Enhancing IT governance practices: A model and case study of an organization's efforts

https://doi.org/10.1016/j.accinf.2007.07.002

Abstract

For many organizations, Information Technology (IT) enabled business initiatives and IT infrastructure constitute major investments that, if not managed properly, may impair rather than enhance the organization's competitive position. Especially since the advent of Sarbanes–Oxley (SOX), both management and IT professionals are concerned with design, implementation, and assessment of IT governance strategies to ensure that technology truly serves the needs of the business. Via an in-depth study within one organisation, this research explores the factors influencing IT governance structures, processes, and outcome metrics. Interview responses to open-ended questions indicated that more effective IT governance performance outcomes are associated with a shared understanding of business and IT objectives; active involvement of IT steering committees; a balance of business and IT representatives in IT decisions; and comprehensive and well-communicated IT strategies and policies. IT governance also plays a prominent role in fostering project success and delivering business value.

Introduction

Failures, unfulfilled promises, and disappointments associated with IT initiatives are rife (Hollaway, 2005; ITGI, 2002b; Willcocks et al., 2002). Publicized examples include Nike's supply chain software that resulted in a US $200 million loss (Songini, 2001) and Hershey's experience of a major IT-induced nightmare immediately before their Halloween season (The Wall Street Journal, 1999). Unfortunately, only 29% of all IT projects succeed (The Standish Group, 2004), with CIOs of Fortune 1000 companies estimating that 40% of all their IT projects failed to yield a positive return (Watters, 2004).

Many organizations make huge investments in IT to secure or maintain competitive advantages (Applegate et al., 2003). IT-enabled business investment projects are still believed to present the possibility of higher rates of return on investment than traditional types of investments (ING Investor Relations, 2004). The success of many organizations depends on how effectively they manage and control IT to ensure that the expected rewards are realized. Effective IT governance generates real business benefits such as enhanced reputation, trust, product leadership, and reduced costs. As examples, IBM implemented supply chain improvements that saved US $12 billion by reducing inventory levels and the UK Royal Mail adopted business and accounting systems that resulted in a positive profitability change of £3 million per day (ITGI, 2006).

IT governance arrangements encompass mechanisms that enable business and IT executives to formulate policies and procedures, implement them in specific applications, and monitor outcomes (Weill and Broadbent, 1998). Thus, governance arrangements include structural, process, and outcome metric dimensions. Structural arrangements consist of the organizational units and roles responsible for making IT-related decisions. Process dimensions focus on the implementation of IT management techniques and procedures in compliance with established IT strategies and policies. Outcome metrics are the mechanisms used to assess the effectiveness of IT governance and to identify improvement opportunities.

To date, little experience-based research has investigated what IT governance arrangements work best (Weill and Ross, 2004). Devising IT governance arrangements is challenging because the success of IT strategies and procedures is contingent upon a variety of internal and external factors, such as workgroup interdependencies, value chain alliances, and competitive environments. Furthermore, successfully implementing an IT governance framework is also a complex endeavour because organizations must integrate the unique expertise of diverse stakeholders and service providers. For example, sharing domain knowledge promotes effective business manager involvement in IT planning as well as IT manager participation in business planning (Kearns and Sabherwal, 2006/07).

The purpose of this study is to increase our understanding of the factors influencing IT governance structures, processes, and outcome metrics. This study addresses the gap that exists between theoretical frameworks, prior empirical research, and contemporary practices on effective IT governance. This study develops a model of the factors influencing IT governance effectiveness in an organization and enriches the existing IT governance research by providing an in-depth case study of both structural and non-structural IT governance arrangements. This research is expected to help organizations in a number of ways. First, it provides insights that executive management can use to establish effective IT steering committees. Second, the research can help organizations develop ideas for implementing their IT strategies and policies. Third, it can help IT management identify action plans for establishing IT project metrics. Fourth, the study can serve as a reference against which organizations can compare their IT governance effectiveness.

The remainder of this paper consists of four sections. Section 2, the next section, provides an overview of IT governance, presents the research model, and develops the five propositions examined in this research. Section 3 describes the case study used to examine factors associated with effective IT governance and successful IT implementations. Section 4 reports the results from investigating each of the five propositions. Section 5, the final section, summarizes the overall research project, acknowledges the major limitations, and offers suggestions for future research.

Section snippets

COSO, CobiT, and IFAC

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private sector organization, seeks to improve financial reporting through business

Research method

A case study was designed to identify and examine the factors believed to be relevant to IT governance effectiveness and IT implementation success. Organization M has a long history throughout Australia and New Zealand. Organization M was selected for this study because of its complex, dynamic, and information intensive environment. The organization is a large (over 3000 staff), multi-divisional (5 business units), established organization with in-house responsibilities for IT. The organization

Assessment of IT governance effectiveness

Evaluating IT governance performance involves assessing the level of effectiveness in delivering the four objectives identified by Weill and Ross (2004). A fifth objective, compliance with the legal and regulatory requirements, was included in the assessment. Table 1 lists the items used to assess the effectiveness of each of the five objectives and provides a measure of overall IT governance effectiveness. When assessing governance performance, senior managers first identified the importance

Conclusions, limitations, and future research

This research study was motivated by the desire to improve our understanding of how large and complex organizations devise, implement, and assess their IT governance arrangements. This research investigated the factors influencing the IT governance effectiveness and project implementation success. Data (both quantitative via closed-ended questions and qualitative via open-ended questions) were collected from a single case site in which the governance structural variables were studied at the

References (76)

  • B.W. Boehm. Software risk management: principles and practices. IEEE Softw (1991)
  • M. Broadbent. The right combination (2003)
  • S. Bushell. Retooling retail (2003)
  • R. Butler et al. Strategic investment decisions: theory, practice and process (1993)
  • R.N. Charette. Software engineering risk analysis and management (1989)
  • H.H. Clark et al. Grounding in communication
  • C. Clark et al. Building change-readiness IT capabilities: insights from the Bell Atlantic experience. MIS Q (1997)
  • E. Coakes. Focus issue on legacy information systems and business process change: the role of stakeholders in managing change. Commun ACM (1999)
  • CobiT 4.1. Rolling Meadows (2007)
  • Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Internal control — integrated framework (1992)
  • J. Cross et al. Transformation of the IT function at British Petroleum. MIS Q (1997)
  • R.L. Daft. Organization theory and design (2004)
  • O. El Sawy et al. IT-intensive value innovation in the electronic economy: insights from Marshall Industries. MIS Q (1999)
  • K. Ewusi-Mensah. Critical issues in abandoned information systems development projects. Commun ACM (1997)
  • B. Farbey et al. How to assess your IT investment: a study of methods and practice (1993)
  • G.I. Green et al. After implementation what's next? Evaluation. J Syst Manage (1983)
  • C. Hasting. The new organization: growing the culture of organizational networking (1993)
  • A.C. Hax et al. The strategy concept and process: a pragmatic approach (1996)
  • L. Hitt et al. Productivity, business profitability, and consumer surplus: three different measures of information technology value. MIS Q (1996)
  • K. Hollaway. KPMG Highlights IT Project Failures
  • ING Investor Relations. IT investment and shareholder return
  • ITGI. Board briefing on IT governance. Information Technology Governance Institute
  • ITGI. IT governance executive summary. Information Technology Governance Institute
  • ITGI. IT strategy committee. Information Technology Governance Institute
  • ITGI. IT control objectives for Sarbanes–Oxley and board briefing on IT governance. Information Technology Governance Institute
  • ITGI. Enterprise value: governance of IT investments, the Val IT framework (2006)
  • A.M. Johnson et al. The effect of communication frequency and channel richness on the convergence between chief executive and chief information officers. J Manage Inf Syst (2005)
  • J. Kaplan. Strategic IT portfolio management: governing enterprise transformation (2005)