] to 5 [high])?

Interview questions

1. Understanding

a. What does ITG mean to you personally? b. According to your individual understanding, what are

the most important elements and topics of ITG? c. How is the term ITG defined in your company? d. Where do you draw the line between ITG, IT strategy,

and IT management?

2. Level of implementation

a. How would you characterize ITG in your company? b. How would you characterize the degree of matu-

rity of ITG in your company (according to CoBIT)? What are open topics in the field of ITG in your company?

c. Does your company have documentation for ITG? Would you make this available to us?

d. Is ITG in your company defined as a part of corporate governance or is it derived from it?

e. What methods and standards of ITG are used in your company (CoBIT, ITIL, etc.)?

f. Who is responsible for ITG in your company? Dedicated function of ITG? Management staff unit or line func- tion? In your opinion, who in your company should be responsible for ITG?

g. How would you assess the significance of the topic of ITG in your company?

3. Development

a. How has ITG in your company developed over the past years?

b. What challenges or problems were faced regarding the establishment or development of ITG?

c. Are there currently any projects or other initiatives dealing with ITG in your company?

d. Is there a concrete plan for developing ITG in your company?

4. Goals and benefits

a. What goals have been pursued to establish the current corporate governance in your company? Which of these goals have actually been achieved?

b. From your perspective, what are the potential benefits of ITG in general?

c. From your point of view, when is ITG successful? How can the potential benefits of ITG be achieved best?

d. In your opinion, by how far does ITG have the potential to positively influence the performance of the IT organization and of the company?

5. Success and contextual factors

a. From your point of view, what are the most important critical success factors of ITG?

b. From your point of view, what are the most important critical constraining factors of ITG?

c. From your perspective, how do contextual factors influence ITG? What are the most important contextual factors from your point of view?

d. How important do you consider an improved under- standing of the success and constraining factors of ITG?

Finally, are there any further comments or suggestions you would like to make with regard to the topic of ITG?

IT governance success and its impact Buchwald et al. 147

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

  • Business value through controlled IT: toward an integrated model of IT governance success and its impact
    • Introduction
    • Foundations
      • IT governance
      • ITG success determinants
    • Table 1
      • Consequences of ITG success
    • Table 2
    • Methods
      • Research approach
      • Data collection
    • Table 3
      • Data analysis
    • Table 4
    • Empirical findings
      • Understanding of ITG
    • Table 5
      • Trigger for ITG
      • Implementation of ITG
      • Organizational impact of ITG
    • Model development
    • Table 6
    • Figure 1Model of ITG success and its impact.
    • Discussion and conclusion
    • We thank the Institute for Research on Information Systems at EBS Business School and the CIO &#x00026; Project Advisory competence center of Horv&#x000E1;th &#x00026; Partners Management Consultants for supporting the empirical study presented in this pa
    • ACKNOWLEDGEMENTS
    • AliS.GreenP.2005Determinants of Effective Information Technology Governance: A study of IT intensity, in Proceedings of the International IT Governance Conference; Auckland, New ZealandAliS.GreenP.2007IT Governance Mechanisms in Public Sector Organisation
    • About the Authors
    • Appendix
      • Interview guide
      • Demographic details
      • Interview questions