e-IRGSP Governance Report

\chapter{Overview of Literature in IT Governance}

\label{chapter:3}

The importance of \ac{it} governance has been widely acknowledged in the

academic and professional literature, especially with regards to the

private sector. The corporate scandals of Enron and other US-based

companies raised the level of regulation and tightened corporate

governance in order to protect investors and ensure fiscal

accountability. Increased significance was similarly attributed to \ac{it}

governance, which is the focus of this chapter. Research has found

that effective \ac{it} governance enhances competitiveness and business

value \cite{WeillRoss2004b}. There is debate, however, as to how this

can be best operationalised. The following sections will provide an

overview of the literature on the nature, forms and mechanisms of \ac{it}

governance. Current research in the main areas will be discussed,

together with the latest empirical findings.

\section{Defining IT Governance}

As a result of research developing in different areas, scholars and

professional bodies have suggested many useful definitions. There

seems to be general consensus as to how \ac{it} governance has come to

be interpreted, although the focus is slightly different between

studies.

Sambamurthy and Zmud \cite{SambamurthyZmud2000} define \ac{it}

governance as ``an organisation's \ac{it}-related authority pattern''.

The authors suggest research should understand the ``organising logic

for the \ac{it} function'' which they define as ``the managerial

rationale for designing and evolving specific organisational

arrangements in response to an enterprise's environmental and

strategic imperatives''. Building on this work, Schwarz and Hirschheim

\cite{Schwarz2003} refer to \ac{it} governance as ``the \ac{it}

related structures or architectures (and associated authority pattern)

implemented to successfully accomplish (\ac{it} imperative) activities

in response to an enterprise's environmental and strategic

imperatives''.

In another strand of research, Weill and Ross \cite{WeillRoss2004b}

define \ac{it} governance as representing ``the framework for decision

rights and accountabilities to encourage desirable behavior in the use

of \ac{it}''. This definition captures the high level at which \ac{it}

governance operates, but at the same time emphasises the unique

character it can attain since desirable behaviors differ between

organisations. It also encompasses both the behavioural and normative

aspects of governance in line with \ac{oecd} principles \cite{OECD}.

Relating \ac{it} governance with other aspects of the organisation,

Van Grembergen \cite{Grembergen2003} proposes the following

definition: ``\ac{it} governance is the organisational capacity

exercised by the board, executive management and \ac{it} management to

control the formulation and implementation of \ac{it} strategy and in

this way ensure the fusion of business and \ac{it}''. Along other

material operationally focused on implementation, the \ac{it}

Governance Institute suggests that ``\ac{it} Governance is the

responsibility of the Board of Directors and executive management. It

is an integral part of enterprise governance and consists of the

leadership and organisational structures and processes that ensure

that the organisation's \ac{it} sustains and extends the

organisation?s strategy and objectives''~\cite{ITGI2003} .

The last two definitions emphasise the relevance to corporate

governance, a recurring theme in the literature. Weill

\cite{Weill2004} suggests that ``good \ac{it} governance draws on

corporate governance principles to manage and use \ac{it} to achieve

corporate performance goals''. Other work states that due to the

growing reliance of organisations on \ac{it}, it is very difficult to

distinguish between \ac{it} and corporate governance, since they are

interrelated and constantly feeding into each other

\cite{Grembergen2003}. In addition to this synergy, the literature on

Strategic Information Systems Planning also provides useful guidance

to \ac{it} governance\cite{Webb2006}, as it contributes to work on its

supporting mechanisms such as critical success factors, the value

chain model and business process reengineering \cite{Grembergen2003}.

There is, however, a clear demarcation between \ac{it} governance and

\ac{it} management. The former is usually referred to as a broader

term that covers \ac{it} performance and transformation towards

business and customer demands, while the latter is restricted to

denoting effective supply of \ac{it} services and products, as well as

management of \ac{it} operations \cite{Peterson2003}. Although

scholars and practitioners insist on the value of involving \ac{it}

management in \ac{it} governance processes, they are quick to dismiss

the assumption of \ac{it} governance as an enhanced mode of \ac{it}

management and draw a definite line between the two concepts and the

distinct purposes they serve \cite{HaesGrembergen2004,Peterson2003}.

As Weill and Ross\cite{WeillRoss2004b} clearly explain, governance

establishes who has the right to make decisions, while management

involves the actual decision-making and implementation processes.

A large part of the literature discusses an extended view of \ac{it}

governance, departing from decision rights to include governance

mechanisms, informal arrangements and other means to support

organisational objectives, as will be discussed in the following

sections.

\section{Key IT Governance Decisions}

\label{sec:key-it-governance-decisions}

Weill and Ross \cite{WeillRoss2004b} depart from traditional research

on \ac{it} governance with their contemporary framework for the

customisation of \ac{it} governance systems \cite{BrownGrant2005}.

Drawing on research in 250 companies worldwide, they argue that the

starting point for effective \ac{it} governance lies in articulating

\ac{it} governance decisions and positioning the appropriate people to

engage in decision-making in the following five interrelated areas:

\begin{itemize}

\item \ac{it} Principles

  These are high-level statements regarding the use of \ac{it} and

  should be derived naturally to match and support an organisation's

  business and operational objectives. Weill and Ross

  \cite{WeillRoss2004b} suggest that these principles should identify

  the organisational operating model, concrete ways in which \ac{it}

  can support it, and the funding model required. \ac{it} principles

  guide decisions in the other domains listed below and may be used to

  raise a shared understanding among organisational members.

\item \ac{it} Architecture

  Architecture design relies on \ac{it} principles to capture

  requirements for process, data and technical standardisation and

  integration, according to the organisation's objectives. For

  example, the extent to which an organisation decides between stable

  infrastructure and local flexible applications reflects a

  translation of relevant strategic choices such as the degree of

  business flexibility.

\item \ac{it} Infrastructure Strategies 

  \ac{it} infrastructure is defined as ``the foundation of planned

  \ac{it} capability (both technical and human) available throughout

  the business as shared and reliable services and used by multiple

  applications''~\cite{WeillRoss2004b}. Examples of crucial governance

  decisions around infrastructure include the location of

  infrastructure services, pricing, updating and outsourcing.

\item Business Applications Needs

  Decisions in this area seek to achieve a balance between, on the one

  hand, finding creative ways to increase business value through

  applications that support organisational objectives and, on the

  other, complying with architectural integrity.

\item \ac{it} Investment and Prioritisation

  Investment levels should correspond to the strategic role attached

  to \ac{it}. An \ac{it} investment portfolio---an analogy to

  financial investment portfolios---provides a useful way to approach

  decisions on funding allocation, based on strategic alignment,

  return and risk considerations. Prioritising and reconciling \ac{it}

  needs between organisational departments, as well as distinguishing

  absolutely necessary from merely desirable \ac{it} capabilities, are

  both included in this area of decision-making.

\end{itemize}

\section{IT Governance Forms and Archetypes}

A large part of the literature discusses appropriate \ac{it}

governance decision-making structures for different areas in order to

maximise efficiency and return on investment.

One of the most common approaches distinguishes ``\ac{it}-related

authority patterns'' as centralised, decentralised, or federal

\cite{SambamurthyZmud1999}. \emph{Centralised} \ac{it} governance

grants decision rights to corporate stakeholders only. The

\emph{decentralised} mode assigns authority to either divisional

units, a mix of divisional units and line management actors, or in

very rare cases, just to line managers. The advantages of the first

include control over \ac{it} and a greater opportunity to realise

economies of scale, while the second model allows for greater

customisation and responsiveness \cite{BrownGrant2005}.

A \emph{federal} model would involve a corporate unit and divisional

units or line management in different variations \cite{Peterson2004,

  SambamurthyZmud1999, Weill2004}, combining the advantages of both

centralised and decentralised models. Peterson suggests a distinction

between \ac{it}-centric and business-centric approaches, according to

the participation of \ac{it} and business executives in

decision-making \cite{Peterson2004}. Typically, there is central

control on decisions around \ac{it} infrastructure supply and

decentralised patterns regarding \ac{it} applications and use

\cite{BrownMagill1998}. Similar types of \ac{it} governance have been

described as hybrid, distributed, centrally-decentralised and

equilibrium models or structures \cite{BrownGrant2005}.

Sambamurthy and Zmud \cite{SambamurthyZmud1999} note that \ac{it}

governance arrangements are not stable but frequently change from more

centralised to more decentralised forms and vice versa. At the same

time, it is acknowledged that there are no strict boundaries

between centralised, decentralised and federal models, since they are

all situated on a continuum and reflecting more complicated

arrangements encountered in organisations \cite{BrownGrant2005}.

In essence, governance structures are put in place to balance the

tensions between local units and central parts of an enterprise

\cite{Huang2010}. To achieve this task, more flexible \ac{it}

governance models have been developed, in vertically and horizontally

expanded variations \cite{BrownGrant2005, WeillRoss2004b}. Six \ac{it}

governance archetypes have been identified to illustrate which sets of

stakeholders have input and/or decision rights regarding the five key

decisions areas described in~\ref{sec:key-it-governance-decisions}.

\paragraph{Business Monarchy}

In business monarchies, business executives at the most senior levels

of organisations (CxOs) make decisions on \ac{it} governance. This

style is common with respect to \ac{it} principles, in this way

enhancing the chances for \ac{it} alignment with business objectives.

\ac{it} investment is another area of regular application, where such

high-level budgeting decisions establish funding priorities across

competing parts of the organisation, rather than being solely focused

on \ac{it}.

\paragraph{IT Monarchy}

Senior \ac{it} executives make decisions in groups or individually,

usually with input from both corporate teams and business units. This

governance model is more frequently adopted in \ac{it} architecture

and \ac{it} infrastructure strategies decisions. In other areas the

involvement of business executives is required to ensure strategically

important goals, responsibility and commitment.

\paragraph{Feudal}

Feudal arrangements delegate decision-making to the leaders of

business units, regions or business functions who own \ac{it}

processes. However, this is a less widespread model, as it does not

take advantage of synergies across the organisation. Only little

application has been observed.

\paragraph{Federal}

This model of \ac{it} governance involves coordination between the

senior business executives and business unit leaders. There is often

participation of senior \ac{it} executives or business unit \ac{it}

leaders. The federal archetype is regularly used, but only to provide

input to all five decision areas

of Section~\ref{sec:key-it-governance-decisions} by a large percentage of the

organisations studied. Actual decision-making is organised around this

type of arrangement mainly with regard to business applications needs

across different units, as well as for \ac{it} investment, in order to

ensure a balance between different business units' priorities. It can

be argued that this model favours large and powerful business units,

leading the rest to adopt local \ac{it} solutions.

\paragraph{IT Duopoly}

Duopolies refer to bilateral decision-making processes between \ac{it}

executives (only central or together with those from business units)

and either senior level business executives, or business unit leaders,

the same group involved in feudal arrangements. The simple management

structure and the ability to customise decisions for different units

efficiently make duopolies popular in the five key \ac{it} governance

decision areas. Regarding \ac{it} principles, coordination between

senior business and \ac{it} management ensures alignment and

commitment to business objectives. Duopolies allow rapid consideration

of both business and technological issues around shared infrastructure

services, transferring expertise from one party to the other.

Moreover, \ac{it} duopolies increase the involvement of \ac{it} in

business applications decisions, resulting to greater exploitation of

current technical infrastructures. Along these lines, \ac{it}

investment and prioritisation often relies on \ac{it} duopolies to

identify risks and opportunities, especially around long-term and more

efficient sharing of infrastructures.

\paragraph{Anarchy}

Here, there is no coordination across the organisation, as local needs

guide decisions made by individuals or small groups independently.

This model is very rare and only appropriate when it is necessary to

react quickly to change.

As organisations expand geographically and diversify their activities,

organisational structures are not adequate to reconcile conflicting

needs and objectives and \ac{it} governance becomes indispensable. A

certain amount of heterogeneity in governance forms archetypes is

identified across studies, while it is now widely acknowledged that

``there is no single `best' \ac{it} organisational structure or

governance arrangement because \ac{it} needs to respond to the unique

environment within which it exists'' \cite{Agarwal2002,

  BrownGrant2005}. Willson and Pollard stress the significance of the

unique characteristics of the organisational and historical

environment \cite{WillsonPollard2009}. Other research shows that more

successful organisations are adopting specific governance models

\cite{WeillRoss2004b}. A significant amount of work has been devoted

to understanding how specific variables affect \ac{it} governance

structures. This topic will be discussed in the following section.

\section{Drivers of IT Governance Forms: Multiple Contigencies}

It is important to understand the reasons for adopting specific

\ac{it} governance arrangements \cite{SambamurthyZmud1999}. Early

research considered single contingencies or a set of individual

contingencies without paying attention to possible interactions.

Strategic and performance goals, organisational and decision-making

structures, governance experience, size and diversity have been found

to influence the choice of \ac{it} governance structural forms

\cite{BrownGrant2005, WeillRoss2004b}. At the same time, differences

according to industries and regions determine appropriate governance

arrangements. For instance, not-for-profit and government

organisations are characterised by different performance measures,

accountability patterns and cultures; as a result, governance

archetypes suitable to successful for-profit companies may not apply

directly to these organisations.

In any case, single contingency factors are not adequate to explain

how \ac{it} governance forms are shaped, since there is significant

interaction between multiple influences \cite{BrownMagill1998,

  SambamurthyZmud1999}. A theory of multiple contingencies has been

introduced~\cite{SambamurthyZmud1999}, looking at how a consideration

of reinforcing, conflicting and dominating forces generates a better

understanding of the evolutionary nature of \ac{it} governance in

organisations. Through empirical work it was found that reinforcing

and dominating contingencies would contribute towards centralised or

decentralised models of \ac{it} governance, while conflicting

contingencies were more likely to create federal modes. Contingencies

have been grouped in three categories. These explain the establishment

of specific \ac{it} governance types against others.

\paragraph{Corporate Governance}

\ac{it} governance models frequently reflect similar arrangements

adopted in the corporate governance of the same organisations. In

addition, the size of the firm plays a significant role, as larger

organisations usually have more divisions and tend to decentralise

corporate and \ac{it} governance to be able to respond to the needs of

the business units.

\paragraph{Economies of Scope}

Economies of scope are defined as ``the benefits arising from the

sharing of appropriate \ac{it}-related expertise, know-how and

investments across the enterprise''~\cite{SambamurthyZmud1999}.

Drawing on strategic management literature, it is suggested that

diversification mode, diversification breadth, and exploitation

strategy are three additional factors influencing \ac{it} governance.

\begin{itemize}

\item \emph{Diversification mode} refers to whether, on the one hand,

  strategic goals towards growth assume an internal outlook,

  leveraging existing technological capabilities and infrastructures.

  A centralised mode would facilitate coordination of such objectives.

  On the other hand, the diversification mode can be directed towards

  external expansion through acquisitions, a strategy that may require

  a decentralised form of \ac{it} governance in order to accommodate

  differences between the \ac{it} infrastructures and units.

\item \emph{Diversification breadth} refers to the similarity between

  the products of different business units in the same firm or the

  relevance of the markets they compete in. Assuming that greater

  similarity in products and markets means less differentiation in

  \ac{it}, a centralised mode would be more likely to achieve

  economies of scope. Conversely, little similarity in products and

  markets would make a decentralised model more appropriate.

\item Under the condition that diversification mode or breadth allow

  the leveraging of economies of scope, \emph{exploitation strategies}

  provide an avenue to take further advantage of the situation. One

  way to achieve this would be either by building internal

  partnerships to integrate \ac{it} knowledge and authority, and

  thereby adopting decentralised \ac{it} governance at the divisional

  level, or by merging \ac{it} assets, supported by centralised

  decision rights. \end{itemize}

\paragraph{Absorptive Capacity}

This term is used to denote employee experience and capabilities in

evaluating information and constructing knowledge bases, as well as

engaging in effective decision-making and implementation. Lack of

\ac{it}-related absorptive capacity in line management favours

centralised \ac{it} governance models, while greater \ac{it}

experience supports decentralised forms.

\section{Governance Mechanisms} 

\ac{it} governance is not solely determined by governance

forms~\cite{Ribbers2002, Schwarz2003}, as these work within a dynamic

and competitive environment. In addition to decision rights and

authority structures, the \ac{it} governance literature extends to

examine horizontal integration capabilities, as ``the ability to

coordinate and integrate formal and informal \ac{it} decision-making

authority across business and \ac{it} stakeholder communities''

\cite{Peterson2004}. This section will discuss the cross-functional

implementation of \ac{it} governance in terms of formal and informal

coordination mechanisms, structural layers and processes

\cite{Brown2004}.

\paragraph{Structures and Committees}

Structures and committees are referred to as structural \ac{it}

governance capabilities \cite{Peterson2004}. Unrelated to \ac{it}

governance forms, these mechanisms involve formal roles and

relationships contributing to horizontal contact between \ac{it} and

business management. \acsp{cio} and liaison roles such as \ac{it}

relationship managers, \ac{it} account managers, as well as \ac{it}

executive councils and project committees, advisory boards and centres

of excellence, are all elements of structural capabilities.

Weill and Ross \cite{WeillRoss2004b} emphasise the decision-making

responsibilities accompanying this type of mechanisms, discuss how

they can generate commitment and relate these with the \ac{it}

governance archetypes. As it would be anticipated, business monarchies

employ executive committees or part of these, sometimes together with

the {\sc ceo}. In \ac{it} monarchies one encounters \ac{it}

leadership teams and \ac{it} architecture committees, with some

members participating in both the \ac{it} and business realms in order

to ensure alignment. The drive for shared \ac{it} infrastructures and

data makes federal archetypes necessary, but to balance local and

enterprise priorities, senior executive committees in this case draw

members from all business units. Duopolies are supported by three

mechanisms: \ac{it} councils with joint business/\ac{it} memberships,

process teams comprising cross-functional process owners and

\ac{it} executives, as well as business/\ac{it} relationship managers.

\paragraph{Processes and Control Frameworks}

This type of mechanism reflects the degree to which decision-making

and monitoring follow formalised standard procedures and rules

\cite{Peterson2004}. Apart from \ac{it} governance frameworks

developed by organisations themselves, there is a range of \ac{it}

standards provided by external bodies that consolidate best practices

in a structured manner, but at the same time allow organisations to

adapt them to their needs.

One of the most widely accepted frameworks is the \ac{cobit},

published free online by the \ac{isaca}. This set of guidance

documentation includes the framework, high-level and detailed control

objectives, audit guidelines, management guidelines and an

implementation guide together with a toolkit, to support executives

with \ac{it} governance \cite{COBIT, Guldentops2003}. De Haes and Van

Grembergen \cite{HaesGrembergen2004} suggest complementing \ac{cobit}

with the \ac{itil}, a framework maintained by the \ac{ogc} in the

United Kingdom. It is significantly oriented towards service

management, such as payroll infrastructures, and comprises of best

practice documentation material on strategy, design, transition,

operation and continual service improvement

(\url{http://www.itil-officialsite.com}).

Maturity models are also useful to benchmark performance and alignment

against other standards. Some maturity models are included in, for

instance the management guidelines of \ac{cobit}, or are developed

separately by researchers or institutions such as the \ac{it}

Governance Institute \cite{HaesGrembergen2004, Luftman2003}. Simonsson

et al \cite{Simonsson2010} carried out 35 case studies to examine the

correlation between \ac{it} governance maturity and \ac{it} governance

performance. The strongest positive correlation to \ac{it} governance

performance was exhibited by the internal \ac{it} structure, clear

organizational structures and relationships, mature quality management

and cost allocation. Minimal correlation was found with the maturity

of project management, service level management, performance and

capacity management.

Taking the view of \ac{it} as a service provider to the rest of the

organisation, the Balanced Scorecard can be used to control \ac{it}

performance in areas such as user satisfaction, business contribution,

operational excellence and future orientation

\cite{HaesGrembergen2004, Grembergen2000}. In addition, by linking the

objectives of the business Scorecard to the \ac{it} Scorecard, there

is greater strategic alignment and capability exploitation

\cite{HaesGrembergen2004, Grembergen2000}.

Other related measurement and control tools include Service Level

Agreements, strategic alignment frameworks and information economics

models \cite{HaesGrembergen2004, Karten2004, WeillRoss2004b}. Weill

and Ross add to these the \ac{it} investment approval process, the

architectural exception process, chargeback, project tracking and the

formal tracking of business value and benefit realisation

\cite{WeillRoss2004b}. A review of such \ac{it} governance tools can

be found in \cite{Larsen2006}. It should be noted though that these

tools cannot provide universal solutions, but need to be assessed and

adapted against the specific context of implementation. Learning

achieved through iterative modifications is of great significance

\cite{Weill2004}.

\paragraph{Relational Mechanisms}

Structures and committees, and processes and control frameworks, do

not guarantee effective \ac{it} governance \cite{Peterson2004}.

Organisations employ relational mechanisms to improve lateral

communication and understanding between corporate executives, \ac{it}

and business people \cite{HaesGrembergen2004}. The purpose is to find

integrative solutions combining expert and tacit knowledge through

participation and collaboration across boundaries. This type of

relational integration is facilitated through direct informal contacts

and negotiations, common locations and ``virtual meeting points'',

lobbying, joint performance incentives and shared learning

\cite{Peterson2004}.

Weill and Ross have focused on the communication aspect of relational

mechanisms \cite{WeillRoss2004b}. They have found that formal

communication of \ac{it} governance mechanisms relates to more

effective governance (while informal communication is not associated

with governance effectiveness). Some examples of such communication

devices include senior management announcements, communication between

and within formal committees to coordinate efforts, web-based portals

and intranets. Ownership in the sense of discussing \ac{it} governance

in the office of the \acs{cio} or a devoted \ac{it} governance office are

deemed equally important. Last but not least, a significant amount of

time is spent to guide managers through \ac{it} architecture in order

to increase acceptance and conformity to \ac{it} governance

arrangements.

Robbins proposes a more inclusive approach to \ac{it} governance,

involving external parties such as partners, service providers and

communities of practice \cite{Robbins2004}. In certain arrangements

such as outsourcing this outside input to decision-making is sought

regularly already \cite{WeillRoss2004b}.

\begin{table}

\caption{Structures, Processes and Relational Mechanisms \cite{HaesGrembergen2004, Grembergen2003, Peterson2004, WeillRoss2004b}}

\begin{center}

    	\begin{tabular}{ | p{2.5cm} | p{2cm} | p{2cm} | p{2,4cm} | p{2cm} |}

    	\hline

        & \textbf{Structures} & \textbf{Processes} & \multicolumn{2}{c|}{\textbf{Relational Mechanisms}} \\ \hline

	\textbf{Tactics} & \ac{it} executives and accounts & Strategic \ac{it} decision-making & Stakeholder participation & Strategic dialog \\

	& Committees and councils & Strategic \ac{it} monitoring & Business / \ac{it} partnerships & Shared learning \\ \hline

	\textbf{Mechanisms} & Roles and responsibilities\medskip

	\ac{it} organisation structure\medskip

        \acs{cio} on board\medskip

        \ac{it} strategy committee\medskip

	\ac{it} steering committee & Strategic information systems planning\medskip

	Balanced (\ac{it}) scorecards\medskip

	Information economics\medskip

	Service level agreements\medskip

	\ac{cobit} and \ac{itil}\medskip

	\ac{it} alignment / governance maturity models & Active participation by principal stakeholders\medskip

	Collaboration between principal stakeholders\medskip

	Partnership rewards and incentives\medskip

	Business/\ac{it} colocation & Shared understanding of business/\ac{it} objectives\medskip

	Active conflict resolution\medskip

	Cross-functional business/\ac{it} training\medskip

	Cross-functional business/\ac{it} job rotation\\ \hline

     	\end{tabular}

\end{center}

\label{default}

\end{table}

The mechanisms mentioned above should be simple and unambiguous,

transparent and suitable to engage appropriate individuals. The design

of mechanisms should employ a mix of techniques from all three types

and implement these at multiple organisational levels, use less but

more effective decision-making structures focusing on alignment, while

overlapping membership and clear accountability patterns should be

considered \cite{WeillRoss2004b}.

\section{Effective Governance}

Weill and Ross suggest top for-profit governance performers have more

managers who are able to accurately describe the role of \ac{it}

governance in their organisation \cite{WeillRoss2004b}. Senior

management engages more effectively through structural, relational and

communication mechanisms. Objectives for \ac{it} investment are

clearly articulated and communicated, through generally stable \ac{it}

governance arrangements over time. They also observe more formal

architecture exception processes, together with diversified business

strategies.

High-level commitment and communication emerge as significant elements

of contemporary \ac{it} governance. Departing from an earlier focus on

loci of control, Peterson concludes that collaboration is the

foundation of effective \ac{it} governance, ``where the need for

distinct competencies is recognized, developed, and shared adaptively

across functional, organizational, cultural, and geographic

boundaries'' \cite{Peterson2004}.

%%% Local Variables: 

%%% mode: latex

%%% TeX-master: "governance"

%%% End: