Designing a new Integrated IT Governance and IT Management ...

Designing a new Integrated IT Governance and IT Management Framework Based on Both Scientific and Practitioner Viewpoint

Ruben Pereira* Department of Computer Science Instituto Superior Técnico/INOV Universidade Técnica de Lisboa Rua Alves Redol, 9, 1000-029 Lisboa, Portugal Phone: +351966474901 Fax: +351213100445 E-mail: [email protected]

Miguel Mira da Silva Professor, Department of Computer Science Instituto Superior Técnico/INOV Universidade Técnica de Lisboa Rua Alves Redol, 9, 1000-029 Lisboa, Portugal Phone: +351919671425 Fax: +351213100445 E-mail: [email protected]

* Corresponding Author

Biographical Notes Ruben Pereira received his first degree (2008) and then a master degree (2010) in Computing Science from the Technical University of Lisbon, where currently is also working on his PhD thesis. Since 2009 Ruben has been a researcher at the INOV research institute, applying and evaluating his research proposals together with Portugal's largest private bank (Millennium BCP) and international IT consulting companies. His research focuses on information systems management and governance, in particular maturity models for ITIL, integrated "super frameworks" and now formalizing compliance and auditing. Ruben has published a number of articles in respected international conferences, such as EDOC and EMCIS. Miguel Mira da Silva graduated (1989) and received a master degree (1993) in Electrical Engineering from the Technical University of Lisbon, a PhD (1997) in Computing Science from the University of Glasgow and, more recently, a prestigious master in management entitled “Sloan Fellowship” (2005) from the London Business School. Currently, Miguel is Professor of Information Systems in the Technical University of Lisbon and director at the INOV research institute. Miguel has been working as a consultant for 20 years, published four teaching books in Portuguese as well as more than 50 research papers in international conferences and journals.

Designing a new Integrated IT Governance and IT Management Framework Based on Both Scientific and Practitioner Viewpoint ABSTRACT IT Governance (ITG) has been recognized as a CIO top-10 issue for more than five years and has risen in priority between 2007 and 2009. There are several Frameworks to help organizations in ITG implementation but these lack scientific viewpoint, are complex, and also overlap each other. However, besides the existence of several frameworks to help organizations in ITG implementation, most organizations keep designing their own Framework. Such statements reinforce the possibility of improvements in the existing Frameworks. In this paper we make a literature review to leverage ITG Contingency factors, ITG general guidelines and main ITG and IT Management (ITM) areas in order to provide a scientific viewpoint validation. Therefore we integrate our artefacts and propose a new integrated ITG framework. We then evaluate our artefacts with expert’s interviews so as to provide practitioner viewpoint validation and also map our artefacts with current theories. Finally, we conclude our research with main contributions and future work. Keywords: Governance; Information Technology Governance; Information Systems; Guidelines; Contingency Factors; Information Technology Areas; Survey.

Designing a new Integrated IT Governance and IT Management Framework Based on Both Scientific and Practitioner Viewpoint Ruben Pereira, Instituto Superior Técnico/INOV, Portugal Miguel Mira da Silva, Instituto Superior Técnico/INOV, Portugal

INTRODUCTION Since IT has become crucial to the support, sustainability and growth of the business (Law and (Ngai, 2005; Quereshil et al., 2009), this pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT Governance (ITG) (De Haes and Grembergen, 2008). Some studies have shown that companies which have good ITG models generate higher returns on their IT investments than their competitors (Lunardi et al., 2009; Webb et al., 2006). With IT investments making up a significant portion of corporate budgets and increased external pressure to control and monitor costs, effective ITG is seen as a vital way to ensure returns on IT investments and improved organizational performance (Jacobson, 2009). ITG elevates information to a key organizational asset and treats governance of information at par with governance of other assets, such as human, financial, intellectual, and relationship assets (Fasanghari et al., 2008). Organizations can no longer afford to have ITG by default or bad ITG by design (Symons, 2005). ITG is not only designed to achieve internal efficiency in the IT organization, such as deploying good IT processes and making sure that means and goals are documented. The final goal of good ITG is rather to provide the business with the support needed to conduct business in a good manner (Simonsson et al., 2008 a). ITG has been a concern in the last 20 years. However, good ITG is no longer a “nice to have”, but a “must have” and can contribute to higher returns on assets at a time when business is increasing their technology investment (Webb et al., 2006). Indeed, Gartner states that ITG has been recognized as a CIO top-10 issue for more than five years and has risen in priority between 2007 and 2009 (Gerrard, 2009). Despite ITG relevance for business success, conceiving the ITG model is just the first step, implementing ITG as a sustainable solution is the next challenging step (Fasanghari et al., 2008), and, as we will see, it is not easy. The purpose of this paper is to examine both the previous and the current research in ITG, and propose an integrated IT Governance and Management Framework based on literature and experts’ knowledge. To better understand where we are heading and where we currently stand, a review of where we started is needed.

In the next section we introduce the problem this research intends to contribute to solve. Afterwards we describe the research methodology we used in this research to support our proposal. We follow with a related work regarding ITG topic including ITG definition, ITG and ITM differences, and current ITG frameworks. Then we describe our proposal to help solve the problem and how we evaluated it. We finish with conclusion about the research as well as learnings and future work. PROBLEM There are studies that show the positive effect of good ITG in organizations, for example Weill and Ross (2004) and Lingyu et al. (2010). However, there are also evidences that IT keeps being badly managed and governed (Bernroider, 2008; Bingi et al., 1999; Buckhout et al., 1999; Gallagher and Worrel, 2008; Gao et al., 2009; Lunardi et al., 2009; Scott, 1999; Shpilberg et al., 2007). Such fact requires a deeper analysis. Despite the existence of several frameworks to help organizations in ITG implementation, ITIL (Taylor et al., 2007; Taylor et al., 2007a; Taylor et al., 2007b; Taylor et al., 2007c; Taylor et al., 2007d) and COBIT (Information Technology Governance Institute, 2007) are among the most used and adopted frameworks (Broussard and Tero, 2007), most organizations keep designing their own Framework (Broussard and Tero, 2007; Radovanovic et al., 2010; Ridley et al., 2004). Such fact is not surprising since most frameworks state that there is no single “best” IT organizational structure or governance arrangement because IT needs to respond to the unique environments within which it exists (Agarwal and Sambamurthy, 2002; Information Technology Governance Institute, 2007; Lunardi et al., 2009) but does not specify the factors that can influence each ITG implementation. Plus, frameworks are seen as complex (Pereira and Mira da Silva, 2010) (Appendix A), too general (Morimoto, 2009), lacking a theoretical foundation from a scientific viewpoint (Goeken and Alter, 2009), overlaping each other (Pereira and Mira da Silva, 2011; Sahibudin et al., 2008), and hard to implement (Nicewicz-Modrzewska and Stolarski, 2008). Such statements reinforce the possibility of improvements in the existing Frameworks. The theory that “each case is a different case” about ITG implementation led us to the theory of the contingency factors which we define as: Factors that, depending on organizations’ context, may influence the ITG implementation are a possibility that an organization must be prepared for, even if they are not likely or intended.

As there is a clear need for methodological support for the actual tasks and challenges of IT Management (ITM) and ITG, it is surprising that little attention is paid to these questions (Goeken and Alter, 2009). The main problem this research contributes to solve is the following: There are many frameworks for IT Governance. However, organizations still fail to implement IT Governance due to frameworks complexity and overlap. RESEARCH METHODOLOGY The research methodology that will be used in this paper is Design Science Research (DSR). Toward the end of the 1990s DSR began growing in popularity for use in scholarly investigations in IS. DSR methodology is conducted in two complementary phases, build and evaluate. In contrast with behavior research, design-oriented research builds a “to-be” conception and posteriorly seeks to build the system according to the defined model taking into account restrictions and limitations (Osterle et al., 2011). Design science addresses research through the building and evaluation of artefacts designed to meet the identified business needs (Hevner et al., 2004) instead of analyzing existing IS in order to identify causal relations (Osterle et al., 2011). Few researchers attempted to perform empirical studies on ITG topic (Brown and Grant, 2005). Hence, we build and evaluate new and innovative artefacts following the design research paradigm (Hevner et al., 2004). We argue that a better understanding of ITG implementation guide from different and sometimes complementary points of view can be accomplished. Based on the four design artefacts produced by design science research in IS (constructs, models, methods and instantiations), we will focus on constructs and models. Constructs are necessary to describe certain aspects of a problem domain and allow the development of the research project’s terminology (Schermann et al., 2009). In other words, they provide the language in which problems and solutions are defined and communicated (Schon, 1983). Models use constructs to represent a real world situation, the design problem and the solution space (Simon, 1996). The constructs that we propose will be the contingency factors, ITG implementation guidelines, and main ITG and IT Management areas. The model will be the integrated ITG and IT Management framework. The research methodology applied is divided according to the two processes of design science research in IS; build and evaluate. The build process is composed by two stages

whereas and the evaluation process is comprised by only one (Table 1). This kind of research approach was already used in other research papers as De Haes and Grembergen (2008) and Vicente and Mira da Silva (2011). In the first stage, we started with literature review. Because research in some of the proposed constructs is poorly explored/synthesized or even in the early stages, part of this research is exploratory rather than hypothesis testing. Table 1 – Research Methodology BUILD Construct Definition -

Domain definition Contingency factors definition ITG implementation guidelines definition ITG main areas

Framework Construction - Analyze the relationship between constructs - Integrate constructs

EVALUATE Evaluation - Literature review - Interviews - Mapped theories

Exploratory research often builds on secondary research, “such as reviewing available literature and/or data or qualitative approaches such as informal discussions with customers, employees, management or depth interviews, focus group projective methods, case studies or pilot studies” (De Haes and Grembergen, 2008). Our research strategy for ITG implementation guidelines, ITG contingency factors, and ITG and IT Management main areas was based on literature review. The approach used in this paper follows the conceptcentric methodology of IS literature reviews as outlined in Webster and Watson (2002). Österle et al. also point four principles that design-oriented IS research must comply with, and that we followed (Osterle et al., 2011): 

Abstraction. This paper proposes an integrated framework; hence it must be abstract in order to generalize the ITG domain.



Originality. The artefact proposed is not present in the body of knowledge of the domain.



Justification. The various methods proposed to evaluate the artefact should justify it.



Benefit. An integrated framework comprising the alignment of main areas, guidelines, differentiated factors and frameworks knowledge can assist organizations in a better understanding of the domain of ITG, as well as in a better implementation of ITG, and also stimulate the scientific community to research this topic. Additionally, we followed the guidelines for design science research proposed by

Hevner (2004). These guidelines are: design as an artefact; problem relevance; design

evaluation; research Contributions; research rigor; design as a search process; and communication of research. A design artefact is complete and effective when it satisfies the requirements and constraints of the problem that it was meant to solve. In this paper we evaluated our artefacts through interviews as well as literature review. We also map our artefacts to some current theories to prove the completeness of our work. In addition, by submitting these research results to respected international conferences, we also used the appraisal of the scientific community as evaluation criteria. RELATED WORK Governance is a concept that can be used in many contexts. There are many different types of governance and we should make a brief review of them in order to understand each one and which governance we will focus on: 

Corporate Governance – is the system by which organizations are directed and controlled (Grembergen and De Haes, 2008); it is the responsibility delegated by stakeholders and the public, defined by legislators and regulators, and shared by boards, in some measure, with managers (Webb et al., 2006).



Enterprise Governance – is a set of responsibilities and practices exercised by the board and executive managers, with the goal of providing strategic direction, ensuring that plans and objectives are achieved, assessing that risks are proactively managed, and assuring that the enterprise’s resources are used responsibly (Grembergen and De Haes, 2008).



IT Governance (ITG) – Literature has demonstrated a lack of a clear shared understanding of the term ITG. None of the definitions reflect all of the elements of the framework, possibly indicating that authors do develop definitions to support their particular focus (Webb et al., 2006). We identified several ITG definitions in many articles and books, with minor differences (Fasanghari et al., 2008; Gerrard, 2010; Grembergen and De Haes, 2008; Guney and Cresswell, 2010; Jacobson, 2009; Nabiollahi and Sahibuddin, 2008; Park et al., 2006; Selig, 2008; Simonsson and Ekstedt, 2006; Symons, 2005; Webb et al., 2006; Weill and Ross, 2004). These types of governance are correlated and cannot be dissociated from each other.

We should look at them as “whole Governance” with dependencies and relations between them and an order to be followed. However, ITG already developed into a discipline in its own rights (Simonsson and Ekstedt, 2006). Since ITG cannot exist in isolation, but must be a

sub-set of enterprise governance (Symons, 2005), and is also commonly referred to as a subset of corporate governance (Lunardi et al., 2009; Webb, 2006), we conclude that ITG is the most specific and focused of the identified types of governance. In this paper we will focus on ITG. ITG Definition ITG is a relatively new field of research and still missing a consensus definition. Since IT and IS are highly related, the lack of clarity about the concept of ITG is not surprising given that IS is a relatively new discipline that has emerged in a variety of different background disciplines including, but certainly not limited to, social sciences and computing sciences (Goeken and Alter, 2009; Webb et al., 2006). Many studies continue to focus on defining ITG (Peterson, 2003; Webb et al., 2006) and, as we can see by Table 2, many definitions have been proposed. A consensus about ITG definition still does not exist. The purpose of this research is not to decide which the most appropriate ITG definition is, or even propose a new one; however, the concern is stated and a historical review of the main ITG definitions in the literature presented. Table 2 – ITG Definitions Researcher

Year

Brown and Magill

Reference

1994

ITG decisions the locus of responsibility for IT functions.

Luftman

1996

ITG is the degree which the authority for making IT decisions is defined and shared among management, and the processes managers in both IT and business organizations apply in setting IT priorities and the allocation of the IT resources.

Sambamurthy and Zmud

1999

ITG refers to the patters of authority for key IT activities.

Grembergen

2000

Weill and Vitale

2002

Schwarz and Hirschheim

2003

IT Governance Institute (ITGI)

2004

Weill and Ross

2004

Craig et al.

2005

Webb et al.

2006

ITG is the organizational capacity by the board, executive management and ITM to control the formulation and implementation of IT strategy, and in this way ensure the fusion of business and IT. ITG describes a firm’s overall process for sharing decision rights about IT and monitoring the performance of IT investments. ITG consists of IT-related structures or architectures (and associated authority patterns), implemented to successfully accomplish (IT imperative) activities in response to an enterprise’s environment and strategic imperatives. ITG is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists in the leadership and organizational structures and processes which ensure that organization’s IT sustains and extends the organization’s strategies and objectives. ITG is specifying the decision rights and accountability standard to encourage desirable behavior in using IT. ITG is the process by which decisions are made around IT investments. How decisions are made, who makes the decisions, who is held accountable, and how the results of decisions measured and monitored are all parts of ITG. The strategic alignment of IT with business such that maximum business value is

Simonsson and Ekstedt

2006

Gerrard

2010

achieved through the development and maintenance of effective IT control and accountability, performance management, and risk management. ITG is the preparation for, making of and implementation of IT-related decisions regarding goals, processes, people and technology on a tactical or strategic level. ITG is the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals. The definition contains certain key concepts:  ITG is composed of processes with the inputs, outputs, roles and responsibilities inherent in a process definition. (However, the definition does not talk about how these are processed)  The role of ITG “ensures”, as opposed to “executes”.  The goal of ITG is defined as a business goal, not just IT-related.  Key performance measures, identified as effectiveness and efficiency, together represent business value

IT Governance vs. IT Management (ITM) Another important concern is the difference between ITG and ITM as people tend to confuse the concepts. However, they are not the same thing. An important distinction between governance and management is made by Gallagher and Worrel (2008) who states that while executives and managers administer, develop, implement and monitor business strategies on a day-to-day basis, boards and other governance structures deal with overall organization policy, culture and direction (Webb et al., 2006). Yet, Grembergen and De Haes (2008) state that while ITM focuses on effective and efficient internal supply of IT services and products, and the management of current IT operations, ITG focuses on performing and transforming IT to meet present and future demands of the business and its customers. ITG is much broader than ITM, especially because governance involves all organizational issues regarding IT – like definition of politics, IT decision-making rights and responsibilities, investment and projects approval, maintenance and monitoring of all existent IT, and so on (Lunardi et al., 2009). Effective governance should be used to establish guardrails to keep business and ITM on track (Gerrard, 2009). If a company wants to grow and be successful, it must not only manage its IT resources, but also use them throughout the company as part of the governance structure (Wilbanks, 2008). ITG and ITM are strongly dependent of each other and should not be isolated. Future ITG frameworks should include both topics and their relation. Frameworks Over the last years, several frameworks and best practices have been designed, developed, proposed, and others updated from many sources in order to mitigate some ITG gaps as well as improve other ITG topics. For example, International Standard ISO/IEC 38500 (2008) and COBIT 5 (Information Technology Governance Institute, 2007).

There are many frameworks, but the majority is too specific for a certain domain. However, there are few that are more general and complete than COBIT (Information Technology Governance Institute, 2007), ITIL (Taylor et al., 2007; Taylor et al., 2007a; Taylor et al., 2007b; Taylor et al., 2007c; Taylor et al., 2007d), Capability Maturity Model Integration for Services (CMMI SVC) (Forrester et al., 2009), and IT Capability Maturity Framework (IT-CMF) (Costello, 2010; Curley and Kenneally, 2011). In this chapter we will analyze each of the most complete frameworks. We will also explain what the main problems related with these frameworks are, regarding ITG implementation. ITIL is a well-established framework in practice and one of the best-known and adopted (Information Technology Governance Institute, 2004). However, ITIL lacks theoretical foundation from a scientific viewpoint (Goeken and Alter, 2009). Besides, ITIL is focused on Service Management which can be seen like a part of ITG and, as such, cannot be considered a framework to implement ITG. Nevertheless, ITIL is an imperative framework to be taken into consideration by organizations as part of their ITG implementation. ITIL books also lack a reference to contingency factors that organizations could use to more properly plan their ITG implementation. Hence literature states that each ITG implementation is different so these contingency factors should be clearly evidenced in ITG frameworks. Organizations also tend to get confused about what they should implement first. A usual way to mitigate this problem is to present a maturity model to guide organizations. ITIL lacks this feature, although a previous study by Pereira and Mira da Silva (2011) was conducted in order to develop the first maturity model for ITIL. OGC perceived this gap and is also working toward an official maturity model for ITIL V3. Alternatively, COBIT is another well-established framework in practice and one of the best-known and adopted frameworks in the world (Information Technology Governance Institute, 2004). Many organizations are forced to implement COBIT by mandatory regulations and others just recognize COBIT as a good reference for ITG implementation. COBIT is very complete but also very complex which makes organizations think twice before adopting it as their official ITG framework. That is probably one of the reasons, the main one perhaps, why most organizations keep choosing to develop their own framework. Similarly to ITIL, COBIT is a complete framework with very important practices that should be taken into consideration by organizations. COBIT contains a set of important

practices and objectives that organizations should follow. However, as stated by COBIT (Information Technology Governance Institute, 2004), the most important ITG practices and objectives differ from organization to organization but COBIT does not present any help for this concern. COBIT is also pointed out in literature as lacking a theoretical foundation from a scientific viewpoint (Goeken and Alter, 2009). As a framework for control, COBIT is too general. Therefore, there is space for a more profound and specific guidance in order to help organizations in ITG implementation, which could be fulfilled by other frameworks or more specific best practices. COBIT also lacks the identification of contingency factors as well as the association of such contingency factors to COBIT’s control objectives. Another well-establish framework is CMMI-SVC that identifies 24 processes with several practices and sub-practices and introduces (unlike ITIL) a maturity model that brings a new perspective to the organizations, helping them choose what they need to implement first. Similarly to ITIL, CMMI-SVC addresses part of ITG which makes it not suitable for ITG implementation, but a good framework for the implementation of a part of ITG. An advantage of CMMI-SVC is the maturity model which guides organizations in what they should implement first. However, CMMI-SVC also lacks identification of the contingency factors that could differentiate ITG implementation from organization to organization, and without these contingency factors CMMI-SVC also lacks a deep rationalization about how factors can influence the different organizations in the different areas of ITG. Summarizing, the maturity model provides a first roadmap for organizations but, since each case is different, the implementation should certainly be different for each organization. At last but not least, IT-CMF was developed by the Innovation Value Institute (IVI) in Ireland. The motivation was based on: “The lack of existing frameworks and the huge appetite from other top Business and IT executives for such an approach” (Costello, 2010) (Curley and Kenneally, 2011) One of the main goals of IT-CMF is:

“introduce a new framework that stresses the connection to business value in a significant and measurable way” (Costello, 2010) The previous statement, in the authors’ opinion, is not present in other frameworks of the market as ITIL and COBIT. The main goal of IT-CMF is to fortify guidance on ITBusiness connection. However, we conclude that some processes are not covered by ITCMF, such as IT Compliance Management or IT Quality Management, and these processes are also very important for business value achievement. Again, this framework also lacks the identification of some contingency factors that could influence ITG implementation in the several different organizations’ contexts. We have described the most adopted and relevant frameworks. Nevertheless there are several other frameworks, each one with a focus on specific sub-themes of ITG. Frameworks do not cover most themes of ITG but are extremely detailed and concise in the theme or themes they cover. This specificity makes organizations certify their employees in some of these frameworks in order to train personnel in a certain area. The objective of this Section was to highlight the weaknesses of the currently most complete and used frameworks and reinforce the need to develop new theories and approaches about ITG. PROPOSAL In the academic literature a number of authors compiled reviews to support their own conceptual or empirical papers (Brown, 1997; Brown and Grant 2005; Brown and Magill, 1994; De Haes and Grembergen, 2008; Losso and Goeken, 2010; Sambamurthy and Zmud 1999; Sambamurthy and Zmud, 2000; Simonsson and Ekstedt, 2006; Tavakolian, 1989). In his section we will describe our proposals based on ITG literature review. We present the contingency factors that can influence the ITG implementation by each organization, as well as the general ITG implementation guidelines and the main ITG and ITM areas.

Contingency Factors ITG implementation is influenced by external and internal factors (Xue et al., 2006). Nevertheless, literature fails to reveal a clear and concise identification of these factors. From a literature review originated a number of substantive conclusions regarding the contingency

factors to ITG implementation. Contingency factors include: organizational culture and structure, strategy, size, regional differences, industry, maturity, ethic and trust. A summary of the contingency factors as well as their literature references is presented in Table 3. We now describe each of the proposed Contingency Factors in detail: Culture – Corporate culture plays an invaluable role in the enterprise development. Management of culture is to make employees care about enterprise (Jiandong and Hongjun 2010) and its context refers to managing IT workers and workplaces in such a way that the social processes, which reflect the interactions among groups of people with differing worldviews, are taken into account (Weisinger and Trauth 2003). Surveys of CEOs during the past few years have identified organizational culture as one of the largest inhibitors to change and related business performance improvements (Gerrard 2009), which means corporate culture can influence the success of ITG implementation (Fink and Ploder, 2008). Structure – The structure of IT is one of the major recurring issues in literature (Adams et al., 2008; Gallagher and Worrel, 2008; Goeken and Alter, 2009; King, 1983; Peak and Azadmanesh, 1997; Sambamurthy and Zmud, 1999). Most of the existing literature approaches the topic of ITG from existing or proposed structures point of view (Webb et al., 2006). IT has not only changed the traditional ways people acquire information, but has also broken old patterns of production management and profoundly changed firm’s organization structure in space and time. Organization structure is the necessary condition to the achievement of business goals by organizations (Gao et al., 2009). Organizational structure has been identified by literature as a concern that should be taken into consideration in ITG implementation. Size – Some studies have attempted to discover the effect of organization size on ITG (Brown and Grant, 2005; Cochran, 2010; De Haes and Grembergen, 2008). Sambamurthy and Zmud (1999) state that the size of the firm influences the ITG mode through its effect on the mode of corporate governance. There is also evidence that many small organizations lack standardized project management practices (Cochran, 2010). Industry – IT has a wide range of applicability across almost all industries (Tanriverdi, 2006). Some ITG studies only focus on a specific kind of industry (De Haes and Grembergen, 2008) while others on more than one, like Simonsson et al. (2008b) who conducted interviews in separate industries and collected different results. ITG means different things in distinct industries, evident by the different regulations that have been developed (Webb et al., 2006).

Regional Differences – Some studies have been made about regional differences in ITG implementations. For example, Weisinger and Trauth (2003) pointed out the importance of aspects like language, local laws, and national information infrastructures. Another study performed by Aagesen et al. (2011) made a cross-country comparative study where they found different ITG implementations, while Fink and Ploder (2008) performed some regional case studies in different countries. Maturity – IT has matured so much that, in many ways, IT is a commodity. However, specialized resources are still needed (Cochran, 2010). The use of ITG maturity measurements is one of the means to evaluate the success of ITG (Dahlberg and Lahdelma, 2007). Some studies have been performed and interesting conclusions collected: a study compared different organizations and determined that, in general, high performers have more mature ITG structures and processes (De Haes and Grembergen, 2008); another study identified possible requirements for good ITG maturity assessments (Simonsson and Johnson, 2008); and another study yet concluded that there is a correlation between ITG performance and ITG maturity indicators (Simonsson et al., 2008b). Strategy – How to accomplish strategic alignment between business and IT in the complex and dynamic environment of the real world remains a great unanswered challenge for the CIO and CEO (Ekstedt et al., 2004; Silva et al., 2006; Tallon and Kraemer, 1998). Therefore ITG should be dealt with as a business strategy (Park et al., 2006). Some research projects focus on how strategic alignment impacts business performance (Simonsson and Johnson, 2008). Strategy had even already been proposed by Brown and Grant as a possible contingency factor of ITG (Brown and Grant, 2005). Ethical – To promote ethical business practices, an organization needs a leader who is committed to something more than profits. Ethical awareness in corporate governance has a strong effect to ensure employee trust in the workplace (Memiyanty and Putera, 2010). In the interviews performed by Maidin and Arshad (2010) most of the interviewees agreed that ethic of compliance is an important aspect for ITG practices. Trust – Many scholars claim that the concept of trust and cooperation is crucial for solving or at least minimizing governance failure (Memiyanty and Putera, 2010). Table 3 – Contingency Factors of ITG Implementation Contingency Factors Organizational Culture

Literature (Brown and Grant, 2005) (Fink and Ploder, 2008) (Gerard, 2009) (Hosseinbeig et al., 2011) (Jiandong and Hongjun, 2010) (Maidin and Arshad, 2010) (Symons, 2005) (Weisinger and Trauth, 2003)

Organizational Structure Size Industry Regional Differences Maturity Strategy Ethical Trust

(Adams et al., 2008) (Aagesen et al., 2011) (Cochran, 2010) (De Haes and Grembergen, 2008) (Gallagher and Worrel, 2008) (Gao et al., 2009) (Guney and Cresswell, 2010) (Hosseinbeig et al., 2011) (Lunardi et al., 2009) (Park et al., 2006) (Shpilberg et al., 2007) (Symons, 2005) (Web et al., 2006) (Brown and Grant, 2005) (Cochran, 2010) (De Haes and Grembergen, 2008) (Jacobson, 2009) (Lunardi et al., 2009) (Brown and Grant, 2005) (De Haes and Grembergen, 2008) (Gerard, 2009) (Jacobson, 2009) (Jiandong and Hongjun, 2010) (Simonsson et al., 2008(b)) (Tanriverdi, 2006) (Aagesen et al., 2011) (Fink and Ploder, 2008) (Gallagher and Worrel, 2008) (Shpilberg et al., 2007) (Weisinger and Trauth, 2003) (Cochran, 2010) (Dahlberg and Lahdelma, 2007) (De Haes and Grembergen, 2008) (Park et al., 2006) (Simonsson and Johnson, 2008) (Simonsson et al., 2008(a)) (Simonsson et al., 2008(b)) (Brown and Grant, 2005) (Dahlberg and Lahdelma, 2007) (De Haes and Grembergen, 2008) (Jacobson, 2009) (Park et al., 2006) (Silva, and Chaix, 2008) (Symons, 2005) (Maidin and Arshad, 2010) (Memiyanty and Putera, 2010) (Memiyanty and Putera, 2010)

In this section we identified the main contingency factors that organizations should take into consideration before implementing ITG. Considering each the organization’s context, these factors must be used in the first steps of ITG implementation. In the next section we will identify the general guidelines that should be followed by all types of organizations no matter their context. ITG Guidelines Guidelines have been designed, used, and adopted in several domains, e.g. Bohl et al. (2002), Goeken and Alter (2009), Hevner et al. (2004), Herzwurm and Pietsch (2008), MullerRathgeber et al. (2008), Simonsson et al. (2008b), Takata et al. (2004) and Ungar and Parameswaran (2005). Guidelines should be considered an instrument that ought not to be underestimated since they are necessary to obtain a uniformity regarding functionality and optics, as well as a desired quality level (Bohl et al., 2002). In this section, we will present our proposed guidelines for ITG implementation. Smith and Mosier (1986) suggest that every guideline development effort should begin and end by acknowledging other people’s significant contributions. Therefore, reviewing available ITG literature is an essential part for developing appropriate guidelines. Also, guidelines can be based on experience - either practical, or derived from research (Aagesen, 2011). In the available literature, both approaches can be seen (Hevner et al., 2004).

We have studied the main literature in the area and proposed a set of guidelines (Table 4) that organizations should follow in order to increase ITG implementation success rate. These guidelines provide a high level picture of ITG’s main steps while, at the same time, describe “What we need” and “How to do it” to follow those steps. Guideline 1 and 2 – For many years now, companies seeking to deliver higher business performance by harnessing IT have focused on alignment (Fink and Ploder, 2008; Shpilberg et al., 2007). Many researchers have studied the strategy alignment concern, e.g. Webb et al. (2006), and currently many companies also recognize that IT and business priorities must be tightly linked (Shpilberg et al., 2007). In fact, to create a sustained value for organizations, the development of the IT strategy must be closely connected to the business one (Luftman, 2000). When there is alignment, IT delivers services that are crucial to the company’s strategies, operation, or user needs (Fink and Ploder, 2008). In recent literature, strategy is included in several frameworks proposed by researchers, e.g. Simonsson et al. (2008b), Gerrard (2010) and Lingyu et al. (2010), and strategy alignment is identified as an important issue for ITG (Grembergen, 2000; Information Technology Governance Institute, 2004; Weill and Ross, 2004; Simonsson and Ekstedt, 2006; Webb et al., 2006). Therefore, IT strategy alignment is one of the most important steps in ITG implementation (Fink and Ploder, 2008; Gerrard, 2010; Symons, 2005; Xiao-wen et al., 2009). Some authors even state that ensuring the alignment between business and IT is one of the primary goals of ITG (Nabiollahi and Sahibuddin, 2008; Symons, 2005; Xiao-wen et al., 2009). Guideline 3 – ITG can be deployed using a mixture of various structures, processes and relational mechanisms (Grembergen et al., 2003; Peterson, 2003; Peterson et al., 2002; Weill and Ross, 2004). A well-matured ITG framework should be based on three major elements: structures, processes and communication (Nabiollahi and Sahibuddin, 2008; Symons, 2005). With ITG structures, process and relational mechanisms, organizations aim at securing that IT delivers value to the business in a transparent manner, that accountabilities are organized to support the maximum delivery of business value from IT, and that risks are mitigated according to business needs (Dahlberg and Lahdelma, 2007). The definitions of structures, processes and relational mechanisms are given by Peterson (2003):



ITG structures – “structural (formal) devices and mechanisms for connecting and enabling horizontal, or liaison, contacts between business and ITM (decisionsmaking) functions”



ITG processes – refer to “formalization and institutionalization of strategic IT decision making or IT monitoring procedures”



The relational mechanisms – are about “the active participation of, and collaborative relationship among, corporate executives, ITM, and business management”. Relational mechanisms are crucial in an ITG framework and paramount for attaining and sustaining business IT alignment, even when the appropriate structures and processes are in place (Callahan and Jeyes, 2003; Henderson et al., 1993; Keill et al., 2002; Smaczny, 2001). Guideline 4 – ITG is composed of processes with inputs, outputs, roles and

responsibilities inherent to a process definition (Gerrard, 2010). Actually, the effective management of organizational IT resources, enabling the provision to achieve its goals, is done through a set of IT processes (Webb et al., 2006). With the alignment of IS strategy and business strategy, it is important that an organization designs ITG processes to be closely in tuned with those of its corporate governance (Webb et al., 2006). Simonsson and Ekstedt (2006) identified the implementation and management of IT processes as a dimension of ITG in which IT decisions are made and carried out. Agarwal and Sambamurthy (2002) also identify a set of IT processes that should be present and managed in every IT function to convert foundation IT capabilities into business applications and services. Guideline 5 – Even without consensus among academics and practitioners about how it should be done, IT/business alignment should be measured in an organization along with what procedures ought to be taken to maintain and improve IT/business alignment (Silva and Chaix, 2008). The decision’s implications should also be monitored and measured (Simonsson and Ekstedt, 2006) always bearing in mind that how the results of decisions are measured and monitored is part of ITG (Symons, 2005). Not just IT/business alignment, but also IT processes maintenance has to be measured, evaluated and controlled in order to implement ITG (Nabiollahi and Sahibuddin, 2008). Furthermore, monitoring and measuring have been used by several researchers in their frameworks as an important step for ITG implementation, e.g. Dahlberg and Lahdelma (2007), Lingyu et al. (2010) and Nabiollahi and Sahibuddin (2008).

Grembergen (2003) even identified the control of the performance as a main element of ITG. The elements for implementing effective ITG are performance drivers that provide indicators on how ITG is achieving (Silva and Chaix, 2008). Guideline 6 – Many frameworks (ITIL, COBIT, amongst others) were developed and proposed. These frameworks describe goals, processes, and organizational aspects of ITM and control. They are created and put to use in practice (Goeken and Alter, 2009). While there is no single, complete, off-the-shelf ITG framework, there are a number of frameworks available that can be useful for developing a governance model (Symons, 2005). Many researchers encourage the use of such frameworks and standards to help in ITG implementation, e.g. Jaafar and Jordan (2009), Nabiollahi and Sahibuddin (2008), Silva and Chaix (2008), Symons (2005) and Webb et al. (2006). Table 4 – ITG Guidelines What do we need?

How to do it?

1 Where do Vision and IT/business we want to objectives be?

IT/business strategies IT/business goals

At this step we will need to collect: - Vision, mission, strategy and IT goals - Vision, mission, strategy and business goals - Porter (SWOT) - use the goals and strategies of stakeholder/customer groups to drive the definitions of principles and policies to guide the usage of IT in an organization

IT/business alignment, 2 ITG Where are maturity, we now? IT/business strategic plan

Core competences Assess IT department and maturity Assess enterprise Assess business/IT alignment

This is an important point. At this step we will assess/define business/IT strategic alignment. Meetings with IT and business should be established in order to achieve correct IT/business. Many tools designed by the previously identified main studies in the area can be used. (Luftman, 2000) (Weill and Ross, 2004)

Structures, processes, and relational mechanisms

Collect information about the culture, strategy, structure, etc., of the organization and integrate them in the resulting documents of previous steps

After collecting all the outputs from the previous step (Where are we now?) we are almost able to decide which mechanisms are needed to move from the state identified in the first step (Where do we want to be?). Before, we must conduct a study to discover possible influences of the kind of industry of the organization, present organizational culture and structure, organization size and, finally, consider regional differences. With these two powerful kinds of information, we are then able to create an ITG team to provide the executive support and instruct the organization in the decision of which structures, processes and relational mechanisms will be needed to correctly and appropriately implement ITG to the organization’s environment.

(Fasanghari et al., 2008) (Jiandong and Hongjun, 2010) (Jacobson, 2009) (Simonsson and Ekstedt, 2006) (Dahlberg and Lahdelma, 2007) (Symons, 2005) (Jaafar and Jordan, 2009) (Sambamurthy and Zmud, 1999) (Hosseinbeig et al., 2011)

IT processes

Materialize the plan defined in the previous step

The materialization of the previous step is not easy; indeed, we believe it to be the most difficult step to perform. The implementation of the processes will show us if they were well chosen, but it requires time and resources. In addition, it will change the organization and we cannot just look for one best practice framework or standard to guide us.

(Dahlberg and Lahdelma, 2007) (Gerrard, 2009) (Luftman, 2000) (Simonsson et al., 2008(b)) (Maidin and Arshad, 2010) (Symons, 2005)

IT Balance Metrics Scorecard Measuremen Enterprise ts Balance Scorecard

In order to control our performance, we should use a balance scorecard to analyze the most important information. To simply adopt an IT balance scorecard or just an enterprise balance score card is not the right choice. We heavily recommended the adoption of both that, in the future, should be analyzed independently and sometimes together.

(Fasanghari et al., 2008) (Dahlberg and Lahdelma, 2007) (Webb et al., 2006) (Gerrard, 2009) (Simonsson et al., 2008(a)) (Dahlberg and Lahdelma, 2007) (Silva, and Chaix, 2008) (Symons, 2005) (Jaafar and Jordan, 2009) (Maidin and Arshad, 2010) (Sambamurthy and Zmud, 1999)

Standards Best practices Frameworks

Present and future best practices frameworks and standards, as well as important researches in the area, should be taken into consideration by organizations. This will ensure that organizations stabilize and continue being attentive to the market and to quickly perform small changes, if necessary.

(Simonsson et al., 2008(a)) (Adams et al., 2008) (Luftman, 2000) (Dahlberg and Lahdelma, 2007) (Sambamurthy and Zmud, 1999) (Mellis, 1998)

Guideline

3 What do we need to get there?

4 How do we get where we want to be? 5 How do we know we have arrived there? 6 Are we following the market’s

About what?

Be aware of best practices frameworks and standards

Literature (Gao et al., 2009) (Dahlberg and Lahdelma, 2007) (Webb et al., 2006) (Gerrard, 2010) (Gerrard, 2009) (Agarwal and Sambamurthy, 2002) (Luftman, 2000) (Simonsson et al., 2008(b)) (Shpilberg et al., 2007) (Maidin and Arshad, 2010) (Ploder, 2008) (Symons, 2005) (Jaafar and Jordan, 2009) (Gao et al., 2009) (Dahlberg and Lahdelma, 2007) (Webb et al., 2006) (Gerrard, 2010) (Gerrard, 2009) (Agarwal and Sambamurthy, 2002) (Luftman, 2000) (Simonsson et al., 2008(b)) (Shpilberg et al., 2007) (Maidin and Arshad, 2010) (Ploder, 2008) (Symons, 2005) (Jaafar and Jordan, 2009)

best practices? 7 How do we know we are doing it right?

Compliance Audit

Audit regularly Internal and external compliance

Collect information to 8 improve and Improvemen How do innovate in order t to prepare we keep it Innovation organization for on track? current and future challenges

Nowadays more than ever organizations must be in compliance with several regulations (internal and external), best practices, and be audit. This is a strong sign of the increasing importance of measure organizations in order to ensure that they are doing their work correctly. (Dahlberg and Lahdelma, 2007) (Jacobson, Organization’s complexity is high, mainly if they are mid or big 2009) (Jaferian et al., 2008) companies. To not implement control is sooner or later a synonym of failure. Compliance must be implemented across all the organization, not just for a few processes or departments since all organizations must be under compliance. Organizations are constantly changing for many reasons. One crucial function is the continual improvement responsible for centralizing several improvements sources. Similarly to the previous step (compliance), the continual improvement must cross all the organization and not just part of it.

(Agarwal and Sambamurthy, 2002) (Shpilberg et al., 2007) (Maidin and Arshad, 2010) (Sambamurthy and Zmud, 1999) (Jacobson, 2009) (Guney and Cresswell, 2010)

Guideline 7 – Business development and changes in the supervision environment, internal rules and regulations tend to get more and more miscellaneous. Regulatory compliance mandates are becoming increasingly pervasive and burdensome in many countries, and compliance function is coming under ever increasing pressure by recent regulatory developments (PrinceWaterHouseCoopers, 2008). Some research has begun to focus on the audit and control aspects of ITG, e.g. Jacobson (2009). Implementation of policies defines specific procedures and practices for compliance with each affected area, along with the method of oversight, compliance enforcement, and an escalation/appeal process to deal with requests for waivers or other exceptions that might be allowed (Gerrard, 2010). Therefore, organizations should ensure they are compliant with all the previous statements including regulations, processes, activities, etc. Guideline 8 – IT now plays a more prominent role in corporate agility, enabling speedy and continual business innovation in products, services, channels, and supply and demand chain management (Agarwal and Sambamurthy, 2002). Technology is constantly changing and complexity increases with change. Nowadays, agility presents a challenge for many IS (Gallagher and Worrel, 2008). Firms are investing heavily on enterprise digital platforms to support innovations in their “ecosystems” – that is, their business partnerships with customers, suppliers, and other specialist firms (Agarwal and Sambamurthy, 2002). A survey has concluded that many organizations spend 80% of their IT budget in maintenance, upgrades and less than 20% on new applications and capabilities (Shpilberg et al., 2007). However, for ITG implementation to be effective, organizations need to continually design governance (Weill and Ross, 2004), transforming and positioning IT for meeting future business challenges (Silva and Chaix, 2008). Decisions about business innovations require significant levels of collaboration and partnership between IT and business executives (Agarwal and Sambamurthy, 2002).

In this Section we identified general guidelines for ITG implementation. These guidelines are high level and intend to give a perspective from where organizations must begin their ITG implementation. These guidelines are general and do not change with each organization context. In the next Section we will leverage the main ITG and ITM areas. Main Areas In this section we describe each proposed area in detail. Table 5 presents a summary of the areas as well as the correspondent literature from which we leveraged our areas. The first area identified was Strategy Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in next paragraphs. Firms cannot be competitive if their business and IT strategies are not aligned (Bartenschlager and Goeken, 2009). IT strategic planning has received growing emphasis and is a major component of ITG (Hamaker and Hutton, 2004). It is a topic which is increasingly taken into consideration by different disciplines of information management in practice and science, e.g. ITG (Bartenschlager and Goeken, 2009; Information Technology Governance Institute, 2007). Indeed, the alignment of business and IT is one of the fundamental challenges for practice and science nowadays (Forrester, 2007). ITG comprises the formulation and implementation of IS/IT strategy as an essential function to ensure business/IT alignment (De Haes and Grembergen, 2004). IT strategic alignment is one of the main focuses of ITG (Fasanghari et al., 2008; Maidin and Arshad, 2010). ITG drives strategic alignment between IT and the business (Brown and Magil, 1994) and, when there is alignment, IT delivers services that are crucial to the company’s strategies, operation, or user needs (Huang and Hu, 2007). Good ITG ensures, for example, that IT investments are aligned with business strategy (Symons, 2005). To create a sustainable value for organizations, the development of IT strategy must be closely linked to the business strategy (Fink and Ploder, 2008). Avison (2006) asserts that there is a direct relationship between the failure of an IT strategic alignment and the failure of an organizational (business) goal, due to miss-implementation of ITG or the lack of governance (Hosseinbeig et al., 2011). The study performed by Simonsson and Ekstedt (2006) concluded that literature and practitioners identify strategy as one of the top priorities. Strategic alignment is being used in several frameworks created by researchers in the last

years (Agarwal and Sambamurthy, 2002; Nabiollahi and Sahibuddin, 2008; Tanriverdi, 2006; Webb et al., 2006). An effective alignment of business and IT should not only take place at a strategic level, as Luftman claims (2008), but should also be accompanied by aligning processes as well, caused by the perception that an appropriate support of business activities can only be accomplished by thinking both areas (Bartenschlager and Goeken, 2009). Besides all these evidences, how to accomplish strategic alignment between business and IT in the complex and dynamic environment of the real world remains a great unanswered challenge for the CIO and CEO (Ekstedt et al., 2004; Silva et al., 2006; Tallon and Kraemer, 1998). The second area identified was Service Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in next paragraphs. IT is an expense item that exists to serve business. People need to change their mindsets since IT has to think in terms of providing a service, not just providing technology (Jun et al., 2010). Failure of IS can cause tremendous business losses by stopping manufacturing lines. Also, the enterprise needs to enable flexible and agile responses to market conditions. In order to meet these business requirements, an IT organization is required to offer high-quality IT services (Park et al., 2006). Service-oriented ITM concept concentrates especially on the management of IT services. Accordingly a large number of models, methods and concepts were developed, intended to help guarantee service-oriented ITM (Hosseinbeig et al., 2011). ITIL is the most widely used framework for IT service management (Lahtela et al., 2010). ITIL states that, for example, organizations must have a service level agreement (SLA) between business processes and IT services as an important mean for assessing alignment and, as a decision-making tool, for improving management of the business and ITG alignment (Silva and Chaix, 2008). The third area identified was Resource Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the following paragraphs. IT resource management is an important process for an IT department (Maidin and Arshad, 2010; Tanriverdi, 2006) and IT resources should be properly managed if organizations want to grow and be successful (Wilbanks, 2008). Multi-business firms, for

example, have an opportunity to exploit cross-unit IT synergy by using common IT resources and management processes across their business units (Tanriverdi, 2006). Enterprise Resource Planning (ERP) is seen as key in supporting business processes in many organizations (Bernroider, 2008) due to its potential in resolving the problem of fragmented information (Muscatello and Chen, 2008). ERP involves the seamless integration of processes across functional areas such as finance or human resources (Bernroider, 2008). An ERP system enables an organization to integrate all the primary business process in order to enhance efficiency and maintain a competitive position (Nah and Lau, 2001). ERP systems have become vital strategic tools in today’s competitive business environment (Lingyu et al., 2010). The fourth area identified was Risk Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail next. While many organizations recognize the potential benefits that technology can yield, the successful ones also understand and manage the risks associated with implementing new technologies (Fasanghari et al., 2008). There are evidences in the literature of the benefits of the IT Risk Management implementation (Askary et al., 2012). With more of an organization built on IT, risks associated with IT are often the same as risks to the business (Symons, 2005). Risk plays an increasingly vital role in contemporary organizational infrastructures due to a multitude of operational, technical and regulatory reasons. Current risk management methodologies are often static in nature and cannot meet the demands of operational practices. IT risk assessment in particular is often not integrated into the business management process but rather executed in parallel (Schmidt and Albayrak, 2010). Because of the rising importance of IT, the importance of operational risks in this context will rise (Radovanovic et al., 2010). IT has been considered one of the main risk factors of organizations (Grembergen et al. 2003). Risk management is an important process in an IT department and an objective that drives ITG (Dahlberg and Lahdelma, 2007; Gerrard, 2010; Maidin and Arshad, 2010; Nabiollahi and Sahibuddin, 2008; Webb et al., 2006). Good ITG ensures that IT investments are optimized and delivering value within acceptable risk boundaries (Symons, 2005). The fifth area identified was Development Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the next paragraphs.

IT requires flexible and agile responses whenever market conditions change. In the past few years, agile software development has emerged as a promising solution to the problem of software development complexity (Wang and Vidgen, 2007). IT service providers use applications to support their business processes (Mayerl et al., 2005) and as such IT needs to develop specific software (Lunardi et al., 2009). The need for specialized ITM functionality and information generates a multitude and diversity of management applications that can be recognized in an IT provider’s scenario (Mayerl et al., 2005). For example, to execute IT processes, IT provider’s employees use different management applications (Mayerl et al., 2005). Software tools are important for IT management, like for example for Project Management (Tatnall and Shackleton, 1996). Nowadays there is still space for the development of better management solutions for IT (Mayerl et al., 2005). Actually, organizations must stop spending more than 80% of their IT budget in maintenance, patches, upgrades and other routine expenses, and less than 20% on the development of new applications and capabilities (Shpilberg et al., 2007). There are also studies in literature about software development in IT companies as for instance (Wang and Vidgen, 2007). The sixth area identified was Architecture Management. The reasoning behind the nomination of such process as one of the main IT processes will be described in detail in the subsequent paragraphs. One of the most common approaches to ITM today is enterprise architecture (Simonsson and Ekstedt, 2006). In fact, IT architecture and infrastructure is a present concern of ITM (Agarwal and Sambamurthy, 2002; Fink and Ploder, 2008; Gerrard, 2010; Silva and Chaix, 2008; Tanriverdi, 2006). Architecture can be viewed at various levels, including hardware, network, system, application, business process and enterprise level (Armour et al., 1999; Richardson et al., 1990). Agile IT architectures and infrastructures allow rapid customization and modification of systems and the products and services they support, thereby providing agile organizations the capacity to explore and exploit market opportunities (Gallagher and Worrel, 2008). Architectural governance is viewed as a necessary condition for ensuring success (Aagesen et al., 2011). Much work is today available on the topic of enterprise architecture. Most prominently, there are a number of enterprise architecture (which define and interrelate data, hardware, software, and communication resources, as well as the supporting organization required to maintain the overall physical structure required by the architecture (Richardson et

al., 1990; Zachman, 1987)) frameworks that support IT decision makers (Simonsson and Ekstedt, 2006). The seventh area identified was Project Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the following paragraphs. Researchers are increasingly recognizing the importance of the implementation of project management (Fan, 2010). At the moment, numerous IT projects over-emphasize the technology research and applications, but neglect the function of project management (Fan, 2010). Shpilberg (2007) states: “Once IT systems are like a swamp: Projects just get bogged down” This statement reinforces that the Project Management process should be taken into consideration as several authors state, like for example Fink and Ploder (2008), Gerrard (2010), Maidin and Arshad (2010) and Natovich (1998). Survey data suggests that about three-quarters of IT projects are canceled or fail to deliver expected results on time and on budget (Shpilberg et al., 2007). According to Maizlish and Handler (2005), 50% of managers said they could have accomplished value with 50% of the cost, and only 52% of the projects reached strategic value. In the literature, there are several studies about IT project management, (Gallagher and Worrel, 2008) for example, performed a case study in which several product versions implementation took much longer than the timeline originally targeted. Fan states that effective approaches to integrating modern project management ideology and methods with IT during the implementation of IT projects are very significant (Fan, 2010). Another study yet concluded that a project office could enforce proper project management procedures in small organizations (Cochran, 2010). The eighth area identified was Quality Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the next paragraphs. IT services can be defined as “the collective effect of service performances which determine the level of satisfaction of a user with the service”. Since IT services are built and delivered on top of IT infrastructures, the quality of IT services is highly dependent on the quality of IT infrastructures (Silva and Brito e Abreu, 2010). Actually, the quality of an IT organization can be internally and externally measured (Simonsson and Johnson, 2008).

Simonsson and Johnson (2008) have even listed several criteria for evaluating perceived IT quality. Also, improving service quality in IT infrastructure management continues to be a critical driver for business growth (Diao et al., 2009). Others studied the criteria for assessing the quality of IT applications which must reflect organizational needs for redesign, alignment and integration (Corea and Levy, 2007), and stated there is a need to take a more critical perspective when assessing IT applications’ quality (Corea and Levy, 2007). The ninth area identified was Investment Management. The reasoning behind the nomination of such process as one of the main IT processes will be described in detail next. Defining how much money to invest on IT and how the distribution of IT investment must be, in terms of maintenance, services, human resources, or a new project, is really important (Lunardi et al., 2009), and inevitably require planning (Pita et al., 2011). IT has been considered one of the main risky factors of organizations (Grembergen et al., 2003), and both the lack and excess of these investments can compromise the structure and the operations of the firm (Lunardi et al., 2009). The concern about how IT and IT investments are managed has recognized that “getting IT right” this time will not be about technology, but about the way IT is governed (Peterson, 2003). ITG directly influences the benefits generated by organizational IT investments (Weill, 2004; Weill and Broadbent, 1998). Although many organizations realize that IT is becoming not only a significant expense but also one of their main organizational assets, decisions about IT adoption, implementation, and management are still complex, wasting a lot of money in bad IT acquisitions (Jeffery and Leliveld, 2004; Mcafee, 2004). Some studies have shown that companies which have good ITG models generate superior returns on their IT investments than their competitors (Lunardi et al., 2009; Webb et al., 2006). Many companies have spent about 50% of all capital investment on IT (Bloem et al., 2006). However, there are studies which found that enormous IT investment did not bring about significant benefits (Gao et al., 2009). With IT investments making up a significant portion of corporate budgets and increased external pressure to control and monitor costs, effective governance is seen as a vital way to ensure returns on IT investments and improved organizational performance (Dahlberg and Kivijarvi, 2006). Effective business investment projects, for example, require the coordination of investment and change across business functions and at the appropriate level of authority (Gerrard, 2009). Organizing IT investments must become a priority. There

is a growing trend on large organizations to elevate IT performance to the board of director’s level (Symons, 2005). IT investments and decision-making processes have a significant impact on organizational success (Xue et al., 2006). Organizations must have a proper planning in IT investment, highlighting ITG practices by realizing that the advantage of deploying ITG model is crucial to retrieve a competitive advantage and thus decrease the rate of IT project failures (Maidin and Arshad, 2010). Companies cannot build effectiveness unless they hold IT and the business accountable for delivering expected results on time and on budget (Shpilberg et al., 2007). As a summary, Investment Management is an important IT process in the literature (Agarwal and Sambamurthy, 2002; Fink and Ploder, 2008; Weill and Ross, 2004). The tenth area identified was Outsourcing Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the subsequent paragraphs. The roots of IT outsourcing date back to the 1960s and 1970s (Dahlberg and Lahdelma, 2007), but recent outsourcing changed and Grover et al. (1996) have identified some of the main changes. During the 1990s some research discovered that selective outsourcing leads to higher IT outsourcing success than total outsourcing (Lacity and Willcocks, 1998; Lacity et al., 1996). Due to the large variety of IT outsourcing arrangements, there are differences in interrelations between IT outsourcing and ITG (Dahlberg and Lahdelma, 2007). Supply-side governance is becoming more problematic because of weakness in control and coordination of supply-side governance domains (Gerrard, 2009). For example, IT offshore outsourcing is a well-established practice, especially in software development (Kuni and Bhushan, 2006) and there is also evidence that many organizations consider outsourcing their IT development projects as an alternative risk-mitigation approach (Natovich, 1998). Despite this increasingly popular trend, the initial expectations of cost reduction and risk mitigation of offshore outsourcing and outsourcing are not reached. On the one hand, offshore outsourcing has many hidden costs. Risk of transition, learning needs, communications overheads, setup times, ramping up durations, scope creeps, government regulations, and so on, are not taken into account in the initial estimation of the relationships (Kuni and Bhushan, 2006). On the other hand, by outsourcing an organization might not eliminate the traditional IT risks but rather exchange them for equally fatal vendor risks (Natovich, 1998).

However, an effective IT organization needs a wide variety of capabilities. Traditionally, most organizations did as much as they could in-house. Today, nearly all the capabilities are available from a range of suppliers. Choosing the right source for a capability, maximizing effectiveness while minimizing costs, is thus a critical consideration (Shpilberg et al., 2007). Therefore, researchers have been analyzing IT outsourcing as a key element of ITG (Ang and Straub, 1998; Aubert et al., 2004). Research has focused on determining the appropriate degree of IT outsourcing as well as on prescriptive models to assist with IT outsourcing decision-making (Jacobson, 2009). When outsourcing turning over has happened once, the responsibility of the IT function is no longer to develop, maintain and deliver the outsourced service(s). The role of the IT function shifts to sourcing, outsourcer-vendor relationship management, and to service level monitoring for outsourced IT services (Dahlberg and Lahdelma, 2007). For these reasons, outsourcing management has been identified by some researchers as an important IT process (Gerrard, 2010; Tanriverdi, 2006). Many CIOs emphasize their need to understand the tasks being outsourced, so that vendors could be held accountable. That often means doing the job yourself until you understand enough to send it outside (Shpilberg et al., 2007). The eleventh area identified was Support Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the next paragraphs. IT support organizations consist of a network of support groups, each one with a team of operators. Real-life IT support organizations implement complex organizational, structural, and behavioral processes according to the strategic objectives defined at the business management level (Bartolini et al., 2010). Incident management is the process through which IT support organizations manage to restore normal service operations after a service disruption. The complexity of real life enterprise-class IT support in organizations makes it extremely hard to understand the impact of organizational, structural and behavioral components on the performance of the currently adopted incident management strategy and, consequently, which actions could improve it (Bartolini et al., 2010; Gupta et al., 2008). Problem management is an essential element of delivering IT service management. The objective of problem management is to minimize the impact of problems on the organization (Jun et al., 2010). Problem management is also a critical and expensive element

for delivering IT service management and touches various levels of managed IT infrastructure (Diao et al., 2009). Service Desk (also known as Help Desk) should be used as the single point of contact for the users who need help running their IT systems and are used by customers to report IT issues in enterprise systems (Bartolini et al., 2010; Gupta et al., 2008). Customers contact the service desk for various purposes, such as information, configuration change, problem being faced by the customer, and so forth (Gupta et al., 2008). In order to tune the performance of the IT support organization, it is necessary to evaluate the possible improvements brought by realignments of the current incident or problem management strategy, or by the adoption of alternative strategies (Bartolini et al., 2010). The twelfth area identified was Compliance Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the subsequent paragraphs. Business development and changes of supervision environment, internal rules and regulations tend to get more and more miscellaneous (Yang, 2009). Regulatory compliance mandates are becoming increasingly pervasive and burdensome in many countries (Marvin et al., 2007) and compliance function is coming under ever increasing pressure by recent regulatory developments (PriceWaterhouseCoopers, 2008). Organizations have been reactive, depending on manual or point solutions. This means the business becomes extremely fragmented. The result is complexity, redundancy, and failure (Rasmussen, 2010). The ad-hoc, reactive approach to compliance brings complexity, forcing organizations to be less agile (Rasmussen, 2009). Understanding compliance requirements and fully complying with them is a complex and challenging task (Gudivada and Nandigam, 2009). The Sarbanes-Oxley Act of 2002 placed emphasis on tightening the control of corporate governance, with control of IT seen as an important piece of the overall governance picture (Tuttle and Vandervelde, 2007). Since IT is becoming pervasive in any organization, IT decisions cannot be based primarily upon technology updates, storage capacity or cost savings independently of legal and compliance considerations (Little, 2007). IT departments must insure that their applications meet all compliance requirements that govern their products, services, and other activities (Gudivada and Nandigam, 2009). IT compliance is mainly about metering and auditing software licenses, authorization and authentication for IT resource usage, physical security for computer systems, data

centers, policies and procedures for IT operations and help desk support, protecting the privacy of data stored on computer systems, and prevention and detection of illegal activities. Since corporations heavily depend on IT systems for their daily operations, IT systems play a greater role in meeting the compliance requirements (Gudivada and Nandigam, 2009). Nowadays, there are researchers focusing their studies on the audit and control aspects of ITG (Jacobson, 2009). The thirteenth area identified was Improvement & Innovation Management. The rationale behind the nomination of such process as one of the main IT processes will be described in detail in the next paragraphs. The widespread adoption of IT and IS creates greater opportunities for innovation in enterprise management (Jianping and Fang, 2011). IT has become a valuable asset and resource in all meanings of contemporary business strategy literature (Dahlberg and Lahdelma, 2007). However, IT requires flexible and agile responses whenever market conditions change. The critical role of management in the adoption of innovations is reflected in diverse branches of the literature (To and Ngai, 2007). As these needs become more critical, the role of IT has come to be essential (Park et al., 2006). IT enables enterprise agility or the ability to sense and respond to changes in a competitive environment (Gallagher and Worrell, 2008). IT now plays a more prominent role in corporate agility, enabling rapid and continual business innovation in products, services, channels, and supply and demand chain management (Agarwal and Sambamurthy, 2002). Actually, the fast pace of IT innovation, combined with pressures for reform and performance improvement, make ITG a major concern (Guney and Cresswell, 2010). IT innovation, evolving customer preferences and requirements, disruptions in the supply chain, and regulatory developments are market forces that demand business to adapt quickly (Broussard and Tero, 2007). ITG is a dynamic social process in which parties continually (re)define new routines and procedures (Guney and Cresswell, 2010). Moreover, ITG faces a dual demand of contributing to present business operations and performance; and transforming and positioning IT for meeting future business challenges (Silva and Chaix, 2008). Continuous alignment is a current concern of ITG (Maidin and Arshad, 2010). Table 5 – ITG and Management Main Areas Main Area Strategy Management

Description

Topics/subjects

Responsible for business/IT objectives and alignment, Demand Management, contingency factors, and other reasons pointed out as Market analyze, possible differentiators of ITG. IT/Business strategy plan/definition/alignment

Literature (Fasanghari et al., 2008) (Nabiollahi and Sahibuddin, 2008) (Lingyu, 2010), (Webb et al., 2006), (Simonsson and Ekstedt, 2006), (Guney and Cresswell, 2010), (Silva and Chaix, 2008), (Gerrard, 2010), (Agarwal and Sambamurthy, 2002), (Symons, 2005), (Tanriverdi, 2006), (Tanriverdi, 2006),

Service Management

Resource Management

Risk Management

Development Management

Responsible for service definition, service catalogue, service portfolio, service levels, and other subjects about provided services. Accountable for the correct management of the organization’s resources, like people, technology, applications, and so on Training is included.

Service Level Management Service Portfolio Human resource, Hardware, Software, Capacity and Configuration Mngt., Information Mngt.

Responsible for the correct assurance of the business’ continuity by anticipating and preventing possible risks of the IT department, which are correlated with business risk.

Disaster recovery, Backups and security Management, Business continuity, Identity and access Management Responsible for the design and development of software Application Management as well as its maintenance. Application maintenance

Architecture Management

Responsible for the design of the necessary IT architecture and architectures for the good functioning of the IT engineering department. Infrastructure Management

Project Management

Accountable for the management of the entire IT Project Portfolio department projects, all kinds of projects Management Project Management

Quality Management

Investment Management

Outsourcing Management Support Management Compliance Management

Responsible for the assurance of the required procedures to guarantee functionality and provide services and products with the required quality. In charge of assuring the correct financial functioning of the IT department and of providing budget, costs, and financial plans.

Quality control Product Quality Management Portfolio and Value Mngt., Define budgets, Manage costs

This area manages all the aspects concerning Manage contracts outsourcers, as contracts, service levels, relations, etc. Control outsourcers

Responsible for user interaction and mainly keeps user Incident and Problem Mngt. satisfaction Service desk Accountable for the control of internal and external Audit, Policy and Report regulations, as well as report and measurement. Mngt., Internal Control

Responsible for the management of the improvements Analyze reports and options

Improvement and innovations that can be required or provided by the Prospection, Improvement and Change Management and Innovation entire IT department. Management

(Simonsson and Johnson, 2008), (Simonsson et al.,, 2008(a)), (Shpilberg et al., 2007), (Maidin and Arshad, 2010), (Ploder, 2008) (Park et al., 2006) (Silva and Chaix, 2008), [ITIL], (Hosseinbeig et al., 2011) (Jun et al., 2010) (Lahtela et al., 2010) (Dahlberg and Lahdelma, 2007), (Lingyu, 2010), (Guney and Cresswell, 2010), (Silva and Chaix, 2008), (Agarwal and Sambamurthy, 2002), (Gallaghe and Worrel, 2008), (Shpilgerg et al., 2007), (Tanriverdi, 2006), (Tanriverdi, 2006), (Shpilberg et al., 2007), (Maidin and Arshad, 2010), (Symons, 2005) (Lunardi et al., 2009), (Fasanghari et al., 2008), (Dahlberg and Lahdelma, 2007), (Nabiollahi and Sahibuddin, 2008), (Webb et al., 2006), (Gerrard, 2010), (Symons, 2005), (Maidin and Arshad, 2010), (Natovich, 1998), (Schmidt and Albayrak, 2010) (Lunardi et al., 2009), (Simonsson and Ekstedt, 2006), (Shpilgerg et al., 2007), (Ploder, 2008), (Jacobson, 2009), (Laucins, 2004), (Wang and Vidgen, 2007) (Simonsson et al., 2008(a)), (Silva and Chaix, 2008), (Gerrard, 2010), (Agarwal and Sambamurthy, 2002), (Gallaghe and Worrel, 2008), (Tanriverdi, 2006), (Aagesen et al., 2011), (Ploder, 2008) (Cochran, 2010), (Gerrard, 2010), (Gerrard, 2009), (Gallaghe and Worrel, 2008), (Shpilgerg et al., 2007), (Maidin and Arshad, 2010), (Ploder, 2008), (Natovich, 1998), (Fan, 2010) (Diao et al., 2009) (Guney and Cresswell, 2010) (Hosseinbeig et al., 2011) (Mellis, 1998) (Silva, and Chaix, 2008) (Lunardi et al., 2009), (Gao et al., 2009), (Jacobson, 2009), (Webb et al., 2006), (Gerrard, 2010), (Gerrard, 2009), (Agarwal and Sambamurthy, 2002), (Symons, 2005), (Shpilgerg et al., 2007), (Aagesen and van Veenstra, 2011), (Silva, and Chaix, 2008), (Simonsson et al., 2008(b)), (Maidin and Arshad, 2010), (Ploder, 2008) (Jacobson, 2009), (Dahlberg and Lahdelma, 2007), (Gerrard, 2010), (Gerrard, 2009), (Agarwal and Sambamurthy, 2002), (Shpilgerg et al., 2007), (Tanriverdi, 2006), (Lunardi et al., 2009), (Natovich, 1998), (Kuni and Bhushan, 2006) (Bartolini et al., 2010) (Diao et al., 2009) (Jun et al., 2010) (Maidin and Arshad, 2010) (Silva, and Chaix, 2008) (Breaux et al., 2009) (Jacobson, 2009) (Gerrard, 2010), (Simonsson et al., 2008(b)) (Gudivana and Nandigam, 2009) (Marvin et al., 2006) (Little, 2007) (PriceWaterhouseCoopers, 2008) (Rasmussen, 2009) (Rasmussen, 2010) (Yang, 2009) (Guney and Cresswell, 2010), (Silva and Chaix, 2008), (Agarwal and Sambamurthy, 2002), (Shpilgerg et al., 2007), (Simonsson et al., 2008(b)), (Maidin and Arshad, 2010), (Jianping and Fang, 2011)

In this Section we identified the main ITG and ITM areas based on literature review. These areas must be considered in any IT framework including ITG frame or ITM framework. In the next Section we will describe our proposal for a new ITG and ITM framework that will be designed taking into consideration the previous proposed artefacts (ITG contingency factors, ITG guidelines, and ITG and ITM main areas). IT Governance and Management Framework In this section we present an integrated framework where the relations between our proposed artefacts (constructs) will be shown. It is not possible to design a unique solution for all cases,

however, a more generic, complete, coherent and concise solution can be achieved in order to decrease organization confusion. We cannot forget that IT’s main function is to be a strategic business partner. Figure 1 shows the heart of our framework, which is the first step in our framework design. Governance frameworks must work within the context of an organization’s structure, culture, and strategy (Symons, 2005). Therefore, the framework ought to start by the Strategy Management process during which the organization should align their IT/business strategies (guideline 1 and 2) as well as study the impact of contingency factors in the correspondent type of organization.

Figure 1 – Strategy Management When organizations understand “where they are” and “where they want to be”, they are ready to begin a conscious ITG implementation. Weill and Ross (2004) are clear about the kind of mechanisms that will make the difference in ITG implementation, structures/process/communication (Guideline 3). Once strategy alignment is solved, organizations need to analyze the necessary mechanisms for a successful ITG implementation. In the definitions of these mechanisms, organizations should take into account the output of the previous step, as such, the mechanisms will follow (yellow arrows in Figure 2).

Figure 2 – Mechanisms Addition

Organizations with a mature mix of structures, processes, and mechanisms can achieve a higher degree of business/IT alignment maturity when compared to other organizations (De Haes and Grembergen, 2008; Symons, 2005). Conscious of the need of such mechanisms, we must focus on which processes the IT department will need to implement in order to put into practice the defined mechanisms (Guideline 4). In addition, IT department works as a service provider and has its own suppliers and clients. In Figure 3, we can see three blue boxes that define the three different topics to approach (Providers/Business/Client) as well as the addition of almost all our identified ITG/ITM main areas (excluding Compliance and I&I). These areas ought to serve as a basis, for example, organizations that do not have internal development will not need Development Management. Having the strategy alignment as well as the identification of the necessary mechanisms and IT processes outlined, an organization should ensure that these mechanisms are being implemented among the IT processes. Therefore, organizations ought also to define metrics and measures (Guideline 5) to confirm if the goals defined in the initial steps are being well implemented.

Figure 3 – IT Processes There are several frameworks and new ones are constantly appearing. If organizations want to keep a competitive advantage, they must pay attention to this concern (Guideline 6). In order to include this kind of concerns in our framework, we decided to insert another layer (green layer in Figure 4). The green layer will be responsible for being aware of new

frameworks in the market, decide which framework or frameworks are more appropriate for a certain area giving the areas defined in Guideline 4 (Figure 3). On the one hand, all these frameworks should be controlled in order to assure that the organizations are in conformity (Guideline 7 and the area Compliance). On the other hand, since IT is constantly changing, organizations ought to be capable of identifying current and future improvements (Guideline 8 and the area Improvement and Innovation). These areas cross all other ones presented in Figure 3 and in frameworks (Figure 4). Therefore, we added another layer which completes our integrated ITG and ITM framework.

Figure 4 – Proposed Integrated IT Governance and Management Framework In this Section we designed our ITG and ITM framework based on our previously designed and proposed artefacts. Once this framework was designed taking into consideration such relevant artefacts, our framework adds knowledge to ITG context. In the next Section we evaluate our proposed artefacts with expert interviews and by comparing our artefacts to current theories.

EMPIRICAL EVALUATION In order to validate our artefacts, besides the complete literature review that supports our proposed framework and despite the little empirical work concerning ITG in the literature, we mapped the artefacts with current theories and used the results of a series of expert interviews. Current theories were chosen for being the most similar to our guidelines, which allowed a well-structured comparison to be possible.

Guidelines Evaluation We mapped our guidelines to some of the best-known practices as well as to some guidelines described in the main books of the area. We mapped our guideline with four theories in the literature which can be seen in the next Tables (Table 6, Table 7, Table 8 and Table 9). The structure of the tables is: our guidelines are in rows and theories steps/guidelines/so on in columns. The first theory is described by Selig (Selig, 2008). The authors developed an ITG framework in which they identify five critical ITG imperatives and work areas. In Table 6 we conclude that our guidelines fulfill the areas of work contained in the theory described by (Selig, 2008). However, this theory lacks some completeness leaving some of our guidelines without a match. Table 6 – ITG Imperatives and Work Areas Business Plan/ Objectives 1 2 3 4 5 6 7 8

X X --------------

IT Plan, Objectives, Portfolio Investment and Approvals X X --------------

--------------

--------------

IT Plan Execution & Delivery

-------------X --------------

Performance Management, Controls, Risk, Compliance and Vendor Management

People Development, Continuous Process Improvement & Learning

--------------

--------------

X -------------X

-------------X

These areas are described by the authors as sequential and with the possibility of being iterative. Therefore, we mapped our guidelines to these areas in order to understand whether our guidelines cover them and if they can perform the same function or even more. In Table 6 we present the results of our comparison in which we concluded that our guidelines fulfill the areas of work contained in the previously theory described. In the 1950's Deming proposed that business processes should be analyzed and measured to identify sources of variations that cause products to deviate from customer

requirements. He recommended that business processes be placed in a continuous feedback loop so that managers can identify and change the parts of the process that need improvements. Deming created a (rather oversimplified) diagram to illustrate this continuous process, commonly known as the PDCA (Plan, Do, Check, Act) cycle. This PDCA cycle has been adopted by some frameworks that use the cycle to justify or clarify their guidance, for example ITIL V3, or ISO 20000, or even the Balanced Scorecard. Since this PDCA cycle seems to be important for some relevant frameworks in order to implement an iterative process, and we saw that IT is constantly changing and organizations feel the necessity of an iterative process to control the changes, we decided to map our guidelines with Deming’s cycle phases in order to demonstrate that our guidelines could work as an iterative process. The result is presented in Table 7 where the guidelines designed can fulfill the need of an iterative process and mitigate the risks of the constantly changing IT. Table 7 – Deming Cycle Mapping 1 2 3 4 5 6 7 8

Plan X X

Do

Check

Act

X X X X X X

The third theory was developed by Grembergen and De Haes (2008) in order to help organizations in ITG implementation. De Haes and Grembergen are two respected authors with several articles and books published in this area. In order to understand if our guidelines are aligned with this guide, we mapped our guidelines with it (Table 8). Our guidelines fulfill the De Haes and Grembergen guide. However, since some of them do not have a correspondent activity to the guide, we can conclude that our guidelines are more complete than the guide provided by Grembergen and De Haes (2008). Table 8 – Grembergen and De Haes Guide

X

Set Up Support Communication and awareness Mechanisms

Use Performance Measurement Tools

Manage and Align the IT Investment Portfolio

Install IT Steering and IT Strategy Committees

Manage Roles and Responsibilities

Involve Executive Management and the Board of Directors

Set Up a Clear IT Organization and Decision Structure

Define the Right ITG Process

Define Business Goals and IT Goals 1 2 3 4 5 6 7 8

X X

-------------

X X

X

-------------

-------------

X

X

X X

-------------

-------------

-------------

-------------

X -------------

-------------

The fourth theory is presented by (Selig, 2008) which describes a pragmatic business and IT planning process used successfully in industry, it is called “pressure point analysis”. IT is primarily based on analyzing internal and external pressures and trends, and on addressing six basic questions. After analyzing Table 9 we can observe that our guidelines cover the six steps of the pressure point analysis theory which indicate our guidelines support the constant improving of ITG process. Table 9 – Pressure Points Analysis Where are we? 1 2 3 4 5 6 7 8

Why change?

What could we do?

What should we do?

X

X

How do we get there?

Did we get there?

X X X ----------------------------------

----------------------------------

----------------------------------

----------------------------------

----------------------------------

X ----------------------------------

We can conclude that our guidelines cover the six steps of the pressure point analysis theory which indicate that our guidelines are complete. To sum up, we conclude that our guidelines cover, and even outperform in some cases, the compared theories that reinforce the completeness and consistence of our proposed guidelines. ITG and ITM Main Areas Evaluation

In this section we will evaluate our proposed ITG/ITM main areas by mapping them to other framework areas. In order to select the most appropriated framework we studied the best-known frameworks in the market to understand which of our proposed ITG/ITM main areas were at least in part approached by the current frameworks (Appendix B). We concluded that COBIT is the most complete framework and as such we will map our ITG/ITM main areas with COBIT. This evaluation will verify if our areas cover all the COBIT scope. Since COBIT is mainly based on control objectives, we will not map our main areas directly to the 34 COBIT processes but to the 254 control objectives in order to achieve a more detailed and coherent result. COBIT processes are divided into four main areas: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME). Caption for Figure 5:

 Proposed main area

 Acquire and Implement Control Objectives (AI)

 Monitor and Evaluation Control Objective (ME)

 Deliver and Support Control Objective (DS)

 Plan and Organize Control Objectives (PO)

 LL represents the acronym of the area (PO, or AI, or DS or ME), while P is the number of the COBIT process inside the correspondent area, and C is the number of the Control Objective inside the correspondent process.

In Figure 5 we can see that all the COBIT control objectives were distributed and are mapped to our main ITG and ITM areas, which show that our defined main areas fulfill the completeness of COBIT.

Figure 5 – Map between ITG Framework Areas and COBIT Objectives Figure 5 demonstrates that our proposed ITG/ITM main areas overlap at least the COBIT control objectives and implicitly the COBIT processes. In Appendix A we can also see that most frameworks do not cover all the necessary main areas, which means they just focus on part of ITG. We may conclude that any framework containing all these ITG/ITM main areas would be one of the broadest in the market at the moment. Interviews Since the use of more than one evaluation method is advisable (Bartenschlager and Goeken, 2009), we also evaluated all our artefacts with expert interviews. We performed nine interviews (90 minutes each) with ITG experts (Experts on technology and business management who have strategic alignment and ITG knowledge in their organizations). Seven

interviews were performed in Portugal and two in Ireland by Skype. The interviewees were 3 consultant organizations (1, 2 and 7) and 6 non-consultant (3, 4, 5, 6, 8 and 9) organizations. Table 10 shows a summary of the results. We used colors to make Table 10 easier to read. In contingency factors we used yellow and orange to highlight the first (yellow) and second (orange) choice of the interviewees (we asked them to rank the contingency factors by relevance). We also used the green and red in the “yes/no” questions in order to highlight the positive (green) and negative (red) responses. In ITG and ITM main areas we use the “G” to highlight the governance areas identified by the interviewees. The first two highlighted the need to include Product quality Management inside Quality Management, which we did and, from then on, no more improvements were suggested by interviewees in the ITG areas artefact. The third interviewee was the only one that disagreed with the proposed guidelines. He argued that guidelines 4, 6, and 8 are not needed and a new one about investment decision making between guideline 2 and 3 was missing. However, since we have strong literature support and only one interviewee mentioned this argument, we decided to keep the guidelines without changes. The fifth interviewee stated that such guidelines were not useful since COBIT already has guidelines with such abstraction. Fifth, sixth and seventh interviewees stated that some factors were missing. The fifth and sixth referred the organizations’ financial power (which we believe could be related with organization size since bigger organizations certainly have more financial power and vice versa) while the seventh mentioned the people (which we believe to be related with ethic and trust, as ethic and trust are social values that should cross the entire human resources). Table 10 – Artefacts Evaluation by Experts

3

1

4

3

5

1

6

2 1 2 3

7

2

1

8

1

4

9

2

3

3 4

1

Yes No Yes Yes Yes Yes No No No Yes G G

3

4

Yes No Yes Yes Yes No Yes Yes No No

G

G

4

2

Yes No Yes Yes Yes Yes No Yes No No

G

No Yes Yes No Yes Yes No Yes No No

G

G

No Yes Yes Yes Yes Yes No Yes No No

G

G

3

Innovation

Architecture

Resource

Risk G

Yes No Yes Yes Yes Yes No No No Yes G

2

Compliance

Investment

Strategy

Missing?

Remove?

Complete?

ITG/M Areas Remove step?

Complete?

General?

Useful?

Useful?

Missing?

Complete?

Guidelines

3

2 1

Ethic

3

1

Trust

1

2

Strategy

Size

2

2

Regional D.

Maturity

1

Culture

Industry

Structure

Interviewees

ITG Contingency Factors

G

G

G

No Yes Yes Yes Yes Yes No Yes No No

G

G

Yes No Yes Yes Yes Yes No Yes No No

G

G

Yes No Yes Yes Yes Yes No Yes No No

G

G G G

Several conclusions could be withdrawn from the interviews:  Culture, structure, industry and maturity are seen as the most relevant contingency factors for ITG implementation.  Contingency factors were identified by all the interviewees as a relevant concern and useful as information available at the beginning of ITG implementations.  Regional Differences was the only contingency factor not chosen by the interviewees. However, it could be related with the fact that the interviewees only had experience in one country reality.  Consultant organizations tend to give more importance to industry and maturity.  Non-consultant organizations tend to assign higher relevance to culture and structure.  Most of the interviews see the guidelines as useful, compete and general.  Strategy Management and Investment Management are almost consensual between interviewees as the main ITG areas.  All the areas without any appointment will be assumed as management areas. Moreover, 67% of the interviewees stated that a new framework could solve part of the ITG implementation problem and 78% claimed an integrated ITG and IT Management framework could be very useful. In this Section we evaluated our proposed artefacts. Our guidelines were evaluated with interviews and against other current theories presented in some of the most important literature in the area. As a result of the guidelines evaluation, we conclude that our guidelines are relevant for experts and include more important knowledge than compared theories. Our projected contingency factors were evaluated with interviews and we can assert that contingency factors are relevant, important and complete for experts. The proposed ITG and ITM main areas were mapped against COBIT control objectives which allowed us to conclude that our proposed main areas, which were also evaluated with interviews, are seen by experts as the main ITG ones, leaving almost all other areas as ITM areas. We also mapped our proposed ITG and ITM areas against current frameworks from where we concluded that only COBIT covers all our proposed areas. LEARNINGS Based on both scientific and practitioner viewpoint, which achieved the formalization of the contingency factors, ITG general guidelines and ITG and ITM main areas, this research provided us some important learning in ITG field.. Yet, the way consultant and non-

consultant organizations look at Contingency Factors is quite different. Moreover, it is interesting that existing Frameworks also do not make any reference to the different viewpoints of consultant and non-consultant organizations. This happens because many nonconsultant organizations hire consultant organizations to implement some domains as ITG and such divergent perspectives of what they should be worried or focus on first can be the cause of some problems. Besides the consensual identification of the Strategy and Investment Management as ITG areas by practitioners, few other areas still present dubiety in practitioner’s viewpoint. From the literature few theories were founded to map with our guidelines in order to evaluate them. This fact can indicate the lack of such general directives to provide an initial roadmap to the organizations before ITG implementation. We also perceived that most frameworks in the market intend to focus on a specific area instead of on overall ITG and ITM topic. Such fact calls for an extra effort of the organizations to understand which framework or frameworks are advisable, needed and integrated with organization’s structure. It is known that frameworks do not provide any guidance in contingency factors and also overlap each other so it is expectable that organizations take much more time and waste resources on that journey. Our research also has some limitations. So far we leverage our artefacts based on literature review and also validated them through interviews with experts. However, to achieve more concrete and coherent results, more interviews are required. In the future the achievement of a more concrete and coherent differentiation of the most important Contingency Factors for consultants and non-consultants must be explored. Although more detailed approaches must be achieved in future work to be even more helpful, we present a strongly validated high level framework. CONCLUSIONS From the literature we conclude that researchers in this area have been studying topics as the IT/Business strategy alignment (Bartenschlager and Goeken, 2009; Goeken and Alter, 2009; Simonsson and Johnson, 2008; Simonsson et al., 2008a). Some models have been proposed as well as the impact of ITG in organizations (Bernroider, 2008; Shpilberg et al., 2007; Webb et al., 2006), and how to implement ITG (Goeken and Alter, 2009; Lingyu et al., 2010; Xiao-wen et al., 2009). Some researchers have considerable relevance among the literature: Luftman designed the strategic alignment model; Peter Weill proposed the essential mechanisms for ITG implementation; De Haes and Van Grembergen have been

applying COBIT in several perspectives; Goeken focused on metamodels and also on strategic alignment; and Simonson has been working on several domains as ITG definition or a new ITG tool, which intends to overcome some of the problems with COBIT. However, literature lacks topics as Contingency Factors or general guidelines for ITG implementation which is a considerable part of the contribution of this research. Experts gave an excellent feedback and validated all our artefacts. Few improvements or changes were proposed. Most of them do not question the validity of the artefacts, but simply add something. This makes sense, since we are analyzing information from two different sources (literature and practitioners). We evaluated our guidelines with other current and already published theories. From this evaluation we concluded our guidelines are more complete than all the other theories, so they cover the present-day theories and also add some current concerns of researchers. Following the same logic, with the evaluation of the ITG and ITM main areas we determined that they are complete and cover the main existing frameworks. The proposed ITG framework allows for a better understanding of the formulation and implementation of ITG in a corporate environment. We are aware that is not an exhaustive framework so more detailed approaches can be made in the future. Nevertheless, the validity of the artefacts and the connections between them was based on accepted scientific theories presented in the literature as well as in the experience of ITG experts. Since we have already warned against the main concerns in ITG topic but in a high conceptual level, we believe that future work ought to include a similar approach of the Bartenschlager and Goeken (2009) study. This study should be followed (Figure 6), detailing each area in order to provide a more useful approach for ITG implementation in practice.

Figure 6 – Detailing the domain ITG So far we can conclude that the potential of our artefacts could be better if properly explored. We may now state that we designed a set of artefacts that add important knowledge

to ITG literature and that are helpful in ITG implementation. The developed artefacts can be used as a foundation for future research. The artefacts were validated and well accepted by experts who saw usefulness in them. However, to give a widespread and holistic support to ITG it is not enough to design a framework. Instead, it is necessary to complement it with knowledge of other frameworks and the findings of academic research (Goeken, 2008). As we have already presented the macro level (ITG/ITM framework), future research can include the development of conceptual models for each identified area followed by the main features collected through the main frameworks (including roles, responsibilities, activities, practices, etc.) to that area in the market (micro level). Furthermore, real-world case studies should be performed, always having into consideration the correct identification of the contingency factors (instantiations). From now on case studies must also be organized by the contingency factors in order to add this kind of knowledge to the literature and to be a useful basis for ITG implementations in organizations. Finally, more interviews and publications should also be performed in order to increase the practitioner’s relevance in artefacts validation. ACKNOWLEDGEMENTS The authors would like to thank the anonymous reviewers and the editor for their insightful comments and suggestions. REFERENCES Aagesen, G., van Veenstra, A.F., Janssen, M., & Krogstie, J. (2011). The Entanglement of Enterprise Architecture and IT-Governance: The Cases of Norway and the Netherlands. In: Proceedings of the 44th Hawaii International Conference on System Sciences, Kauai, HI, pp. 1-10.

Adams, C.R., Larson, E.C., & Xia, W. (2007). IS/IT Governance Structure and Alignment: An Apparent Paradox. Proceedings of the 2007 Society for Information Management Academic Workshop (SIM Academic Workshop), Montreal, Canada.

Agarwal, R., & Sambamurthy, V. (2002). Principles and Models for Organizing the IT Function. Management Information Systems Quarterly Executive, 1(1), 1-16.

Ang, S. & Straub, D.W. (1998). Production and Transaction Economies and IT Outsourcing: A Study of the U.S. Banking Industry. Management Information Systems Quaterly, 22(4), 535-552.

Armour, F.J., Kaisler, S.H., & Liu, S.Y. (1999). A big-picture look at Enterprise Architecture. IT Professional, 1(1), 35-42.

Askary, S., Goodwin, D., & Lanis, R. (2012). Improvements in Audit Risks Related to Information Technology Frauds. International Journal of Enterprise Information Systems (IJEIS), 8(2), 52-63.

Avison, D., Gregor, S., & Wilson, D. (2006). Managerial IT unconsciousness. Communications of the Association for Computing Machinery, 49(7), 88-93.

Aubert, B., Rivard, S., & Patry, M. (2004). A Transaction Cost Model of IT Outsourcing. Information & Management, 41(7), 921-932.

Ayat, M., Sharifi, M., Sahibudin, S., & Ibrahim, S. (2009). Adoption factors and implementation steps of ITSM in the target. In: Proceedings of the Third Asia International Conference on Modelling & Simulation, Bali, Indonesia.

Bartenschlager, J., & Goeken, M. (2009). Designing Artifacts of IT Strategy for Achieving Business/IT-Alignment. In: Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, CA, paper 494.

Bartolini, C., Stefanelli, C., & Tortonesi, M. (2010). SYMIAN: Analysis and performance improvement of the IT incident management process. Transactions on Network and Service Management, 7(3), 132–144.

Bernroider, E. (2008). IT governance for enterprise resource planning supported by the DeLone-McLean model of information systems success. Information & Management, 45(5), 257-269.

Bingi, P., Sharma, M., & Godla, J. (1999). Critical issues affecting an ERP implementation. Information Systems Management Decision, 16(3), 7-14. Bohl, O., Frankfurth, A., Schelhase, J., & Winand, U. (2002). Guidelines – A Critical Success Factor in the Development of Web-based Trainings. In: Proceedings of the International Conference on Computers in Educational, Auckland, New Zealand, pp. 545-546.

Breaux, T.D., Anton, A.I., Boucher, K., & Dorfman, M. (2009). IT Compliance: Aligning Legal and Product Requirements. IT Professional, 11(5), 54 – 58.

Broussard, F.W., & Tero, V. (2007). Configuration and Change Management for IT Compliance and Risk Management: The Tripwire Approach. White Paper. IDC.

Brown, C.V. (1997). Examining the Emergence of Hybrid IS Governance Solutions: Evidence from a Single Case Site. Information Systems Research, 8(1), 69-95.

Brown, A.E., & Grant, G.G. (2005). Framing the Frameworks: A Review of IT Governance Research. Canadian Association for Information Science, 15, 696-712.

Brown, C.V., & Magill, S.L. (1994). Alignment of the IS Functions with the Enterprise: Toward a Model of Antecedents. Management Information Systems Quarterly, 4(18), 371404.

Buckhout, S., Frey, E., & Nemec Jr., J. (1999). Making ERP succeed. Turning fear into promise. Transactions of Engineering Management, 27(3), 116-123.

Callahan, J., Bastos, C., & Keyes, D. (2003). The evolution of IT Governance at NB Power. In Grembergen, W.V. (Ed.) Strategies for Information Technology Governance (pp. 343356). Hershey, PA: Idea Group Publishing.

Cochran, M. (2010). Proposal of an Operations Department Model to Provide IT Governance in Organizations that Don't have IT C-Level Executives. In: Proceedings of the 43rd Hawaii International Conference on System Sciences, Honolulu, HI, pp. 1-10.

Corea, S., & Levy, M. (2007). Quality of IT support for corporate environmental management: A paradigmatic framework. In: Proceedings of the 2nd International Conference on Digital Information Management, Lyon, France, pp. 424 – 429.

Costello, C. (2010). A New Management Framework for IT. IT Professional, 12(6), 61-64.

Craig, S., Cecere, M., Young, G.O., & Lambert, N. (2005). IT Governance Framework: Structures, Processes, And Communication. Forester Research.

Curley, M., & Kenneally, J. (2011). Using the IT Capability Maturity Framework to improve IT Capability and Value Creation: An Intel IT Case Study. In: Proceedings of the 15th IEEE International Enterprise Distributed Object Computing Conference, Helsinky, Finland, pp. 107 – 115.

Dahlberg, T., & Kivijarvi, H. (2006). An integrated framework for IT governance and the development and validation of an assessment instrument. In: Proceedings of the 39th Hawaii International Conference on Systems Sciences, Hawaii, USA, pp. 194b.

Dahlberg, T., & Lahdelma, P. (2007). IT Governance Maturity and IT Outsourcing Degree: An Exploratory Study. In: Proceedings of the 40th Annual Hawaii International Conference on System Sciences, Waikoloa, HI, pp. 236a.

De Haes, S., & Grembergen, W.V. (2004). IT Governance and its Mechanisms. Information Systems Control Journal, 1.

De Haes, S., & Grembergen, W.V. (2008). Analysing the Relationship between IT Governance and Business/IT Alignment Maturity. In: Proceedings of the 41st Annual Hawaii International Conference on System Science, Waikoloa, HI, pp. 428.

Diao, Y., Jamjoom, H., & Loewenstern, D. (2009). Rule-Based Problem Classification in IT Service Management. In: Proceedings of the IEEE International Conference on Cloud Computing, Bangalore, India, pp. 221-228.

Ekstedt, M., Johnson, P., Lindstrom, A., Gammelgard, M., Johansson, E., Plazaola, L., Silva, E., & Lilieskold, J. (2004). Consistent Enterprise Software System Architecture for the CIO: A Utility-Cost Based Approach. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences, Big Island, HI.

Fan, D. (2010). Analysis of Critical Success Factors in IT Project Management. In: Proceedings of the 2nd International Conference on Industrial and Information Systems, Dalian, China, pp. 487-490.

Fasanghari, M., NasserEslami, F., & Naghavi, M. (2008). IT Governance Standard Selection Based on Two Phase Clustering Method. In: Proceedings of the Fourth International Conference on Networked Computing and Advanced Information Management, Gyeongju, Corea, pp. 513-518.

Fink, K., & Ploder, K. (2008). Decision Support Framework for the Implementation of ITGovernance. In: Proceedings of the 41st Hawaii International Conference on System Sciences, Waikoloa, HI, pp. 432.

Forrester, E.C., Buteau, B.L., & Shrum, S. (2009). CMMI for Services, Version 1.2 (Tech. Rep.). Software Engineering Institute.

Gallagher, K.P., & Worrel, J.L. (2008). Organizing IT to Promote Agility. Information Technology Management, 9(1), 71-88.

Gao, S., Chen, J., & Fang, D. (2009). The Influence of IT Capability on Dimensions of Organization Structure. In: Proceedings of the Second International Conference on Future Information Technology and Management Engineering, Sanya, China, pp. 269-273. Gerrard, M. (2009). IT Governance, a Flawed Concept: It’s Time for Business Change Governance. Gartner Research.

Gerrard, M. (2010). Defining IT Governance: The Gartner IT Governance Demand/Supply Model. Gartner Research.

Goeken, M., & Alter, S. (2009). Towards Conceptual Metamodeling of IT Governance Frameworks Approach – Use – Benefits. In: Proceedings of the Annual Hawaii International Conference on System Sciences, Big Island, HI, pp. 1-10.

Grembergen, V.W. (2000). The balanced scorecard and IT governance. Information Systems Control Journal, 2, 40-41.

Grembergen, W.V., & De Haes, S. (2008). Implementing Information Technology Governance: Models, Practices, and Cases. Hershey, New York: IGI Publishing.

Grembergen, W.V., De Haes, S., & Guldentops, E. (2003). Structures, Processes and Relational Mechanisms for IT Governance. In Grembergen, W.V. (Ed.) Strategies for Information Technology Governance (pp. 1-36) Hershey, PA: Idea Group Publishing.

Grover, V., Cheon, M.J. & Teng, J.T.C. (1996). The Effect of Service Quality and Partnership in the Outsourcing of Information Systems Functions. Journal of Management Information Systems, 12(4), 89-116.

Gudivada, V.N. & Nandigam, J. (2009). Corporate Compliance and its Implications to IT Professionals. In: Proceedings of the International Conference on Information Technology: New Generations, Las Vegas, NV, pp. 725-729.

Guney, S., & Cresswell, A.M. (2010). IT Governance as Organizing: Playing the Game. In: Proceedings of the 43rd Hawaii International Conference on System Sciences, Honolulu, HI, USA, pp. 1-10.

Gupta, R., Prasad, K.H., & Mohania, M. (2008). Automating ITSM Incident Management Process. Paper presented at the International Conference on Autonomic Computing, Chicago, IL, pp. 141-150.

Hamaker, S., & Hutton, A. (2004). Principles of IT Governance. Information Systems Control Journal, 2, 1-4.

Henderson, J.C., Venkatraman, N. & Oldach, S. (1993). Continuous Strategic Alignment: Exploiting Information Technology Capabilities for Competitive Success. European Management Journal, 11(2), 139-149.

Herzwurm, G., & Pietsch, W. (2008). Guidelines for the Analysis of IT Business Models and Strategic Positioning of IT-Products. In: Proceedings of the Second International Workshop on Software Product Management, Barcelona, Spain, pp. 1-8.

Hevner, A.R., March, S.T., Park, J., & Ram, S. (2004). Design Science in Information Systems Research. Management Information Systems Quarterly, 28(1),75-105.

Hosseinbeig, S., Karimzadgan-Moghadam, D., Vahdat, D., & Moghadam, R.A. (2011). IT strategic alignment maturity and IT governance. In: Proceedings of the 4th International Conference on Interaction Sciences, Busan, Korea, pp. 67-72.

Huang, C., & Hu, Q. (2007). Achieving IT-Business Strategic Alignment via EnterpriseWide Implementation of Balanced Scorecards. Information Systems Management, 24(2), 173184.

Information Technology Governance Institute (2004). Board Briefing on IT Governance. IT Governance Institute, United States of America.

Information Technology Governance Institute (2007). IT Governance Institute: COBIT 4,1. Retrieved January 17, 2012, from http:// www.isaca.org.

International Standard ISO/IEC 38500 (2008). Corporate governance of information technology.

Jaafar, N.I., & Jordan, E. (2009). Information Technology Governance (ITG) Practices and Accountability of Information Technology (IT) Projects – A Case Study in a Malaysian Government-Linked Company (GLC). In: Proceedings of the Pacific Asia Conference on Information Systems, Hyderabad, India.

Jacobson, D.D. (2009). Revisiting IT Governance in the Light of Institutional Theory. In: Proceedings of the 42nd Hawaii International Conference on System Sciences, Big Island, HI, pp. 1-9.

Jaferian, P., Botta, D., Raja, F., Hawkey, K., & Beznosov, K. (2008) Guidelines for designing IT security management tools. In: Proceedings of the Computer Human Interaction for the Management of Information Technology, San Diego, USA, article 7.

Järvelin, K., & Wilson, T.D. (2003). On Conceptual Models for Information Seeking and Retrieval Research. Information Research, 9(1), paper 163.

Jeffery, M., & Leliveld, I. (2004). Best practices in IT portfolio management. MIT Sloan Management Review, 45(3).

Jiandong, Z., & Hongjun, X. (2010). The Research on Staff Well-being in IT Industry in China. In: Proceedings of the International Conference on Optics Photonics and Energy Engineering, Wuhan, China, pp. 48-51.

Jianping, P., & Fang, D. (2010). An Empirical Study of the Influence of Process Management Capability on IT Application Level. In: Proceedings of the 1st International Conference on Information Science and Engineering, Nanjing, China, pp. 2850 – 2853.

Jun, L., XiaoLi, L. & Jun, W. (2010). A problem classification approach in business service management. In: Proceedings of the International Conference on Computer Application and System Modeling, Taiyuan, China, pp. V10-354 - V10-356.

Keill, M. et al (2002). Reconciling user and propject manager perceptions of IT project risk: a Delphi study. Information Systems Journal, 12, 103-119.

King,

J.L.

(1983).

Centralized

versus

Decentralized

Computing:

Considerations and Management Options. Computing Survey, 15, 320-349.

Organizational

Kuni, R., & Bhushan, N. (2006). IT Application Assessment Model for Global Software Development. In: Proceedings of the International Conference on Global Software Engineering, Florianápolis, Brazil, pp. 92 – 100.

Lacity, M.C., & Willcocks, L.P. (1998). An Empirical Investigation of Information Technology Sourcing Practices: Lessons from Experience. Management Information Systems Quaterly, 22(3), 363-408.

Lacity, M.C., Willcocks, L.P., & Feeny, D.F. (1996), The Value of Selective IT Sourcing. Sloan Management Review, 37(3), 13-25.

Little, B. (2007). Whose Data is it Anyway?. Information Professional, 4(3), 38-40.

Lahtela, A., Jantti, M., & Kaukola, J. (2010). Implementing an ITIL-Based IT Service Management Measurement System. In: Proceedings of the Fourth International Conference on Digital Society, St. Maarten, Netherlands Antilles, pp. 249–254.

Laucins, A. (2004). Aligning Organizational Performance to IT Development and Integration. In: Proceedings of the Conference on Advanced Information Systems Engineering, Riga, Latvia, pp. 231-254.

Law, C. C., & Ngai, E. W. (2005). IT Business Value Research: A Critical Review and Research Agenda. International Journal of Enterprise Information Systems (IJEIS), 1(3), 3555.

Lingyu, H., Bingwu, L., Ruiping, Y., & Jianzhang, W. (2010). An IT Governance Framework of ERP System Implementation. In: Proceedings of the Computing Control and Industrial Engineering, Wuhan, China, pp. 431-434.

Losso, S., & Goeken, M. (2010). Application of Best-Practice Reference Models of IT Governance. In: Proceedings of the 18th European Conference on Information Systems, Pretoria, South Africa.

Luftman. J. (1996). Competing in the Information Age: Strategic Alignment. New York: Oxford University Press.

Luftman, J. (2000). Assessing Business-IT Alignment Maturity. Communications of the Association for Information Systems, 4, Article 14.

Luftman, J. (2008). Strategic Alignment Maturity: A Structural Equation Model Validation. In: Proceedings of the 14th American Conference on Information Systems, Toronto, Canada, paper 53.

Lunardi, G.L., Becker, J.L., & Macada, A.C.G. (2009). The Financial Impact of IT Governance Mechanisms' Adoption: An Empirical Analysis with Brazilian Firms. In: Proceedings of the 42nd Hawaii International Conference on System Sciences, Big Island, HI, pp. 1-10.

Maidin, S.S, & Arshad, N.H. (2010). IT governance practices model in IT project approval and implementation in Malaysian public sector. In: Proceedings of the International Conference on Electronics and Information Engineering, Kyoto, Japan, pp. V1-532 - V1-536.

Maizlish, B., & Handler, R. (2005). IT Portfolio Management: Step by Step. Hoboken, New Jersey: John Wiley & Sons.

Marvin, L.A., Mehmet, C. K., Abbas, F., & Brian, L.M., (2006). Reducing the Conflict between Accounting and It brought About by ERP Compliance and Ethical Issues. In: Proceedings of the Technology Management for the Global Future, Istanbul, Turkey, pp. 6065.

Mayerl, C., Vogel, T., & Abeck, S. (2005). SOA-based Integration of IT Service Management Applications. In: Proceedings of the IEEE International Conference on Web Services, Florida, USA.

Mcafee, A. (2004). Do you have too much IT? MIT Sloan Management Review, 45(3), 18-22.

Mellis, W. (1998). Software quality management in turbulent times - are there alternatives to process oriented software quality management? Software Quality Journal, 7(3/4), 277-295.

Memiyanty, A.R., & Putera, M.S. (2010). Ethical Leadership and Employee Trust: Governance Perspective. In: Proceedings of the International Conference on Information and Financial Engineering, Chongqing, China, pp. 848 – 851.

Morimoto, S. (2009). Application of COBIT to Security Management in Information Systems Development. In: Proceedings of the Fourth International Conference on Frontier of Computer Science and Technology, Shangai, China, pp. 625-630.

Muller-Rathgeber, B., Eichhorn, M., & Michel, H.-U. (2008). A unified Car-IT Communication-Architecture: Design guidelines and prototypical implementation. In: Proceedings of the International Conference Vehicular Electronics and Safety, Eindhoven, The Netherlands, pp. 709-714.

Muscatello, J. R., & Chen, I. J. (2008). Enterprise Resource Planning (ERP) Implementations: Theory and Practice. International Journal of Enterprise Information Systems (IJEIS), 4(1), 63-83.

Nabiollahi, A., & Sahibuddin, S. (2008). Considering Service Strategy in ITIL V3 as a Framework for IT Governance. In: Proceedings of the International Symposium in Information Technology, Kuala Lumpur, Malaysia, pp. 1-6.

Nah, F., & Lau, J. (2001). Critical factors for successful implementation of enterprise systems. Business Process Management Journal, 7(3), 285-296.

Natovich, J. (2003). Vendor Related Risks in IT Development: A Chronology of an Outsourced Project Failure. Technology Anaysis and Strategy Management, 15(4), 409-419.

Nicewicz-Modrzewska, D., & Stolarski, P. (2008). ITIL implementation roadmap based on process governance. In: Proceedings of the European University of Information Systems, Denmark.

Orlov, L.M., Cullen, A., & Belanger, B. (2006). IT Execs Boost Focus On Business In 2007. Forrester Research.

Osterle, H., Becker, J., Frank, U., Hess, T., Karagiannis, D., Krcmar, H., Loos, P., Mertens, P., Oberweis, A., & Sinz, E.J. (2011). Memorandum on Design-Oriented Information Systems Research. European Journal of Information Systems, 20,7–10.

Park, H.Y., Jung, S.H., Lee, Y., & Jang, K.C. (2006). The Effect of Improving IT Standard in IT Governance. In: Proceedings of the International Conference on Computational Intelligence for Modelling, Control and Automation, Sydney, Australia, pp. 22.

Peak, D.A., & Azadmanesh, M.H. (1997). Centralization/Decentralization cycles in computing: Market evidence. Information & Management, 31, 303-317.

Pereira, R., & Mira da Silva, M. (2010). A Maturity Model for Implementing ITIL v3. Paper presented at the 6th World Congress on Services (SERVICES-1), Florida, USA.

Pereira, R., & Mira da Silva, M. (2011). A Maturity Model for Implementing ITIL V3 in Practice. In: Proceedings of the 15th IEEE International Enterprise Distributed Object Computing Conference Workshops, Helsinki, Finland, pp. 259 – 268.

Peterson, R.R. (2003). Integration Strategies and Tactics for Information Technology Governance. In Grembergen, W.V. (Ed.) Strategies for Information Technology Governance (pp. 37-80), Hershey, PA: Idea Group Publishing.

Peterson, R.R., Parker, M.M., & Ribbers, P. (2002). Information Technology Governance Processes under environmental dynamism: investigating competing theories of decision making and knowledge sharing. In: Proceedings of the 23rd International Conference of Information Systems, Barcelona, Spain, paper 52.

Pita, Z., Cheong, F., & Corbitt, B. (2011). A Maturity Model of Strategic Information Systems Planning (SISP): A Comprehensive Conceptualization. International Journal of Enterprise Information Systems (IJEIS), 7(3), 1-29.

PriceWaterhouseCoopers (2008). Risk Based Compliance Monitoring & Compliance Function Effectiveness.

Qureshil, S., Kamal, M., & Wolcott, P. (2009). Information Technology Interventions for Growth and Competitiveness in Micro-Enterprises. International Journal of E-Business Research (IJEBR), 5(1), 117-140.

Radovanovic, D., Radojevic, T., Lucic, D., & Sarac, M. (2010). IT audit in accordance with Cobit standard. In: Proceedings of the 33rd International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, Croatia, pp. 1137 – 1141.

Rasmussen, M. (2009). Foundations of GRC: Streamlining Compliance. Corporate Integrity. Rasmussen, M. (2010). Value of Common Architecture for GRC Platforms. Corporate Integrity.

Richardson, L., Jackson, B.M., & Dickson, G. (1990). A Principle-Based Enterprise Architecture: Lessos From Texaco and Star Enterprise. Management Information Systems Quaterly, 14, 385-403.

Ridley, G., Young, J. and Carroll, P. (2004). COBIT and its utilization: a framework from the literature. In: Proceedings of the 37th Annual Hawaii International Conference on Systems Sciences, Hawaii, USA, pp. 1-8.

Sahibudin, S., Sharifi, M., & Ayat, M. (2008). Combining ITIL, COBIT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations. In: Proceedings of the Second Asia International Conference on Modeling & Simulation, Kuala Lumpur, Malaysia, pp. 749 – 753.

Sambamurthy, V., & Zmud, R.W. (1999). Arrangements for Information Technology Governance: A Theory of Multiple Contingencies. Management Information Systems Quaterly, 23(2), 261-290.

Sambamurthy, V., & Zmud, R.W. (2000). Research commentary: the organizing logic for an enterprise's IT activities in the digital era: a prognosis of practice and a call for research. Information Systems Research, 11(2), 105-114.

Schermann, M., B¨Ohmann, T., & Krcmar, H. (2009). Explicating Design Theories with Conceptual Models: Towards a Theoretical Role of Reference Models. In: Becker, J., Krcmar,

H.,

Niehaves,

B.

(Ed.)

Wissenschaftstheorie

und

gestaltungsorientierte

Wirtschaftsinformatik (pp 175–194), Heidelberg , Germany: Physica-Verlag,.

Schmidt, S., & Albayrak, S. (2010). A Quantitative Framework for Dependency-Aware Organizational IT Risk Management. In: Proceedings of the 10th International Conference on Intelligent Systems Design and Applications, Cairo, Egypt, pp. 1207-1211.

Schon, D.A. (1983). The Reflective Practitioner: How Professionals Think in Action. New York: Basic Books.

Schwarz, A., & Hirschheim, R. (2003). An Extended Platform Logic Perspective of IT Governance: Managing Perceptions and Activities of IT. Journal of Strategic Information Systems, 2(12), 129-166. Scott, J.E. (1999). The FoxMeyer drugs’ bankruptcy: was it a failure of ERP? In: Proceedings of the Fifth Americas Conference on Information Systems, Milwaukee, USA.

Selig, G.J. (2008). Implementing IT Governance: A Practical Guide to Global Best Practices in It Management. Amersfoort, NL: Van Haren Publishing, Zaltbommel.

Shpilberg, D., Berez, S., Puryear, R., & Shah, S. (2007). Avoiding the Alignment Trap in Information Technology. MIT Sloan Management Review, 49(1), 51-58.

Silva, E., & Chaix, Y. (2008). Business and IT Governance Alignment Simulation Essay on a Business Process and IT Service Model. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences, Waikoloa, HI, pp. 434.

Silva, E., Plazaola, L., & Ekstedt, M. (2006). Strategic Business and IT Alignment, A Prioritized Theory Diagram. In: Proceedings of the Technology Management for the Global Future, Istanbul, Turkey, pp.1-8.

Silva, L.F., & Brito e Abreu, F. (2010). An IT Infrastructure Patterns Approach to Improve IT Service Management Quality. In: Proceedings of the Seventh International Conference on the Quality of Information and Communications Technology, Porto, Portugal, pp.171-176.

Simon, H. A. (1996). The Sciences of the Artificial. Cambridge, England: MIT Press.

Simonsson, M., & Ekstedt, M. (2006). Getting the Priorities Right: Literature vs Practice on IT Governance. In: Proceedings of the Technology Management for the Global Future, Istanbul, Turkey, pp.18-26.

Simonsson, M., & Johnson, P. (2008). The IT Organization Modeling and Assessment Tool: Correlating IT Governance Maturity with the Effect of IT. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences, Waikoloa, HI, pp. 431.

Simonsson, M., Johnson, P., & Ekstedt, M. (2008a). IT Governance Decision Support Using the IT Organization Modeling and Assessment Tool. In: Proceedings of the Management of Engineering & Technolog, Cape Town, South Africa, pp. 802-810.

Simonsson, M., Lagerström, R., & Johnson, P. (2008b). A Bayesian network for IT governance performance prediction. In: Proceedings of the International Conference on Electronic Commerce, Innsbruck, Austria, pp. 1.

Smaczny, T. (2001). Is an alignment between business and Information Technology the appropriate paradigm to manage IT in today’s organizations? Management Decisions, 39(10), 797-802.

Smith, S. L., & Mosier, J. N. (1986). Guidelines for designing user interface software (Tech. Rep. ESD-TR-86-278). Bedford, MA: The MITRE Corporation.

Symons, C. (2005). IT Governance Framework. Forrester Research.

Takata, Y., Nakamura, T., & Seki, H. (2004). Accessibility verification of WWW documents by an automatic guideline verification tool. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences, Hawaii, USA.

Tallon, P. & Kraemer, K. L. (1998). A Process-Oriented Assessment of the Alignment of Information Systems and Business Strategy: Implications for IT Business Value. In: Proceedings of the Americas Conference on Information Systems, Maryland, USA.

Tanriverdi, H. (2006). Performance Effects of Information Technology Synergies in Multibusiness Firms. Management Information Systems Quaterly, 30(1), 57-77.

Tapia, R.S., Daneva, M., & Eck, P.V. (2007). Developing an Inter-Enterprise Alignment Maturity Model: Research Challenges and Solutions (Tech. Rep). The Netherlands, Enschede: University of Twente.

Tarantino, A. (2008). Governance, Risk and Compliance Handbook: Technology, Finance, Environment, and International Guidance and Best Practices. Somerset, NJ: John Wiley & Sons.

Tatnall, A., & Shackleton, P. (1996). IT Project Management: developing on-going skills in the management of software development projects. In: Proceedings of the International Conference Software Engineering: Education and Practice, Dunedin, New Zealand, pp. 400 – 405.

Tavakolian, H. (1989). Linking the Information Technology Structure with Organizational Competitive Strategy: A Survey. Management Information Systems Quarterly, 13, 309-317.

Taylor, S., Iqbal, M., & Nieves, M. (2007). ITIL: Continual Service. Norwith, England: TSO Publications.

Taylor, S., Iqbal, M., & Nieves, M. (2007). ITIL: Service Design. Norwith, England: TSO Publications.

Taylor, S., Iqbal, M., & Nieves, M. (2007). ITIL: Service Operation. Norwith, England: TSO Publications.

Taylor, S., Iqbal, M., & Nieves, M. (2007). ITIL: Service Strategy. Norwith, England: TSO Publications.

Taylor, S., Iqbal, M., & Nieves, M. (2007). ITIL: Service Transition. Norwith, England: TSO Publications.

To, M. L., & Ngai, E. W. (2007). The Role of Managerial Attitudes in the Adoption of Technological Innovations: An Application to B2C E-Commerce. International Journal of Enterprise Information Systems (IJEIS), 3(2), 23-33.

Tuttle, B., & Vandervelde, S.D. (2007). An Empirical examination of COBIT as an Internal Control Framework for Information Technology. International Journal of Accounting Information Systems, 8, 240-263.

Ungar, L.Y., & Parameswaran, R. (2005). Knowledge base to manage the grading and selection of testability guidelines. In: Proceedings of the Autotestcon, Orlando, FL, pp. 444 450

Vicente, P., & Mira da Silva, M. (2011). A Conceptual Model for Integrated Governance, Risk and Compliance. In: Proceedings of the 23rd International Conference on Advanced Information Systems Engineering, London, England, pp. 199-213.

Xiao-wen, L., Xiao-chun, L., & Ke-jin, H. (2009). Design and implementation of IT governance planning decision supporting system. In: Proceedings of the Chinese Control and Decision Conference, Guilin, China, pp. 5629 – 5632.

Xue, Y., Liang, H., & Boulton, W.R. (2006). Information Technology Governance in Information Technology Investment Decision Processes: The Impact of Investment Characteristics, External Environment, and Internal Context. Management Information Systems Quaterly, 32(1), 67-96.

Yang, D.S. (2009). On Problems of China Commercial Banks’ Compliance Risk Management. In: Proceedings of the International Conference of Computer Science and Information Technology, Chengdu, China, pp. 602 – 606.

Wang, X., & Vidgen, R. (2007). Order and Chaos in Software Development: A comparison of two software development teams in a major IT company. In: Proceedings of the Sixteenth European Conference on Information Systems, St Gallen, Switzerland.

Webb, P., Pollard, C., & Ridley, G. (2006). Attempting to Define IT Governance: Wisdom or Folly? In: Proceedings of the 39th Annual Hawaii International Conference on System Sciences, Hawaii, USA, pp. 194a.

Webster, J., & Watson, R.T. (2002). Analyzing the Past to Prepare for the Future: Writing a Literature Review. Management Information Systems Quaterly, 26(2), xiii-xxiii.

Weill, P. (2004). Don't Just Lead, Govern: How Top-Performing Firms Govern IT. Management Information Systems Quarterly Executive, 3(1), 1-1.

Weill, P., & Broadbent, M. (1998). Leveraging the New Infrastructure: How market leaders capitalize on IT. Boston, Massachusetts: Harvard Business School Press.

Weill, P., & Ross, J.W. (2004). IT Governance: How Top Performers Manage IT Decision Rights for Superior Result. Boston, Massachusetts: Harvard Business School Press.

Weill, P., & Vitale, M.(2002). What IT Infrastructure Capabilities are Needed to Implement E-Business Models? Management Information Systems Quarterly Executive, 1(1), 17-34.

Weisinger, J.Y., & Trauth, E.M. (2003). The Importance of Situating Culture in CrossCultural IT Management. In: Proceedings of the IEEE Transactions on Engineering Management, Saint Louis, USA, pp. 26-30.

Wilbanks, L. (2008). IT Management and Governance in Equal Parts. IT Professional, 10(1), 60-61.

Zachman, J.A. (1987). A Framework for Information Systems Architecture. IBM Systems Journal, 26, 276-292.

Appendix A – COBIT 4.1 conceptual map

Appendix B – Frameworks Vs Main Areas

Areas Investment Management COBIT ITIL CMMISVC ITSCM M ITIM ValIT Zachman ISO 20000 BS 15000 BSC P-CMM TOGAF

Frameworks

PMBOK OPM3 PRINCE 2 PMMM Kano Lean eSCM OMBOK ISO 9001 Six Sigma CMMIDEV ISO 17799 ISO 27001 COSO ISO 38500 BABOK SWEBO K UPDM

Service Management

Risk Management

I&I Management

Strategy Management

Support Management

Project Management

Resource Management

Quality Management

Compliance Management

Outsourcing Management

Architecture Management

Development Management