IT governance defined
In this section, a short literature survey will be conducted. The results will be presented in a final comparative table. Before starting defining IT governance it necessary to make some remarks:
- IT governance is not a just trendy word. As explained before: IT governance matters.
- IT governance is not (only) a regulatory compliance.
- IT governance is not IT management.
- IT governance is not only for IT people.
- IT governance does not have one universal accepted meaning or definition.
Different scholars investigated the concept of IT governance and they created a rich literature on this field, however, a common definition is missing. The goal of this section is to review the most important definitions and to present a short overview to the reader (see table 2). To create this overview, literature with the keyword "IT governance" was searched in the data base EBSCO which was used to extract IT governance definitions from peer review journals during the years 2006-2011. By considering that period, possible new definitions of IT governance that have been published after the popular book of Ross & Weill (2004) might be included in this survey. In total, 40 publications were found and 16 relevant academic articles were identified and surveyed from the available articles. These 16 publications were selected because they deal explicitly with IT governance topics. For comparative purposes, the ISACA website and Google Scholar were consulted in the search of different concepts or definitions.
This literature survey from EBSCO shows that many popular IT governance concepts appear in the academic journals. Across the 16 papers, IT governance concepts were applied alone or in combination with another IT governance definition. Moreover, two papers deal with IT governance topics but do not deliver/contain/apply any precise/partial definition. Table 1 shows all the definitions found in EBSCO. Many definitions already found in EBSCO reappear in Google Scholar and on the ISACA website. Table 2 shows the source of the definitions found in EBSCO and their frequencies. In order to enrich this analysis, the widely cited definition of Luftman (2003) found in Google Scholar has been included in Table 1 and Table 2.
Table 1: Definitions of IT governance
|
Author and sources
|
IT governance definition
|
|
Ross & Weill (2004). It appears in: Google Scholar, EBSCO
|
"specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT"
|
|
Van Grembergen (2004).It appears in: Google Scholar, EBSCO
|
"IT governance is the organisational capacity exercised by the board, executive management and IT Management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT"
|
|
Webb (2006).It appears in: Google Scholar, EBSCO
|
"IT governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management."
|
|
Board Briefing on IT governance 2nd Edition. It appears in: ISACA
|
"IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organization's IT sustains and extends the organisation's strategies and objectives."
|
|
ISO 38500 (2008).
It appears in: EBSCO
|
"The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
|
|
Luftman (2003). It appears in: Google Scholar
|
"IT governance is the term used to describe how the processes and authority for resources, risk, conflict resolution, and responsibility for IT is shared among business partners, IT Management, and service providers. Project selection and prioritization questions are included here."
|
Table 2: Frequencies across the 16 papers from EBSCO
|
Definition
|
Frequency
|
Definition found in
|
|
Board Briefing 2nd Edition (2003)
|
7
|
Edephonce & Nfuka (2011); Bart & Turel (2010); Simon, Poston, Kettinger (2009); Merhout & Havelka (2008); Syaiful Ali (2006); Posthumus, Solms, King (2010)
|
|
Grembergen et al. (2004)
|
6
|
Simonsson, Johnson, Ekstedt (2010); Butler & Butler (2010); Posthumus, Solms, King (2010); De Haes & Grembergen (2010); De Haes & Van Grembergen (2008); Merhout & Havelka (2008)
|
|
ISO 38500 (2008)
|
1
|
Turel & Bart (2010)
|
|
Ross & Weill (2004)
|
2
|
Xue, Liang, Boulton (2006); Heart, Maoz, Pliskin (2010)
|
|
Webb et al.(2006)
|
1
|
Heart, Maoz, Pliskin (2010)
|
|
Defintion is not specified.
|
2
|
Wilkin & Chenhall (2010);Tanriverdi (2006)
|
In table 3, definitions are explored and compared in an agnostic way. Three comparative categories are added the "what", "who" and "how" of IT governance. The "what" refers to question: what is the goal of IT governance? The "who" deals with roles and responsibilities and it is connected with the question of who is responsible or accountable for IT governance? The "how" deals with the elements which make IT governance possible. The "how" category is associated to the question: what are the elements that ensure IT governance? (elements of the "who" category are excluded in the "how" category).
Table 3: General aspects of the definitions
|
Author and source
|
What
|
Who
|
How
|
Special elements of the definition
|
|
Ross & Weill (2004)
|
X
|
X**
|
X
|
"Desirable behaviour"
|
|
Van Grembergen (2004)
|
X
|
X
|
X**
|
IT governance as "an organizational capacity"
IT management is also responsible for IT governance
Control the formulation and implementation of IT strategy
|
|
Webb (2006)
|
X
|
-
|
X
|
Performance management, risk management, control
|
|
Board Briefing on IT governance 2nd Edition
|
X
|
X
|
X
|
Leadership
|
|
ISO 38500 (2008)
|
X**
|
-
|
-
|
IT governance as a system
|
|
Luftman (2003)
|
X
|
X
|
X
|
Resources, risk, conflict resolution, business partners, IT Management, service providers
|
** Not explicit in the definition, but information is implied in the author's paper or book.
All these six definitions focus have as goal the alignment of IT with the business. However, some relevant differences exist between them. With respect to roles and responsibilities, Luftman (2003), Board Briefing 2nd Edition (2003) and Ross & Weill (2004) do not mention in their definition, at least explicitly, the multiple stakeholder nature of IT governance. For instance, the Board Briefing 2nd Edition (2003) delegates the official responsibility to board members and executive management. In the case of Luftman (2003), some stakeholders are explicitly included such as business partners, IT Management, and service providers, however, other relevant players such as executive managers are not mentioned. Beyond the explicit content, it should be stated that all definitions implicitly include different roles or stakeholders in their related literature. Additional elements come to light among the definitions. The Board Briefing 2nd Edition (2003) advocates for "leadership" and "processes" to ensure IT governance. Luftman (2003), ISO 38500 (2002) and Van Grembergen (2004) include the word "control" or "monitor".
In order to formalize this comparison, definitions will be evaluated with formal and specific academic concepts such as "business/IT alignment", "structures", "processes", "relations", and "control". Business/IT alignment means that the IT is in harmony with the business. Business/IT alignment is not an easy task and organization need formal methods or frameworks to be successful. Many model and tools for Business/IT alignment exist, for example, the enhanced SAM model by (Maes 1999) which is an extension of the popular SAM by Henderson & Venkatraman (1993). A brief description of these models is available in appendix 7.
Beyond "Business/IT alignment", other concepts need an introduction for the comparison. The word "structure" refers to decision making rights and responsibilities as well as their relevant contingent archetypes; for example IT duopoly or IT monarchy (Ross & Weill 2004; Brown & Grant 2005). The term "process" refers to strategic IT decision making, monitoring and controlling (Van Grembergen 2004). The concept of relations "include business/IT participation and partnerships, strategic dialogue and shared learning" (Van Grembergen 2004). In the context of IT governance, IT control can defined as a set of policies, procedures and practices that assurance a good functioning of IT governance (CobiT 4.1 2007; Webb 2006). Furthermore, IT should be clear stated that achieving good functioning IT governance is not only about compliance but also about business value (Bloem et al. 2005).
Table 4: Elements of IT governance
|
Important elements of IT governance
|
Ross & Weill (2004)
|
Van Grembergen (2004)
|
Webb (2006)
|
Board Briefing 2nd Edition (2003)
|
ISO 38500 (2008)
|
Luftman (2003)
|
|
Business/IT alignment
|
yes
|
yes
|
yes
|
yes
|
yes
|
yes
|
|
Structures
|
yes
|
yes
|
partially
|
yes
|
-
|
partially
|
|
Processes & relations
|
-
|
yes
|
-
|
yes
|
partially
|
yes
|
|
Control
|
-
|
yes
|
yes
|
yes
|
yes
|
-
|
* "yes" means covered "and "partially" refers to partially covered.
Elements from Table 4 and other foundations from the IT evaluation field will be combined to create an integrative IT governance definition:
An IT governance system embraces the introduction and oversight of structures, processes and relations in order to create business value.
This definition is supported by the following comments:
- "An IT governance system" refers to the systems theory idea that any system can be defined as "a collection of elements connected in such a way that no elements are isolated from other elements" (De Leeuw 1990).
- "Structures", "processes" and "relations" refer to the concepts already defined in this section.
- "Oversight" refers to control mechanism of the system.
- "Business value" is determined by all financial and non-financial consequences- thus not only benefits (Renkema & Berghout 1997). See composition of the term "value" in table 5 below.
Table 5: Financial and non-financial consequences (Renkema & Berghout 1997)
|
Consequences
|
Positive
|
Negative
|
Summation
|
|
Financial
|
Returns
|
Costs
|
Profitability
|
|
|
Cash inflow
|
Cash outflow
|
Cash result
|
|
Non-financial
|
Positive contribution
|
Negative contribution
|
Non-financial contribution
|
|
Financial and non-financial combined
|
Benefits
|
Burdens
|
Value
|