Enhancing IT governance practices: A model and case study of an organization's efforts

Enhancing IT governance practices: A model and case

study of an organization's efforts

Paul L. Bowen

, May-Yin Decca Cheung

, Fiona H. Rohde

⁎

a

College of Business, Florida State University, Tallahassee, Florida 32306-1110, USA b

UQ Business School, The University of Queensland, Brisbane, Queensland 4072, Australia Received 15 July 2006; received in revised form 8 July 2007; accepted 10 July 2007

Abstract

For many organizations, Information Technology (IT) enabled business initiatives and IT infrastructure constitute major investments that, if not managed properly, may impair rather than enhance the organization's competitive position. Especially since the advent of Sarbanes–Oxley (SOX), both management and IT professionals are concerned with design, implementation, and assessment of IT governance strategies to ensure that technology truly serves the needs of the business.Viaan in-depth study within one organisation, this research explores the factors influencing IT governance structures, processes, and outcome metrics. Interview responses to open-ended questions indicated that more effective IT governance performance outcomes are associated with a shared understanding of business and IT objectives; active involvement of IT steering committees; a balance of business and IT representatives in IT decisions; and comprehensive and well-communicated IT strategies and policies. IT governance also plays a prominent role in fostering project success and delivering business value.

© 2007 Elsevier Inc. All rights reserved. Keywords:IT governance; Case study

1. Introduction

Failures, unfulfilled promises, and disappointments associated with IT initiatives are rife (Hollaway, 2005; ITGI, 2002b; Willcocks et al., 2002). Publicized examples include Nike's supply chain software that resulted in a US $200 million loss (Songini, 2001) and Hershey's experience of a major IT induced nightmare immediately before their Halloween season (The

⁎Corresponding author.

E-mail addresses:[email protected](P.L. Bowen),[email protected](F.H. Rohde). 1467-0895/$ - see front matter © 2007 Elsevier Inc. All rights reserved.

Wall Street Journal, 1999). Unfortunately, only 29% of all IT projects succeed (The Standish Group, 2004) with CIOs of Fortune 1000 companies estimating that 40% of all their IT projects failed to yield a positive return (Watters, 2004).

Many organizations make huge investments in IT to secure or maintain competitive advantages (Applegate et al., 2003). IT-enabled business investment projects are still believed to present the possibility of higher rates of return on investment than traditional types of investments (ING Investor Relations, 2004). The success of many organizations depends on how effectively they manage and control IT to ensure that the expected rewards are realized. Effective IT governance generates real business benefits such as enhanced reputation, trust, product leadership, and reduced costs. As examples, IBM implemented supply chain improvements that saved US $12 billion by reducing inventory levels and the UK Royal Mail adopted business and accounting systems that resulted in a positive profitability change of £3 million per day (ITGI, 2006).

IT governance arrangements encompass mechanisms that enable business and IT executives to formulate policies and procedures, implement them in specific applications, and monitor outcomes (Weill and Broadbent, 1998). Thus, governance arrangements include structural, process, and outcome metric dimensions. Structural arrangements consist of the organizational units and roles responsible for making IT-related decisions. Process dimensions focus on the implementation of IT management techniques and procedures in compliance with established IT strategies and policies. Outcome metrics are the mechanisms used to assess the effectiveness of IT governance and to identify improvement opportunities.

To date, little experience-based research has investigated what IT governance arrangements work best (Weill and Ross, 2004). Devising IT governance arrangements is challenging because the success of IT strategies and procedures is contingent upon a variety of internal and external factors, such as workgroup interdependencies, value chain alliances, and competitive environments. Furthermore, successfully implementing an IT governance framework is also a complex endeavour because organizations must integrate the unique expertise of diverse stakeholders and service providers. For example, sharing domain knowledge promotes effective business manager involvement in IT planning as well as IT manager participation in business planning (Kearns and Sabherwal, 2006/07).

The purpose of this study is to increase our understanding of the factors influencing IT governance structures, processes, and outcome metrics. This study addresses the gap that exists between theoretical frameworks, prior empirical research, and contemporary practices on effective IT governance. This study develops a model of the factors influencing IT governance effectiveness in an organization and enriches the existing IT governance research by providing an in-depth case study of both structural and non-structural IT governance arrangements. This research is expected to help organizations in a number of ways. First, it provides insights that executive management can use to establish effective IT steering committees. Second, the research can assist organizations develop ideas for implementing their IT strategies and policies. Third, it can assist IT management to identify action plans for establishing IT project metrics. Fourth, the study can serve as a reference to which organizations can compare their IT governance effectiveness.

The remainder of this paper consists of four sections. Section 2, the next section, provides an overview of IT governance, presents the research model, and develops the five propositions examined in this research. Section 3 describes the case study used to examine factors associated with effective IT governance and successful IT implementations. Section 4 reports the results from investigating each of the five propositions. Section 5, the final section, summarizes the

overall research project, acknowledges the major limitations, and offers suggestions for future research.

2. Background, research model, and proposition development

2.1. COSO, COBIT, and IFAC

The Committee of Sponsoring Organizations of the Treadway Commission (COSO),1 a voluntary private sector organization, seeks to improve financial reporting through business ethics, internal controls, and corporate governance (www.coso.org). COSO currently focuses on enterprise risk management as the means to help management achieve their organization's performance targets, prevent loss of resources, ensure effective reporting, and comply with laws and regulations. As part of good enterprise management, O'Donnell (2005) developed a framework management can use to identify events that should be considered when applying the risk assessment guidelines developed byCOSO (1992).

COSO provides a widely accepted control framework for enterprise governance and risk management (COBIT 4.1). Management's responsibilities include understanding their organiza-tion's IT enterprise architecture and the governance and control that the IT architecture should provide. As a result of SOX, directors are also expected to exercise greater responsibilities relative to IT (Trites, 2004). The IT Governance Institute designed and created COBIT as an educational

resource for chief information officers, senior management, IT management, and control professionals. COBIT presents good practices, representing the consensus of experts, to optimize

IT-enabled investments, ensure service delivery, and provide detailed metrics. COBIT's process

model consists of four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. COBIT subdivides these domains into 34 processes which

provide management with an IT control framework that supports the IT-related components of COSO.

The International Federation of Accountants (IFAC) encourages high quality practices by accountants across the globe. IFAC members and associates represent 2.5 million accountants in 118 countries (www.ifac.org). IFAC, through independent standard setting boards, develops international standards relative to ethics, auditing and assurance, education, and the public sector. IFAC promotes adherence to high quality professional standards and seeks to obtain international convergence of these standards. Relative to IT governance, IFAC's IT committee has developed six international guidelines: Managing Security of Information; Managing Information Technology Planning for Business Impact; Acquisition of Information Technology; The Implementation of Information Technology Solutions; IT Service Delivery and Support; and IT Monitoring. These guidelines are targeted to management. Most of these IT guidelines were published in July 2000.

Comparing these guidelines to COBIT, COBIT provides management with more detailed and

up-to-date guidance relative to IT governance. Organizations seeking to implement COBIT

typically identify a minimal subset of these processes as their initial IT control framework. Organizations incrementally add the remaining processes as their experience and resources permit. Organizations also seek to gradually increase the capability maturity model level of the

1

COSO, formed in 1985, was sponsored by five professional organizations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the (now) Institute of Management Accountants (IMA).

processes they have implemented. That is, COBIT encourages the creation, evaluation, and continuing improvement of IT services critical to achieving business objectives. This paper describes the efforts of one organization to enhance their IT governance along lines similar to those suggested by the COBIT framework.

2.2. Overview of IT governance

IT governance has a direct impact on how IT is managed within an organization (Sohal and Fitzpatrick, 2002). Although numerous authors discuss IT governance, developing a clear and commonly accepted definition has presented a challenge to the information systems control and audit community (Broadbent, 2003; Van Grembergen et al., 2004). IT governance definitions cover a spectrum from an emphasis on structure through to a focus on process. The common theme in the definitions is that effective IT governance assures investments in IT generate business value and mitigates risks associated with IT implementations (Van Grembergen, 2004). Recently, the IT Governance Institute offered the following definition:“IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures, and processes that ensure the enterprise's IT sustains and extends the organization's strategies and objectives” (COBIT 4.1, 2007). Accordingly, this paper views IT

governance as the IT related decision making structure and methodologies implemented to plan, organize, and control IT activities.

2.2.1. IT governance as structure

Much of the prior research on IT governance has focused on the structure and configuration of the IT function and categorizes each organization's IT governance structure as centralized, decentralized, or federal (Sambamurthy and Zmud, 1999).2 Focusing on IT structure alone, however, ignores IT activities and processes that take place within these structures (Sambamurthy and Zmud, 2000). For example, the British Petroleum (Cross et al., 1997), Bell Atlantic (Clark et al., 1997), and Marshall Industries (El Sawy et al., 1999) case studies underscore the considerable gap between scholarly research and contemporary practice. In each case study, the establishment, execution, and evaluation of enterprise decision-making authority for core IT activities was not the only, or even the major, theme of IT governance. Instead, senior IT executives at these organizations focused on other mechanisms, such as sourcing arrangements, strategic alliances, roles, teams, control, and coordinating.

IT governance structure involves the existence of responsible functions for making IT decisions, such as steering committees (Van Grembergen et al., 2004). Staffed by both business and IT executives, the IT steering committee should be the primary governing body for ongoing IT operations and initiatives of the organization, including IT investment projects (Maizlish and Handler, 2005). The IT steering committee is responsible for translating business and strategic goals into actionable plans (Standards Australia, 2005). Successful IT governance requires effective communication among all parties based on constructive relationships (Johnson and Lederer, 2005), a common language, and a shared commitment to IT policies and procedures (ITGI, 2002a).

2

In a centralized structure, corporate IT management has IT decision-making authority concerning IT infrastructure management, IT use, and project management. In the decentralized structure, divisional IT and business-unit management have authority for IT infrastructure management, IT use, and project management. In the federal structure (a hybrid configuration of centralization and decentralization), corporate IT management has authority over IT infrastructure management but divisional IT and business-unit management have authority over IT use and project management.

2.2.2. IT governance as process

IT governance processes involve the implementation of IT management techniques and procedures in compliance with established IT strategies and policies.Kaplan (2005)defines IT governance as the set of processes used by the organization to manage IT,i.e., aligning IT with business objectives, resourcing IT projects, and monitoring IT performance (Vitale, 2001). In particular, IT investment processes involve the identification, acquisition, implementation, and ongoing operation and maintenance activities of IT applications. As a continuous process, effective IT governance provides transparent IT decision making, clear accountabilities, and acceptable and actionable IT measurements. That is, effective IT governance enables business and IT executives to integrate business and IT decisions, implement IT solutions, and monitor IT effectiveness (Ribbers et al., 2002; Broadbent, 2003; Weill and Ross, 2004; Kearns and Sabherwal, 2006/07).

2.2.3. IT outcome metrics

For IT governance to be effective, organizations should monitor their IT performance through appropriate measurement systems (Standards Australia, 2005; COBIT 4.1, 2007). Organizations need multiple sets of metrics to measure their IT operational performance and overall value to the business (Schwarz and Hirschheim, 2003; Willcocks et al., 2002). Recognizing that the business unit assessments of the value of IT may be different across the organization, a structure must be in place to assess the ultimate success of IT (Ross et al., 1999).

Different organizations have different meanings of the term“success”and use different metrics to gauge the success of their IT activities. Previous research on IT success focused on the economic benefits of IT (Bharadwaj, 2000; Hitt and Brynjolffson, 1996). Many organizations have, however, progressed from elementary cost-benefit analyses to an entrepreneurial approach that encompasses the risk, uncertainty, and intangible elements of IT investments including organizational changes facilitated by these investments (Serafeimidis and Smithson, 2000).

2.3. Research model and proposition development

An IT governance framework can be deployed using a mixture of mechanisms. No single

“best”IT governance arrangement exists because IT needs to respond to the unique environments within which it operates (Agarwal and Sambamurthy, 2002). That is, the IT governance design needs to be one that can react quickly to competitive opportunities and efficiently utilise all available resources.

Recall that IT governance encompasses three dimensions: IT governance structure, IT governance process, and IT outcome metrics. The three dimensions are driven by business value. The first dimension, IT governance structure, strives to achieve strategic alignment of IT with the business and includes the mechanisms for decision-making, direction setting, and cascading policies. The second dimension, IT governance process, is driven by embedding accountability into the organization, i.e., establishing the policies and procedures used to implement the IT investment projects. The third dimension, IT outcome metrics, assesses both IT governance structure and processes to ensure that the desired results were and are being obtained.

As illustrated in Fig. 1, IT governance starts by providing IT with direction, i.e., setting business strategies and performance goals. Second, IT investment projects that align with these strategies are developed and resourced. Third, a continuous loop is established by measuring performance and comparing these measurements to objectives, resulting in redirection of activities or changes to objectives, as appropriate. To be successful, an organization needs to be

aware that different strategic contexts require different indicators of value (ITGI, 2002a). Implementing an effective IT governance framework allows business value to be achieved through IT (Kearns and Sabherwal, 2006/07). For effective IT value delivery, IT governance must clearly articulate and implement IT governance arrangements for structure, process, and outcomes. Based on the model shown inFig. 1, five propositions are developed and empirically examined.

2.3.1. IT governance—Corporate related issues

2.3.1.1. IT steering committee composition. IT governance is concerned with the strategic alignment of IT to the business. Effective exchange of ideas and shared understanding of business and IT objectives allow the organizational strategies to adapt harmoniously (Luftman et al., 1999; Johnson and Lederer, 2005). Therefore, IT governance requires significant input from

stakeholders about both strategic business needs and technological capabilities so that organizations can build a clear and comprehensive picture of the connection between business and IT (Zee van der, 2002) and devise IT solutions that transcend functional boundaries (Peterson et al., 2000).

The IT steering committee brings together stakeholders from diverse backgrounds and organizational roles. The executive steering committee monitors IT management and sets IT spending and cost allocations (ITGI, 2003). The IT strategy committee provides directions and assures that individual IT projects align with overall business strategy (ITGI, 2003). The IT steering committee is responsible for project advocacy, and for the provision of adequate resources for both planning and implementation of the IT investment decisions (Parr and Shanks, 2000). Furthermore, compliance with external regulations and internal guidelines should also be overseen by the IT steering committee (Ewusi-Mensah, 1997). If the IT steering committee does not undertake these tasks effectively, desired outcomes are unlikely to be achieved and, in extreme cases, the organization may not comply with regulatory requirements such as SOX.

ITGI (2002c)suggests the membership of the IT steering committee should be composed of sponsoring executives, business unit executives, IT executives, and other key roles such as finance.Weill and Ross (2004)found that effective involvement of the CIO in IT governance is a necessary but not sufficient condition for effective governance. Business unit leaders are also critical in setting high-level architecture and acting as advocates for effective IT governance. An appropriate mix of business and IT executives helps ensure strategic alignment, a balanced portfolio of IT investments, and close coordination of business and IT in the organization. For the IT steering committee to be an effective team, they must have clear goals understood by all members (Sheard and Kakabadse, 2002) and participation by members on a variety of activities and decisions (Mealiea and Baltazar, 2005). The above discussion leads to the following propositions.

Proposition 1a. Higher levels of IT governance effectiveness are associated with a shared understanding of IT and business objectives by members of the steering committee.

Proposition 1b. Higher levels of IT governance effectiveness are associated with active participation of the IT steering committee.

Proposition 1c. Higher levels of IT governance effectiveness are associated with a balanced representation of senior business and IT management on the steering committee.

2.3.1.2. Formulation and communication of IT strategies and policies. Rather than just focusing on purely technology issues, IT management must understand the business, its critical success factors, and how to develop a synergistic portfolio of IT capabilities (Bushell, 2003). Delivering effective IT governance requires an integrative and comprehensive set of strategies to promote more universal views of the value of information and the technology within the business (Van Grembergen, 2004; Kearns and Sabherwal, 2006/07). Critical to the success of IT governance structures and processes is effective communication of IT strategies and policies among all parties. The more effectively management communicates the IT governance mechanisms, how they work, and what outcomes are expected, the more effective are the IT governance processes (Weill and Ross, 2004; Johnson and Lederer, 2005). The above discussion leads to the following propositions.

Proposition 2a. Higher levels of IT governance effectiveness are achieved in the presence of more comprehensive IT strategies and policies.

Proposition 2b. Higher levels of IT governance effectiveness are achieved in the presence of better-communicated IT strategies and policies.

2.3.2. IT governance—Project related issues

2.3.2.1. A priori evaluation and selection of IT investment projects. The objective of the IT investment approval process is to ensure that IT investments generate significant returns to the organization relative to alternative investment opportunities. The range of possible circumstances suggests that no one single evaluation method or metric is likely to fit all cases (Scott Morton, 1990). A complete picture of the likely impacts of an investment can only be given if a balance is achieved between financial and non-financial impact assessments3(Renkema, 2000).

A number of research studies have investigated the relative importance of different risks and have attempted to classify them into categories, such as technology, resource, and business risks (Keil et al., 1998). Each IT investment project may have different levels of acceptable risks and returns. Advocates of IT project risk management claim that by identifying and countering the threats to success, the incidence of project failure can be reduced (Boehm, 1991; Charette, 1989). Early in the system development life cycle, proposed IT investment projects can be examined using a combination of financial, non-financial, and risk analysis (i.e., examined in a more comprehensive manner). Projects subjected to such scrutiny experience a more accurate and complete assessment than projects examined using a less stringent combination of criteria. Obtaining a better appreciation of the risks and returns improves the likelihood of success of these projects relative to projects that experience less rigorous a priori evaluations. The above discussion leads to the following proposition.

Proposition 3. During a priori evaluation the use of more comprehensive sets of value metrics (i.e., combinations of financial, non-financial, and risk) is associated with the success of IT project implementations.

2.3.2.2. Interim evaluation of IT investment project implementation. During the system development stage, interim evaluations are needed so that projected costs and benefits can be revised in the light of updated information about the project. Frequent measurement and evaluation of project management metrics are critical to effective IT governance. The metrics aid in tracking each project's progress, and, when necessary, redirecting or terminating individual projects (Keil, 1995; Keil et al., 2000). Organizations use a variety of indicators for assessing project behaviour or process improvement, e.g., actual versus planned task completions and actualversusplanned resource consumption. Little evidence exists that one type of metrics or one project management methodology is more successful than other methods (Asbrand, 1998). Through a comprehensive set of project management metrics, the organization can provide better control of costs, greater reduction of risks, more substantial improvements in quality, and greater

3

Financial impact assessment addresses the time value of money,i.e., translating costs and benefits into offsetting streams of discounted cash flow (Maizlish and Handler, 2005). The most common financial models applied are net present value (NPV), internal rate of return (IRR), return on investment (ROI), and pay-back methods. Non-financial impact assessment considers mandatory investments where the cost of not investing in a particular project far exceeds the cost of the investment (Maizlish and Handler, 2005). These types of investments include regulatory requirements, competitive responses, and operational necessities whereby sizable losses will occur if investments are not made. The common examples of non-financial value metrics are customer satisfaction, employee satisfaction, service-level improvement, defect reduction, and cycle time improvement.

assurance that the project objectives can be met (Rad and Levin, 2002). Hence, project management metrics enhance the likelihood of implementation success. Thus:

Proposition 4a. The success of IT project implementation is associated with the use of more comprehensive sets of project management metrics during interim project evaluation.

The goal of the formalised project decision making structure is to drive the project to completion. Senior management involvement in or executive support of the structure is a critical success factor to IT project implementation success (Ewusi-Mensah, 1997; Keil et al., 1998). Individuals or committees who take responsibility for IT governance should also exercise important roles relative to the project implementation activities. The activities include setting an appropriate IS development style (Lang et al., 2001), assessing project risk (Keil et al., 1998), ensuring adequate infrastructure (Ewusi-Mensah, 1997), and providing the project with adequate visibility and transparency (Weill and Broadbent, 1998). In addition, the designated individuals or committees provide mechanisms for escalating changes to project resources and timelines (Ewusi-Mensah, 1997) and for establishing a forum for exception handling (Weill and Vitale, 2002). Hence:

Proposition 4b. The success of IT project implementation is associated with the use of greater formalisation of project-decision structure during interim project evaluation.

The literature on strategic use of IT suggests that a very important antecedent to a successful implementation of an information system is a“champion”for the system (Ewusi-Mensah, 1997; Reich and Benbasat, 1990; Beath, 1991). Project champions actively communicate their visions of the project with the project team and obtain support from business stakeholders ( Ewusi-Mensah, 1997). They push the project over or around approval and implementation hurdles. Therefore, the likelihood of success of IT investment projects is substantially improved when one or more project champions are involved (Farbey et al., 1993). Therefore:

Proposition 4c. The success of IT project implementation is associated with higher levels of involvement by the project champion during project development.

2.3.2.3. Ex-post evaluation of IT investment project implementation. The ex-postevaluation phase “closes the loop” on the IT investment implementation process by comparing actuals against estimates to assess performance and identify areas where future IT investment activities can be improved. Some benefits of post-implementation evaluation include compliance with user objectives, improvements in the effectiveness and productivity of the design, and realization of cost savings by modifying systems based on theex-postevaluations (Green and Keim, 1983).

Post-implementation reviews should be conducted to ensure that completed projects are reviewed in a timely manner (Norris, 1996). These reviews should usually occur 3 to 12 months after a project has reached its final completion.4 To ensure independence, objectivity, and consistency the review should be conducted by a group other than the project development team and should use a formalised and documented methodology. The organization should also have policies or procedures that document how information from the post-implementation reviews is to be relayed back to decision makers (Kumar, 1990). This feedback is invaluable for improving

4_{Because there is a great deal of knowledge that can be gained from failed projects, evaluations should also be}

conducted for projects that were cancelled prior to being fully implemented. Although project accountability is important, these evaluations should focus on identifying what went wrong with the project, to learn from mistakes, and to minimize the chances of the mistakes being repeated (Kumar, 1990).

both the system and the business process. Conceptually, a project's implementation success can be determined by the extent to which an organization carries out post-implementation review or evaluation activities. Accordingly:

Proposition 5.The success of IT project implementation is associated with more extensive post-implementation evaluations.

3. Research method

A case study was designed to identify and examine the factors believed to be relevant to IT governance effectiveness and IT implementation success. Organization M has a long history throughout Australia and New Zealand. Organization M was selected for this study because of its complex, dynamic, and information intensive environment. The organization is a large (over 3000 staff), multi-divisional (5 business units), established organization with in-house responsibilities for IT. The organization spends over $200 million on IT capital and operating expenditures each year. Under a major restructuring initiative in early 2000s, the organization formed a business unit structure and evolved into a federal IT governance form so as to align IT functions to the new corporate context. Business systems initiation and development responsibilities, including IT project management, were decentralized to the business units. IT infrastructure development and management responsibilities were centralized to corporate IT. A corporate chief information officer (CIO) was appointed to the centralized IT department. One of the main roles of the department is to provide a structure for identifying opportunities for sharing infrastructure, applications, and data across business units. The CIO responsibilities involve providing strategic IT direction and coordinating IT activities at the corporate level. By early 2002, an IT investment steering committee had been established to review investment project proposals across the organization prior to submission to the board of directors for approval.

Purposeful sampling was used to select the participating projects. At least one project was chosen in each business unit. The selection criteria included staff accessibility and project significance in terms of monetary investments or operational impacts.

In-depth, semi-structured interviews were used to collect the data. All constructs were adapted from existing instruments and underwent pre-testing to ensure construct validity. Appendix A contains the constructs, descriptions, and sources for the questions included in the survey instrument. Each interview contained both closed-and open-ended questions (Appendix B). Besides interviews, internal documents and external reports were also examined.5 The data collection process was undertaken over a 6 month period commencing in April 2005.

Two groups of semi-structured interviews constituted the primary source of data. The first group of nine senior managers participated in the data collection for IT governance structure at the corporate level,i.e.Proposition 1 (decision making) and Proposition 2 (IT strategies and policies). The participants6 were considered knowledgeable about IT governance issues. Approximately 80% (7 out of 9) of the respondents have worked in the organization for more than five years.

5

Examples of internal documents included business plans, IT project plans and audit reports, IT investment proposals, the steering committee charter, and IT governance manuals. External reports included annual reports, organisation charts, and other published reports.

6

IT steering committee participants included the CIO, CFO, and a senior business executive. The non-IT steering committee participants represented the corporate IT function and senior business management groups. The non-IT steering committee participants actively supported the IT steering committee operations by providing technical advice, developing IT governance framework, and monitoring IT governance performance or were business sponsors of IT projects.

The second group of thirteen IT and non-IT participants were selected for the data collection of IT governance processes at the project level,i.e.Section 4.3.1:Propositions 3 (prior evaluation), Section 4.3.2:4 (interim evaluation), and Section 4.3.3:5 (postevaluation). Eight projects were selected. Data were collected from the project managers, business sponsors, and key business representatives who were actively involved in the project evaluation processes.

Approximately 60% of these respondents have worked in the organization for more than five years. At least one participant was selected from each business unit.

4. Results

4.1. Assessment of IT governance effectiveness

Evaluating IT governance performance involves assessing the level of effectiveness in delivering the four objectives identified byWeill and Ross (2004). A fifth objective, compliance with the legal and regulatory requirements, was included in the assessment.Table 1lists the items used to assess the effectiveness of each of the five objectives and provides a measure of overall IT governance effectiveness. When assessing governance performance, senior managers first identified the importance of the five factors in their organization and then rated the organizational performance of each factor. The average assessment for each of the five categories is contained in

Table 1.

To compare with the average governance score of 69 reported inWeill and Ross (2004), the score on the 7-point scale was adjusted to a 100-point scale. The result of overall IT governance effectiveness score for Organization M was 58 out of 100 (4.04/7⁎100). FromTable 1it appears that the most problems are occurring in the effective use of IT for growth area. This

Table 1

IT governance performance

All respondentsN= 9 Mean Max Min Standard deviation

Cost effective use of IT 3.93 6.00 3.00 1.22

Effective use of IT for growth 3.06 5.00 2.00 0.97

Effective use of IT for asset utilisation 4.69 7.00 1.00 1.88

Effective use of IT for business flexibility 3.79 5.00 3.00 0.67 Effective use of IT for compliance with legal and regulatory requirements 4.53 7.00 3.00 1.27

Overall IT governance effectiveness 4.04 5.08 3.00 0.75

Table 2

Descriptive statistics of decision making structure and IT strategies and policies

Proposition Mean⁎ Max Min Standard deviation

Decision making structure

1a: Shared understanding 4.99 7.00 1.50 1.39

1b: Active participation 6.11 7.00 5.00 0.78

1c: Balanced representation 6.22 7.00 4.00 0.94

IT strategies and policies

2a: Comprehensive 4.57 6.00 3.00 0.99

2b: Communicated 4.00 6.00 1.00 1.35

ineffectiveness may, in part, be attributable to the lack of comprehensive and well-communicated IT strategies and policies.

4.2. IT governance—Corporate level

Table 2 presents descriptive statistics for responses to the closed ended questions for the corporate level constructs measured via the 7-point scoring instrument used during the interviews. The associations within the research model were tested using Pearson correlations7 (Table 3).

4.2.1. IT decision making structure—Proposition 1

In early 2002, Organization M established an IT steering committee in response to a number of costly and embarrassing problems with implementation of various IT projects. The IT steering committee was chartered to provide leadership, guidance, and oversight of IT investments at the corporate level. To achieve this mission, the CEO works with a small team of business unit heads including the CIO and the CFO.8The team meets monthly. Their main responsibility is to ratify principles, to handle IT-related investment decisions greater than $500K, and to balance corporate and business unit priorities. All the respondents stated that the IT steering committee had successfully brought the IT budget under control.

4.2.1.1. Proposition 1a—Shared understanding. Proposition 1a predicts a positive association between the effectiveness of IT governance and the level of shared understandings of IT and business objectives exhibited by the IT steering committee members. This proposition was not statistically supported by the responses to the closed-ended questions (Table 3), however, the interview data obtainedviaopen-ended questions demonstrated support in two ways. First, the executive leadership understands both IT and other aspects of business that contribute to placing value on IT. Second, the IT steering committee is accustomed to sharing information and perspectives that can enhance decision making. The IT members of the IT steering committee improve the ability of business leaders to understand the role of IT in business and technologic issues. One interviewee statedIf he [the CIO] doesn't understand the business issues, he has enough knowledge to ask questions that would lead into matching the business requirements with the IT capabilities.Another interviewee supported this positionYou probably don't need to have extensive IT knowledge as long as you have got people who have IT knowledge and can convert the jargon into what it really means to the business.

The collaborative approach taken by the IT steering committee also provides opportunities for members to work together and to develop trust relative to enterprise-wide IT efforts. IT steering

7

Spearman Correlations were also calculated and are only referred to if the conclusions are different.

8

CEO—Chief Executive Officer; CIO—Chief Information Officer, CFO—Chief Financial Officer. Table 3

Pearson correlations (level of significance) of decision making structure Pearson correlations N= 9 1a: Shared understanding 1b: Active participation 1c: Balanced representation

2a: Comprehensive 2b: Communicated

Governance 0.039 0.512 −0.298 −0.251 0.222

Performance (0.460) (0.079) (0.218) (0.258) (0.283)

committee members share their individual knowledge to achieve the goals of providing advice, counsel, and corporate direction for investment proposals and opportunities. The interviewees considered this knowledge sharing increased the effective use of IT. Thus, although no statistically significant support was detected, the open-ended responses indicated qualitative support for Proposition 1a.

4.2.1.2. Proposition 1b—Active participation. Proposition 1b predicts a positive association between the effectiveness of IT governance and the active participation of the IT steering committee in IT initiatives. Responses to the closed-ended questions provide moderate statistical support (Table 3) for Proposition 1b (correlation coefficient = 0.512;p= 0.079). Responses from the open-ended interview questions revealed that, in the past few years, the IT steering committee met regularly to establish architectural principles, outline key projects, and closely manage IT investment priorities. The committee was also involved in the implementation of enterprise systems. Recently, the executive leaders emphasized the value of IT for the organization in performing its mission by committing to transform IT from primarily a back-office function to becoming a strategic enabler. These leaders actively review IT strategies, sometimes even building coalitions with other organizations. The interviewees believed these initiatives have increased the effectiveness of IT within the business. As one interview stated I think we have established strong controls, strong governance, good filter systems, strong IT steering committee involvement, and involvement from the business so IT is not just an IT problem, it's the business as well. Thus, for Proposition 1b, there is both statistical support from the closed-ended responses as well as qualitative support from the open-ended responses.

4.2.1.3. Proposition 1c — Balanced representation. Proposition 1c predicts a positive association between the effectiveness of IT governance and more balanced representation of senior business and IT management on the IT steering committee. This proposition was not statistically supported by the responses to the closed-ended questions (Table 3). The responses obtainedviaopen-ended questions suggested that Organization M's decision making structure, by teaming IT and business leaders, had, however, resulted in generally higher IT governance effectiveness. One interviewee stated that they thought“the steering committee is working well because it has the best coverage of the business.”In particular, the arrangement offers valuable opportunities, e.g., the ability to efficiently and effectively align IT project investments with business strategic objectives. Thus, although no statistically significant support was detected, the open-ended responses indicated qualitative support for Proposition 1c.

4.2.1.4. Key challenges of IT decision making structure. While the interviewees considered that there is a reasonable balance of senior business and IT management on the IT steering committee, one of the most difficult challenges facing the IT steering committee is resolving the different needs of business units that vary markedly in size. The smaller size business units have little/no participation on the committee. Typically, the entire organization benefits by focusing more resources on and shaping policies around the needs of dominant business units.

4.2.2. IT strategy and policy—Proposition 2

Organization M's IT governance structure has its focus in a senior management IT steering committee. To ensure reliability, integration, and cost effectiveness, the committee mandated the organization's highly centralised and standardised IT environment. These principles have consistently guided other key IT decisions at the organization. The IT department is responsible

for enforcing architecture standards. The IT steering committee works to ensure that the business units' commitment to standards does not unintentionally restrict the organization's flexibility to cope with significant changes in the business environment.

While the IT steering committee determines architecture and promotes standard decisions, business leaders take responsibility for identifying IT priorities and alignment processes. Key alignment processes include formal processes for ensuring that daily IT activities are consistent with IT polices,e.g., IT project tracking. According to the interview findings, these multiple IT governance arrangements are not effectively implemented in the organization. As of the end of data collection, senior management has not been able to make IT strategies and policies transparent so that everyone understands and follows the processes for proposing, implementing, and using IT.

4.2.2.1. Proposition 2a— Comprehensiveness. Proposition 2a predicts a positive association between the effectiveness of IT governance and more comprehensive IT strategies and policies. This proposition was not statistically supported by the responses to the closed-ended questions (Table 3). The responses obtained via open-ended questions, however, revealed that the formulation of IT strategies and policies were not effective as of the end of data collection.

First, the strategies and policies did not provide clear directions. The IT steering committee was supposed to develop IT strategies. Due to diversity of business unit priorities and complexity of business unit reporting structures, the formulation of IT strategies and polices proved challenging. Second, the lack of IT and business alignment appeared to have created inconsistent and unrealistic expectations. Third, the IT department had the role of setting policies for IT activities. It issued policies without obtaining appropriate feedback and involvement of the stakeholders. In addition, the documentation was not sufficiently clear to provide what the business units needed in terms of standards and best practices. One interviewee stated thatI don't think we have got good strategies. We are still trying to get our act together.The interviewees believed that the paucity and lack of comprehensiveness of IT policies had lowered the level of IT governance effectiveness. Thus, although no statistically significant support was detected, the open-ended responses indicated qualitative support for Proposition 2a. That is, the interviewees agreed that a positive association exists between the effectiveness of IT governance and more comprehensive IT strategies and policies but that Organization M needed improvements in this area.

4.2.2.2. Proposition 2b — Communication. Proposition 2b predicts a positive association between the effectiveness of IT governance and the quality of communication of the IT strategies and policies. This proposition was not statistically supported by the responses to the closed-ended questions (Table 3). The responses obtained via open-ended questions indicated the communication of IT strategies and policies were not currently effective.

Organization M communicates its IT strategies and policiesviatwo key communication tools: the intranet and senior management announcements. The intranet provides a central communication channel to educate organizational members on IT governance processes. Senior management announcements clarifying priorities and demonstrating commitment usually receive a great deal of attention throughout the organization. A current IT initiative seeks to create a more integrated organization. Integrating formerly autonomous functions and business units involves changes in not only IT but also in business processes and organizational culture.

The use of communication tools such as the intranet and senior management announcements can produce high impact but are challenging to implement. When implemented well, they led to

better IT governance performance. All respondents in this study stated that, through the end of the data collection period, communications of IT strategies and policies had not been effective. One interviewee stated thatthe strategies probably need to be more widely assessable. Not everybody goes to the intranet, so therefore other channels…or other methods could get that information to them. The main issue is that organization members often do not know what decisions are the responsibility of other stakeholders and what decisions are part of their own responsibilities. Thus, they considered that the poor communication of IT strategies and policies had lowered the effectiveness of IT governance. Thus, although no statistically significant support was detected, the open-ended responses indicated qualitative support for Proposition 2b. That is, the interviewees agreed that a positive association exists between the effectiveness of IT governance and the quality of communication of the IT strategies and policies but that Organization M needed improvements in this area.

4.2.2.3. Key challenges of IT strategies and policies. Although Organization M's corporate level governance influences decisions at the business unit level, business units often need their own governance arrangements and corresponding mechanisms. Good governance in a multi-business unit organization requires connections between enterprise wide and business unit governance. These multiple mechanisms had inadvertently created confusion over who is responsible for specific tasks or limited the ability of managers to manage outcomes for which they are responsible. The design of IT governance should clarify management objectives and metrics.

4.3. IT governance—Project implementation success level

In the past few years, Organization M's business objectives emphasized cost reduction and efficiencies to improve operational performance. With the recent additional external pressures, the organization has experienced major impacts on its IT operating environment. Previously financial performance was viewed as a significant indicator of success. The organization now recognises that a more balanced approach is necessary. For IT, providing reliable services has become its priority. For example, the organization has improved its operational and communication systems to ensure a faster and more communicative response to power outages.

Table 4

Descriptive statistics of interim evaluation

Propositionsa Mean⁎ Max Min Standard deviation

Prior evaluation and selection (n = 13)

3: Comprehensiveness of value metrics 5.37 6.73 2.09 1.17

Interim evaluation (n = 12)

4a: Comprehensiveness of project management metrics 6.06 7.00 2.00 1.33 4b: Formalisation of project-decision structure 6.08 7.00 4.00 1.16

4c: Involvement of project champion 5.17 7.00 1.00 1.70

Post-implementation (n = 8)

5: Formalisation of post-implementation evaluation 4.80 5.56 3.95 .056

a

For interim evaluations the sample was reduced to 12 because one of the respondents did not complete the interim evaluation process and was unable to provide scores for this section. For postevaluations sample size is reduced to 8 because five respondents did not participate in theex-postevaluation process and were unable to provide responses to this section.

Eight projects implemented contemporaneously with the changing business conditions were selected in the study. Thirteen participants were interviewed for the eight projects. The average score for overall project implementation success was 5.92 out of 7 indicating that the stakeholders were generally satisfied with the project implementations.Table 4presents descriptive statistics for responses to the closed-ended questions. The project level constructs were measured during the interviews viathe 7-point scoring instrument. The associations within the research model were tested using Pearson correlations9(Table 5).

4.3.1. Prior evaluation and selection—Proposition 3

Proposition 3 predicts that the use of more comprehensive sets of value metrics are associated with the success of IT project implementations. The value metrics should include financial, non-financial, and risk assessments. Responses to the closed-ended questions provide strong statistical support for Proposition 3 (correlation coefficient = 0.801; p= 0.001) indicating a positive association between comprehensive value metrics and IT project success. Responses to the open-ended questions revealed the existence of formal policies or processes for project selection and approval. Decisions are made on the recommendation of the IT steering committee. The IT steering committee meets every month. The committee has a budget for IT related projects and takes a formal portfolio approach to IT investment.

4.3.1.1. Key challenges of prior evaluation and selection. A major challenge facing Organization M in implementing IT project governance is formulating appropriate benefit and performance measurements for IT investments. Many of the existing management framework measures are designed for profit-seeking organizations where the performance measures of NPV, on-time on-budget, and shareholder value are clear.

The process for approving project proposals at Organization M is a key governance issue. Sometimes legitimate project proposals are clouded with political agendas and are not transparent regarding how individual project proposals contribute to the ultimate objectives of the organization. Organization M's failure to produce a long-term enterprise-wide IT strategic plan may have also contributed to exacerbating these and other problems. Interviewees indicated that the approval process sometimes appeared preferential, arbitrary, and unilateral.

4.3.2. Interim evaluation—Proposition 4

With the increase in project investment and accountability, the ability to execute and oversee IT projects has become increasingly important for Organization M. Overseeing IT projects includes issues such as project management metrics, project evaluation procedures, and project champions.

9

Spearman Correlations were also calculated and are only referred to if the conclusions are different. Table 5

Pearson correlations (level of significance) Pearson correlations N= 9 3: Prior evaluation-comprehensiveness of value metrics 4a: Interim-project management metrics 4b: Interim-project decision structure 4c: Interim-project champion 5: Formalisation of post-implementation evaluation Project 0.801 0.704 0.345 0.466 0.583 Success (0.001) (0.005) (0.136) (0.063) (0.065)

4.3.2.1. Proposition 4a — Project management metrics. Proposition 4a asserts that comprehensive sets of project management metrics and methodologies are critical to the success of IT project implementations. Responses to the closed-ended questions provide strong statistical support for Proposition 4a (correlation coefficient = 0.704;p= 0.005) substantiating the positive association between comprehensive value metrics and IT project success (Table 5). Milestones and targets need to be actively monitored to track the progress of each project. The responses to the open-ended interview questions indicated that two criteria were used in Organization M's projects. First, in most projects, the amount of meeting time and budget requirements are commonly evaluated. Second, operating criteria are used to measure application performance,

e.g., number of errors. Thus, for Proposition 4a, there is both statistical support from the closed-ended responses as well as qualitative support from the open-ended responses.

4.3.2.2. Proposition 4b—Project decision structure. Proposition 4b predicts that the success of IT project implementation is associated with the formalisation of project-decision structures. This proposition was not statistically supported by the responses to the closed-ended questions (Table 5). The responses obtained via open-ended questions, however, demonstrated some support. All projects had some level of formalisation of the project-decision structures. The interviewees generally considered that this formalisation had helped in the success of the projects. One interviewee statedWe used X's methodologies which were audited by Y. They also did the QA audit. Among the selected projects, however, four projects with large monetary investments established their own steering committees to track the project progress. The committees were ultimately accountable for project delivery and responsible for addressing issues such as project risks and organizational capacity. This greater than normal, formalised project support and reporting structure was widely acknowledged as a key critical success factor for these particular projects. It also influenced both the allocation of resources and the commitment to change management. Thus, although no statistically significant support was detected, the open-ended responses indicated qualitative support for Proposition 4b.

4.3.2.3. Proposition 4c — Project champion involvement. Proposition 4c predicts that the success of IT project implementation is associated with higher levels of involvement of project champions. Responses to the closed-ended questions provide moderate statistical support (Table 5) for Proposition 4c (correlation coefficient = 0.466; p= 0.063). Responses to the open-ended questions revealed that having a project champion was important. The project champions were typically a visible senior manager or a team committed to promoting the implementation process and to enabling changes in related processes. In particular, the project champion's leadership skills play a critical role in implementation success. The project champion must continually resolve conflicts and manage resistance, as well as manage change. As one interviewee statedThere was one person, one channel, one avenue for people to communicate any issues or ask any questions.

Thus, for Proposition 4c, there is both statistical support from the closed-ended responses as well as qualitative support from the open-ended responses.

4.3.2.4. Key challenges of interim evaluation. The IT steering committee is mainly focused on project approval activities. Once project funds are approved, most projects do not remain subject to the same rigor for ongoing governance processes such as active executive involvement, monitoring, and measuring benefits. Top management support and involvement is generally accepted as a key factor to success. Participant comments indicated that the IT steering committee has only a limited awareness of how the project benefits are delivered and how risks are managed. As a result, outright cancellation of

a project and initiative is often difficult for either logical or political reasons. The research findings also revealed that a project would often need to be a complete disaster for it to be tagged as a failure.

Project oversight occurs at many levels both internal and external to departments/business units. However, varied opinions exist as to how much oversight is necessary and when it should occur. Some business project sponsors delegated their oversight responsibilities to external consultants or contractors. These extra personnel were usually an expense of the department/ business unit because the corporate IT department did not have the resources to undertake such resource intensive tasks. The burden of meeting the corporate IT department's oversight requirements was considered by some participants to be excessive, redundant, and, at times, trivial. In particular, some participants felt that the corporate IT department's oversight requirement for a department/business should have been tied to the capability of the organizational unit. On the other hand, some participants felt that independent oversight was an absolute must, because departments/business units cannot effectively police themselves.

4.3.3. Ex-post evaluation—Proposition 5

Proposition 5 predicts that the formalisation of post-implementation evaluations is associated with the success of IT project implementation. Responses to the closed-ended questions provide moderate statistical support (Table 5) for Proposition 5 (correlation coefficient = 0.583;p= 0.065). The responses to the open-ended questions indicated that the respondents agreed that the lessons learned are valuable in refining and improving project standards and controls. Organization M did not develop a project culture or discipline to conductex-postevaluations after new systems were implemented. One interviewee statedPeople seem to have a culture of accepting what they have got. The IT steering committee did not oversee IT project implementation. Therefore, the main barriers of post-implementation review were management commitment to continuous improvement and sanitised reporting with problem issues buriedi.e., sometimes it appears that

We are happy that the system seems to be working ok, and we don't want to tinker with it any further. We don't want to really measure its effectiveness.

4.3.3.1. Key challenges of ex-post evaluation. The organization has focused on the easily quantified traditional measures of success,i.e.,“on time”and “on budget.”These two metrics were also consistent with the participants' definition of project success. The capability to accurately assess benefits delivered, however, remains poor. According to the researcher's observations, the overwhelming majority of users are still complaining about the performance of some applications studied in this research. To consistently measure and demonstrate project success, the organization should shift away from traditional time and cost measures.

5. Conclusions, limitations, and future research

This research study was motivated by the desire to improve our understanding of how large and complex organizations devise, implement, and assess their IT governance arrangements. This research investigated the factors influencing the IT governance effectiveness and project implementation success. Data (both quantitativeviaclosed-ended questions and qualitativeviaopen-ended questions) were collected from a single case site in which the governance structural variables were studied at the corporate level and IT governance process variables were studied at the project level.

The results obtainedviathe use of the quantitative data supported the propositions in a small number of instances. Due to the limited size of the dataset, the responses to open-ended questions were also examined. The summary findings for each proposition are contained inTable 6.

With regard to the proposed research framework, and consistent with previous studies, Proposition 1 is supported qualitatively. That is, interview responses from the open-ended questions indicated that higher levels of IT governance effectiveness is associated with a shared understanding of IT and business objectives among the members (Section 4.2.1.1:Proposition 1a) and a more active IT steering committee (Section 4.2.1.2:Proposition 1b) comprised of a balanced representation of senior business and IT management (Section 4.2.1.3:Proposition 1c).

Analysis of the responses to the open-ended questions indicate that a lack of comprehensive and poorly communicated IT strategies and policies reduces the effectiveness of IT governance (Section 4.2.2.1: Proposition 2a and Section 4.2.2.2: Proposition 2b),i.e., the more management communicates formally about the existence of IT strategies and policies, how they work, and what outcomes are expected, the more effective is IT governance.

The study's results moderately support the assertion that the success of IT project implementation is characterized by more comprehensive sets of value metrics (i.e. financial, non-financial, and risk), rather than formal bureaucratic structures (Section 4.3.1:Proposition 3). Moreover, IT project implementation success is associated with comprehensive sets of project management metrics (Section 4.3.2.1:Proposition 4a), greater formalisation of the project-decision structure (Section 4.3.2.2:Proposition 4b), and the presence of a project champion (Section 4.3.2.3:Proposition 4c). The findings indicate that a critical step in implementing effective IT governance is the development of the discipline to track and communicate the progress of individual IT projects thereby allowing stakeholders to systematically influence IT implementation decision making, learn from their performance, and develop a shared understanding. The results also indicate that formalisation of post-implementation review is moderately related to IT project implementation success (Section 4.3.3:Proposition 5).

From a theoretical perspective, this empirical research contributes to the existing research by developing a model of the factors influencing IT governance effectiveness and examining the relationshipsviaan in-depth single case study in a large and complex organization. The model

Table 6

Summary of overall results

Propositions Supported statistically Supported by open-ended questions

Decision making structure

1a: Shared understanding No Yes

1b: Active participation Moderate Yes

1c: Balanced representation No Yes

IT strategies and policies

2a: Comprehensive No Yes

2b: Communicated No Yes

Prior evaluation and selection

3: Comprehensiveness of value metrics Strong Yes

Interim evaluation

4a: Comprehensiveness of project management metrics Strong Yes 4b: Formalisation of project-decision structure No Yes

4c: Involvement of project champion Moderate Yes

Post-implementation

seeks to encapsulate our knowledge about the top-down development of structural mechanisms, implementation of process mechanisms, and assessment of outcomes. This study focused on the organizational factors and methodological comprehensiveness that adequately describe and explain IT governance performance and project implementation success. The findings validated the assertions that IT governance is not solely concerned with the formal allocation of IT decision-making authority. Irrespective of the locus of control, developing collaborative management styles and adequate communication capabilities should be included for the effective governance of IT (Peterson et al., 2000; Weill and Ross, 2004).

For IT practitioners, this study indicates that organizations implement their governance arrangements through a combination of structures, processes, and outcome metrics. Furthermore, these IT governance arrangements do not act in isolation. Several principles were observed for devising effective IT governance. First, complex organizations require multiple decision making structures providing more opportunities for contradictions and disconnections. The IT steering committee10should unambiguously define its responsibilities and objectives. Business units often need their own IT governance processes in IT project implementations. IT implementation success requires connections between the corporate and business unit governance. Well-formulated IT strategies and policies can provide these connections. The use of performance metrics and project champions can aid significantly in controlling IT development processes and monitoring IT operations quality.

The usual caveats associated with interview-based research apply here. Within these caveats the most significant limitation is the small sample size upon which to base the statistical conclusions. The small sample did not allow more advanced techniques to be used. With data being collected from only one case study firm, the additional limitation of generalizability of results also applies. Furthermore, the researchers relied upon the business analyst within the case study firm to help with the identification of the groups for receiving the questionnaire and also for the interviews.

The results of this study suggest several areas for future research. First, more in-depth case studies across a variety of industries, as well as a large scale survey of enterprise practices would likely provide valuable insights. These case studies should also attempt to examine a variety of levels of governance effectiveness. Second, this case study documents a change of landscape of the IT marketplace over the past few years. Today, external partners serve a very active role in many organizations' IT governance arrangements. Monitoring the IT performance of joint ventures has become a priority and suggests that the research model could be extended to incorporate external partners. Third, there is a need to better understand the dynamics of organizational adaptation of the IT governance decision making structure in response to the changing organizational and industry contingencies. Further studies can examine the attitude of multiple business units to IT governance within a large and complex organization. Fourth, IT governance is critical to organizational learning about IT value. The alignment of IT governance with IT value drivers seems particularly fruitful for future research. Fifth, case studies, including action research, should be conducted in organizations attempting to implement the COBIT

framework.

10

A balanced membership of the IT steering committee facilitates input about both strategic business needs and technology capabilities. Effective IT governance requires active involvement of the IT steering committee and shared understanding of IT and business objectives. A participative management style, with an emphasis on collaboration and communication, is important. The business unit leaders provide significant additional leverage when they are effectively involved. Their involvement means that there are fewer surprises for personnel who are affected by changes in policies and procedures, and engenders trust in the organization's leadership.

Appendix A. Summary of Construct

Construct Variable Operationalisation Source

Decision making structure

1a: Level of shared understanding of business and IT objectives

Low High Clark and Brennan

(1991),Daft (2004), Hasting (1993) Shared understanding

•Mutual knowledge, mutual beliefs, and mutual assumptions

•Shared effort to achieve objectives, finding solutions to problems, and meeting the needs of all stakeholders in timely and efficient manner

7-point scoring instrument: respondent explanation of scores

1b: Degree of active participation

Low High Coakes (1999),

Waddock et al. (2003) Active participation

•Involve in IT decision making •Formulate IT strategies and policies •Implement IT strategies and polices •Evaluate IT projects

7-point scoring instrument: respondent explanation of scores

1c: Balanced representation of senior business and IT management

Low High Weill and Ross

(2004) IT steering committee composition

•Sponsoring executive •Business executive •Non-executive •CIO •Key advisors

7-point scoring instrument and respondent's explanation of scores IT strategies and

policies

2a: Level of comprehensiveness

Low High Hax and Majluf

(1996) IT strategies and policies

formulation

•Provide direction—stability, control, flexibility, business alignment •Formal and clear—documented, consistency

7-point scoring instrument and respondent's explanation of scores

2b: Level of communication effectiveness

Low High Peng and

Litteljohn (2001) Communication approaches

•Accessibility—senior management announcement, formal committee, office of CIO, working with nonconformists, web-based portals, manuals

•User understanding and feedback 7-point scoring instrument and respondent's explanation of scores A priori evaluation and selection of IT investment project 3: Level of comprehensiveness of value metrics

Low High Butler et al.

(1993) Value metrics

•Set specific and measurable goals

•Match business requirements, control, market share improvement, competitive position

A priori evaluation and selection of IT investment 3: Level of comprehensiveness of value metrics Low High Value metrics

•Select the appropriate evaluation methods such as financial assessment, non-financial assessments, and risk assessments 7-point scoring instrument and respondent's explanation of scores Interim evaluation of IT investment project implementation 4a: Level of comprehensiveness of project management metrics

Low High Ewusi-Mensah

(1997),Nah et al. (2003)

Project management metrics •Employ sound project

management technique and control metric

•Document project risks and critical success factors 7-point scoring instrument and

respondent's explanation of scores 4b: Level of

formalisation of project-decision structure

Low High

Project decision structure

•Provide a structure to which to escalate changes to project costs, timelines etc

7-point scoring instrument and respondent's explanation of scores 4c: Level of involvement of project champion Low High Project champion

•Communicate mandates and their implications

•Share a global view of the project with project team and project benefits with the business stakeholders 7-point scoring instrument and respondent's explanation of scores Ex-post evaluation of IT investment project implementation 5: Level of formalisation of post-implementation evaluation

Low High Kumar (1990)

Post-implementation evaluation

•Ensure data remains complete, accurate and valid during its input, update and storage

•Assess regularly over time for operation quality and compliance with control requirements.

•Ensure problems and incidents are resolved, and the cause investigated to prevent any recurrence •Management oversees the control process 7-point scoring instrument and

respondent's explanation of scores IT outcomes Corporate level

assessment IT governance performance effectiveness

Low High Weill and Broadbent

(1998),Willcocks et al. (1997) IT governance performance

•Cost effective use of IT •Effective use of IT for growth •Effective use of IT for asset utilisation •Effective use of IT for business flexibility •Compliance with legal and

regulatory requirements

7-point scoring instrument: explain grade Strategic and financial objectives such as profitability, revenue, market share, customer satisfaction as indicated by internal reports and annual reports

Appendix A(continued)