Towards a Method for Assessing IT Governance of Organizations

Towards a method for assessing IT governance of organizations

Master thesis

Author: Andre Son

Student ID number:313687

Master program: Economics & ICT

Department: Erasmus School of Economics

University: Erasmus University Rotterdam

First supervisor: prof.dr. Egon.W. Berghout

Second supervisor: prof.dr.Gert.J. van der Pijl

Date: 7 June 2012

Preface

This master thesis is the result of the research assignment of the master Economics & ICT of Erasmus University. The research has been conducted on assessment of IT governance.

I would like to thank prof. dr. E.W. Berghout for supervising me and providing useful feedback. Although he has given lecture in Erasmus University, he usually did not supervise students of Erasmus University. I was interested in the topic of his research field and fortunately he was willing to guide my research.

Andre Son

Hoofddorp, June 2012

Abstract

Many organizations have introduced IT governance in their organizations and a lot of research has been conducted on IT governance. However the research was mainly theoretical and little empirical research has been conducted. This thesis develops a method that enables comprehensive empirical research on IT governance. The method, calledIT governance assessment method consists of two components, IT governance description and IT governance effectiveness measurement. The method describes IT governance of organizations, is able to prescribe IT governance of organizations and measures the effectiveness of IT governance of organizations.

In order to develop the method, first a literature researchwas conducted to explore IT governance research. By exploring IT governance research, important elements of IT governance were identified. The elements were structures, processes & relations, strategic use of IT and control.IT governance research has primarily focused only in structures or in processes & relations. This research has combined them together which makes possible to study IT governance more comprehensively than before. The elements were converted in criteria for developing the method.

The literature research also identified methods that could be used for developing IT governance assessment method. These methods were evaluated and compared with each other on the criteria. IT governance matrix of Weill and Ross was selected to describe IT governance structures and IT governance mechanism of De Haes and Van Grembergen was selected to describe IT governance processes and relations.Business/IT alignment measurement of Luftman was selected to measure IT governance effectiveness.

The selected methods were modified to improve IT governance description and IT governance effectiveness measurement.IT governance matrix of Weill and Ross was modified by incorporating the element of control from corporate governance. The hierarchy levels and the relationships between them found in corporate governance were applied to IT governance and consequently incorporated in IT governance matrix. This IT governance matrix was combined with improved IT governance mechanisms and business/IT alignment measurement to form IT governance assessment method.

IT governance assessment method is able to prescribe IT governance of organizations by providing theoretical guidelines for organizing IT governance. The method provides theoretical guidelines for which IT decisions should be made and reviewed by which hierarchies. It gives recommendations on which IT governance mechanisms should be implemented, how many for each IT decision and how mature they should be.

IT governance assessment method was applied to two large financial organizations to validate whether the method can be usefully used in practice. Managers appointed by CIO’s of theorganizations to participate in the research were positive on the method. For this reason the method is deemed useful to assess IT governance of organizations in practice.

At the same time when the method was validated at the two organizations, an empirical research on IT governance has been conducted with the developed method. The main findings were that the organizations differed in the way some IT decisions were made and reviewed. The organization that has outsourced most of its IT did not review IT strategy decision. However at the organization that maintains most of its IT internally, IT strategy decision was reviewed by top management and even reviewed by the board of directors. Also at this organization major IT investment decision was made by top management itself supported by senior IT management whereas at the other organization senior IT management made major IT investment decision.

Future research can make IT governance effectiveness measurement of the method more sophisticated. Further the relationship between types of competitive strategy and IT governance of organizations can be investigated better with the use of IT governance assessment method.

Table of Contents

1.Introduction

1.1.Research motivation

1.2.Problem description

1.3.Research objective

1.4.Research question

1.5.Research approach

2.Literature research

2.1.Introduction

2.2.Literature research method

2.3.Evolution of IT governance

2.4.Traditional IT governance research (structures)

2.5.Recent IT governance research (processes & relations)

2.6.IT governance research limitations

2.7.Definition of IT governance

2.8.Conclusion

3.Selection of methods for IT Governance assessment method

3.1.Introduction

3.2.IT Governance description

3.3.IT Governance effectiveness measurement

3.4.Conclusion

4.Improvement of methods for IT Governance assessment method

4.1.Introduction

4.2.Modification of IT governance matrix

4.3.Construction of IT governance mechanisms list

4.4.Combination of IT governance hierarchy matrix and IT governance mechanisms

4.5.Adjustment of Business/IT alignment

4.6.Conclusion

5.Validation of method and empirical research on IT governance

5.1.Introduction

5.2.Validation

5.3.Empirical research on IT governance

5.4.Organization A

5.5.Organization B

5.6.Comparison between organizations

5.7.Conclusion

6.Conclusion

6.1.Research question

6.2.Research implications

List of figures and tables

References

Appendix A: Introduction letter of thesis research

Appendix B: Questionnaire IT governance research

1.Introduction

1.1.Research motivation

In a study that examined IT governance of more than 250 organizations throughout the world, it is found that organizations with superior IT governance had 20% more profit than organizations with poor IT governance given the same type of competitive strategy (Weill & Ross, 2004). This research indicates that IT governance is an important issue for organizations as it pays off to have a well managed IT governance in place.

Organizations invest heavily in IT and a large proportion of the investment budget is spent on IT. It has been reported that average firm’s IT investment is greater than 4% of annual revenue and that IT investment exceeds 50% of the average firm's annual total capital investment (Gorrmolski, Grigg, & Potter, 2001; Gartner Group, 2003). However the intended business value from IT investment was not evident and in many cases IT investments resulted even in negative results for many organizations (Brynjolfsson, 1993).

IT governance is a concept to address this problem of business value from IT (Dahlberg, 2007). The definition of IT governance that is used in this research is: IT governance is the control of the strategic use of IT with the distribution of decision rights and responsibilities (structures) and is supported by processes and relations.IT governance is different from IT management as is explained by Weill & Ross: “IT governance is not about what specific decisions are made. That is management. Rather, governance is about systematically determining who makes each type of decisions and how these people are held accountable for their role” (Weill & Ross, 2004). IT governance is therefore about organizing IT management and not managing IT by itself directly.

Many organizations have already implemented IT governance and many other organizations consider introducing IT governance. This is partly fueled by Sarbanes-Oxley Act in the United States. After a series of accounting scandals there was a need to enforce corporate governance to protect the rights of various stakeholders of companies. As a result companies had to perform accounting correctly, but also to manage IT resources properly and prevent IT risks (Brown & Grant, 2005).

1.2.Problem description

Many organizations have introduced IT governance, but there is still not much known about how IT governance is practiced at organizations.There has been a lot of research in the field of IT governance, but the research was mainly theoretical stating how IT governance should be organized. There was little empirical research that described how organizations were actually organizing IT governance (Sambamurthy & Zmud, 2000; De Haes & Van Grembergen, 2009). However it is needed that besides theoretical research also empirical research has to be conducted to investigate IT governance comprehensively (Peterson, 2000). This way IT governance can be understood more thoroughly and useful recommendations can be provided to organizations. In order to study IT governance in practice there is a need for methods with which empirical research can be conducted. There are however little methods available that can be used to assess IT governance of organizations. Further the methods that are available cannotassess IT governance comprehensively, because the methods examine only certain elements of IT governance and not all elements altogether.

1.3.Research objective

The research objective of this research is therefore formulated as follows:

Develop a comprehensive method that can be used to assess IT governance of organizations.

The developed method will examine as many as possible elements of IT governance altogether. This method has the main function that it describes IT governance of organizationsin practice. The method should also be able to give a prescription about how best to organize IT governance for organizations. Further the method should measure theeffectivenessof IT governance of organizations. Measurement of IT governanceeffectiveness is useful, because insight can be gained on how organizations with effective IT governance have organized their IT governance. The developed method is validated by applying the method to two organizations. At the same time a beginning has been made of empirical research on IT governance at these two organizations with the use of the developed method. The results of empirical research at the two organizations are also presented.

1.4.Research question

The research question of this research isformulated as follows:

Which constituents should be part of a comprehensive method to assess IT governance of organizations?

The following sub research questions are formulated to answer the research question:

1. What are the main elements of IT governance?(Chapter 2)

2. Which existing methods can be used for the development of the method? (Chapter 3)

3. How can the selected methods be improved and combined to develop the method? (Chapter 4)

4.Is the proposed method applicable in practice? (Chapter 5)

5. What are the findings of the empirical research with the use of the proposed method? (Chapter 5)

In the conclusion of each chapter the corresponding sub research question is answered. In the conclusion chapter of the thesis the research question is answered.

1.5.Research approach

In order to answer the research question and develop the method as stated in the research objective the following researchapproachis adopted. The research approach is depicted in figure 1.

1. Literature research

First, literature research is conducted to explore existing IT governance theory. Limitations of existing IT governance research are presented and a number of IT governance definitions are compared. From themelements are identified that are used to develop the method (Chapter 2).

2. Method development

Based on the findings from the literature research, the method that can assess IT governance is developed. The existing IT governance methods are evaluated and compared on the identified elements. The methods that satisfy the criteria are selected, improved and combined into the research method (Chapter 3&4).

3. Method validation and empirical research

The developed method is validated by applying the method at two organizations. First a survey is submitted to the manager of the organization. After the completion of the survey an interview is held or several mails are send to understand and discuss the answers to the survey. In addition to validating the method, an empirical research is conducted to make a beginning of empirical research on IT governance with the use of the developed method (Chapter 5).

Figure 1. Research approach

2.Literature research

2.1.Introduction

In this chapter it is first explained how the literature research is conducted. It is described how IT governance has evolved from the beginning until now. The traditional IT governance research and more recent IT governanceresearch are explained and their limitations highlighted.By studying existing IT governance research, important elements of IT governance are identified. The definitions of IT governance found in the literature are compared and a definition of IT governance is formed that is used in this thesis. By comparing definitions additional important elements of IT governance are identified. The identified elements will serve as criteria that are used for method development.

2.2.Literature research method

Literature reviewwas conducted tofind paperson IT governance. The keywords ‘Information Technology Governance’ and ‘IT Governance’ were used to search in journals of the academic field management information systems. The papers that were found are published between 1997 and 2010. Renowned journals as MIS Quaterly, Information Systems Research, and Journal of Management Information Systems provided very little or no papers on the topic of IT governance. Two papers were found in MIS Quaterly and no papers were found in Information Systems Research and Journal of Management Information Systems. However in Hawaii International Conference on Systems Sciences andthe journal Information Systems Management many papers on IT governance could have been found.In Hawaii International Conference on Systems Sciences 24 papers were found and in Information Systems Management seven papers were found.The journal Communication of AIS had three papers on IT governance.

After the papers have been found in the journals, the references of these papers are looked upon to find additional relevant papers on IT governance and other related IT research fields as IT planning, Business/IT alignment and IT performance. Further two academic books on IT governance are consulted.

2.3.Evolution of IT governance

Management of IT has been an issue since the introduction of computers in organizations. The earliest research on IT management dates back to 1963. Garrity found that IT generates profits and that to make this happen top management has to guide and direct computer systems (Garrity, 1963). The involvement of top management is a recurring theme that is also found in many recent IT governance researches.

In the 1970’s the concept of IT planning became important. Many IT research publications on IT planning can be found in that time (Zani, 1970; McLean & Soden, 1977; King, 1978). They argued that the planning of information systems in organizations have to be performed top down. IT planning should be strategic and consider organization’s mission, objective and strategy.

Henderson and Venkatraman played an important role in IT management research as they have introduced both the concepts business/IT alignment and IT governance in the early 1990’s. In one of their research papers they came up with the term strategic alignment to align business strategy with IT strategy on one hand and align strategies with internal organization and processes on the other (Henderson & Venkatraman, 1993). IT planning has been addressing issues like alignment between business and IT plan and alignment between business and IT strategy. These alignment views have been emphasized by Henderson and Venkatraman in the concept strategic alignment. Strategic alignment is later on named as business/IT alignment. Also much research has been published in this research field (Reich & Benbasat 1996; Chan, Huff, Barclay & Copeland, 1997; Luftman, Lewis & Oldach, 1993).

In another research paper Henderson and Venkatraman together with Oldach first introduced and explained the concept of IT governance (Henderson, Venkatraman & Oldach, 1993). They have described it as one of the four mechanisms to attain strategic alignment. It refers to allocation of decision rights. The other alignment mechanisms are technology capability, human capability and value management. The authors explained that IT governance deals with centralization or decentralization of decision making. However even before the introduction of IT governance concept, various researches have already been conducted on IT decision rights and responsibilities, elements of the definition of IT governance (Garrity, 1963; Golub, 1975; King, 1983; Boynton, Jacobs, & Zmud, 1992).

2.4.Traditional IT governance research(structures)

Traditionally IT governance research was mainly concentrated ondistribution of IT decision making rights and responsibilitiesto IT decision makers (Brown & Grant, 2005). In this thesis, the term IT governance structures will be used to refer to the distribution of IT decision making rights and responsibilities; and also to refer to IT decision makers themselves. IT governance structures are thedistribution of IT decisionmaking rights and responsibilities; and IT decision makers themselves.

IT governance structuresresearchcan be divided into two separate streams that both have contributed to the foundation of IT governance research (Brown & Grant, 2005). One stream is IT governance forms that deals with types of decision making that organization adopt. Research in this stream investigated the degree of centralization and decentralization of decision making. At centralized IT governance, IT decisions are made by central business or IT management. This form provides efficiency and standardization. At decentralized IT governance, IT decisions are made by business units. This form improves flexibility and responsiveness (Brown, 1997). Many scholars also refer to the form of federal decision making which is a combination of centralization and decentralization. At federal IT governance, central management has the authority over IT infrastructure decisions and business units have the authority over IT applications development decisions (Sambamurthy & Zmud, 1999). Research indicated that the federal form of IT decision making was dominant in organizations (Sambamurthy & Zmud, 1999; Hodgkinson, 1996).

The other stream is IT governance contingency analysis. Research in this stream investigated what IT governance structures were the best for which organization through an analysis of factors that affected IT governance design. Organizational structure, competitive strategy, industry and firm size were primary factors that were frequently analyzed. From these factors only competitive strategy was significantly associated with IT governance structures(Brown & Grant, 2005).

The research of Weill and Ross (Weill & Ross, 2004) has combined the two separate IT governance structuresresearch streams (Brown & Grant, 2005). The authors have added another form of decision making, IT duopoly. This form is similar to the federal form, but is still different. The federal form consists of a central group and a business unit with or without an IT group. At IT duopoly the focus is on whether the form consists of an IT group comprised of the central and/or business unit IT groupwith central business group and/or business unit. The authors have also defined five types of IT decisions that should be made by various people in the organization. They also dealt with IT governance contingency analysis stream by arguing that for different types of competitive strategies different IT governance structures are needed. They explained what patterns of IT decisions made by various people in the organization best suit different types of competitive strategies. More about the research of Weill and Ross will be explained in chapter 3.