The emergence of IT Governance
The cases of Enron, Worldcom and other corporate and financial scandals in the early years of the century have raised the significance of corporate governance and control. Regulatory environments have been formed with quite distinctive characteristics, depending on the needs of each country and the needs of specific industries. The implementation of the controls required by regulations such as Sarbanes-Oxley for publicly listed organisations in the U.S. and Basel II for European banks relies heavily on IT. That dependency, combined with the required controls on IT itself, has forced top-level executives to look towards the proper management and governance of the information and communication technologies that power their organisations.
At the same time, the high percentage of failed IT projects, ranging between 60% and 90% depending on the definition of failure, has alarmed many executives, who see their resources wasted on failed projects that are then followed by more failed projects. Clear decision processes and proper project management aiming at efficiency and effectiveness are the obvious answers to the problem, and both point directly to IT Governance.
The high cost of IT investments, which is more than half of the annual CAPEX for most organisations, calls for control, accountability and risk management, not to mention cost reduction. Information security, industrial espionage, regulations for the confidentiality of the data and the privacy of employees and customers, are all gracefully handled by a proper IT Governance structure.
These are only some of the reasons that have led quite a few organisations worldwide to add IT Governance to their board agenda.
The status in Greece
Greece has control regulations for specific industries only, such as telecommunications, an industry largely affected by the Hellenic authority for communication security and privacy. Other industries are affected by pan-European control regulations, such as the banking industry, which needs to comply with MIFID and Basel-II alongside the directives issued by the Bank of Greece. Finally, just a few companies are listed on foreign stock exchanges, such as the NYSE-listed PTT, and are subsequently affected by the SOX act.
Nevertheless, although the environment in Greece is complex, and the IT infrastructure is no simpler than any other country's, there is no published empirical academic research on the status of IT Governance in Greece. Even surveys that are conducted across wider geographical areas rather than in a specific country do not usually include Greece, probably because it is a small market. The only data that has been found are some papers mentioning the benefits of IT Governance, as taken from international practice; that data, though, is not adapted to local needs and circumstances.
This research, titled "IT Governance in Greece: Status, Drivers and Barriers", aims to evaluate and present the IT Governance related practices in Greece: what percentage of Greek companies are using IT Governance frameworks and best practices, which is the preferred framework between the two prevalent ones (ITIL and CobIT), and which decision model is selected by the companies that employ IT Governance. An attempt will be made to find any relationships between these results and the size of the organisation or the size of the IT department. The reasons for which Greek organisations choose to implement or not implement an IT Governance framework will also be linked to that data, and outsourcing strategies, which are known to require careful governance, will be evaluated. For the organisations that choose not to implement a formal governance framework, the barriers to implementation will be analysed, as well as the potential good practices which do not constitute a framework but nevertheless help the prudent governance of an organisation's IT assets and resources.
The research questions that are expected to shed some light on the main areas of the status of IT Governance in Greece are formulated as follows:
- The penetration of ITIL and CobIT in Greece as IT Governance frameworks
- Which are the most common factors that prevent or delay the acceptance and deployment of an IT Governance framework (barriers)?
- Which are the most common reasons that led organisations to deploy, or plan the future deployment of an IT Governance framework (drivers)?
- Which (if any) are the management methods used if a full IT Governance framework is not deployed?
The author has followed a career path in Information Technology for the last 15 years, acquiring positions of increasing responsibility. In alignment with that career path, the MBA was considered a good choice, providing a broader view of all areas of management such as organisational behaviour and culture, human relationships, finance and marketing, strategy and implementation. The subject of this dissertation combines the two worlds, that of management and that of information technology, giving a more thorough and business-oriented view of the author's subject of work. Beyond the obvious curiosity that is created by the lack of data in the Greek market in which the author lives and works, there has always been an interest in IT Governance, IT management and risk management, and this dissertation comes to cover at least some of these areas.
Structure of the dissertation
The rest of the dissertation has a typical structure; the introduction that was just provided constitutes chapter one.
Chapter two provides a review of the existing literature and previous studies on IT Governance; that should form the basis for the research that was necessary for this dissertation.
Chapter three analyses and justifies the methodology that was used for the sampling, the data collection and data analysis methods that were selected. This chapter also presents and analyses some limitations related to the methodology, and presents the ways in which these limitations may affect the data analysis and the conclusions.
Chapter four is the data analysis, in which all data that were collected are analysed and presented, relations are drawn and comparisons to findings from previous research are performed in order to fully answer the research questions set in this dissertation.
Chapter five draws on the conclusions of the previous chapter. It summarizes the research objectives, the findings and the implications of the results. Generalization issues and data validity are further discussed. This chapter also provides recommendations for future studies, identifying details that were not included in this survey and questions that have emerged from the results of the current dissertation. Finally, this chapter reflects on the dissertation, assessing the weaknesses of the work performed and the obstacles faced; it also identifies the areas in which the author has gained knowledge and experience.
A literature review is vital to any research project, in order to collect, present and critically analyse what is already known about the subject under research. The evaluation of previous research leads to a better understanding of the subject, of the areas of consensus between academics and practitioners, and of the points of conflict and potential gaps.
To answer the question of the status of IT Governance in Greece, an attempt will be made to explain the term "IT Governance" and clarify any misconceptions regarding IT Governance and IT Management. The different types of IT Governance models that have been developed in the past, along with the key roles in IT Governance, will be identified, presented and compared.
The necessity for IT Governance as suggested in the literature will be evaluated, and the most commonly mentioned benefits and implementation barriers will be presented, in order to serve as potential answers to the questionnaire of the research. Previous reports on management methods that may be used instead of a full framework implementation will also be evaluated for the same reasons.
The definition of IT Governance
IT Governance is a subject that has gained significant focus in recent years. As a term, IT Governance has too many definitions in the literature (Buckby, Best and Stewart, 2009; Lee and Lee, 2009; Lee, Lee and Lee, 2009). Simonsson and Ekstedt (2006) tried to find a common definition across 60 different related articles, and came up with yet another definition, which includes many of the previous ones.
The definitions used by researchers depend on their view of what IT Governance can offer to an organisation. IT Governance is sometimes perceived as a framework or a process for auditing the use of the IT infrastructure and operations. At other times it is perceived as an IT decision-making tool which allocates the decision rights in order to encourage predictable behaviour in the use of IT, while for others IT Governance is a branch of corporate governance focusing on the control and the strategic view of IT (Musson, 2009). Quite a few have used definitions that mix and match more than one of these views, such as Peterson (2004), Higgins and Sinclair (2008) and Simonsson and Johnson (2007).
A definition that is, in the author's opinion, quite clear and inclusive, is the following:
"IT Governance is a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization's IT supports and enables the achievement of its strategies and objectives." (Calder, 2007)
Lee and Lee (2009) link IT Governance with Corporate Governance. They suggest that IT Governance is a mix of Corporate Governance and IT Management, meaning that IT Governance addresses the transparency and control that corporate governance focuses upon, and the efficiency and effectiveness that IT management aims at. IT Governance as part of corporate governance is also suggested by Peterson (2004), Bhattacharjya and Chang (2009), and O'Donohue, Pye and Warren (2009).
Several researchers have pointed out that IT Governance is not the same as IT Management. The former refers to the definition of who has the rights for major decision making, while the latter refers to the actual making of the decisions and the implementation itself (Broadbend, cited in Buckby et al., 2009; Calder, 2009; Sambamurthy and Zmud, 1999; Toomey, 2009; Van Grembergen and De Haes, 2009).
Regarding the subject and scope of IT Governance, the IT Governance Institute suggests five distinct but interacting domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Management.
The need for IT Governance
The need for IT Governance has not been extensively debated; almost everybody agrees that the proper governance of IT is necessary. The reasons provided to support this argument vary, though, and organisations do not seem to have been persuaded by that position.
A quite common reason provided to support the necessity of IT Governance is the increased complexity of the IT infrastructure that is caused by the amount of data that an organisation holds, and the role of this information (Laplante and Costello, 2006). IT is not only complex, but it also has its own fast-changing and unique conditions; as such, the need to apply sound management disciplines and controls is even greater (NCC, 2005).
Risk management is one more reason for IT Governance. Risk is caused by the growing dependency of organisations on IT resources, which should not be neglected; the percentage of companies that are vitally dependent on IT for their continuing operation was over 75% in 2004 (KPMG, cited in Musson, 2009). That dependency makes the potential unavailability of IT-based services a significant problem for organisations such as banks and hospitals. The lack of availability is not the only danger caused by that dependency; cyber crime, fraud and information inaccuracy are just a few more issues that need proper identification and management (Van Grembergen and De Haes, 2009).
Instead of implementing IT solutions, the focus now has shifted to changing the business processes, to be enabled by IT. The solutions implemented are generally more complex due to this shift, and subsequently there is a greater risk with the implementation of IT-enabled business processes (Higgins and Sinclair, 2008). From the management perspective, that dependency means that management needs to be more aware of the critical IT risks, and to be assured that they are adequately managed (NCC, 2005).
High organisational performance is another reason found in the literature, although that one is debatable. Liew believes that IT Governance can ensure proper measurement and preservation of an achieved performance (cited in Bhattacharjya and Chang, 2009); nevertheless, Young has pointed out through a literature review that there is no convincing evidence that superior business performance is a result of any IT Governance guidelines (Young, 2006).
Typically, IT investments are significantly high. They account for over 50% of the average organisation's annual total capital investment (Baschab and Piot, 2007; Carr, 2003; Weill and Woodham, 2002); as such, their management in a responsive, effective and efficient way is usually a requirement that should be set by the management board. On the monetary side, cost optimisation of IT projects and service delivery is also considered an important issue by several researchers (Bhattacharjya and Chang, 2009; Fairchild et al, 2009; Menken, 2009; Peterson, 2004).
The amount of money spent is important, but the need for the enterprise's investment in IT to be in harmony with its objectives is usually considered more significant (Buckby et al, 2009). This is called Business-IT Alignment, which is quite an old issue; several studies from the mid-80s have focused on the alignment of IT operations with the business objectives (Brown and Magill, 1994). Some researchers do not agree with the need for Business-IT alignment at all (Sillince and Frost, 1995). Koh and Maguire (2009) also suggest that Business-IT alignment may be the wrong strategy for smaller businesses, which may be agile enough to change course quickly following new ICT arrivals in the business. They also mention that Venkatraman questions the logic behind alignment; nevertheless, this is a false interpretation of Venkatraman's study, which clearly states that IT needs to support the business logic. Carr (2003) has written one of the most controversial articles on the issue, stating that IT is not able to provide the competitive advantage that organisations need. Laplante and Costello (2006) make clear that they do not agree with that view, while Harris, Herron and Iwanicki (2008) take the opportunity to provide metrics on the value that IT can provide, instead of just dismissing Carr's argument.
According to a different school of thought, Business-IT alignment has been identified as a significant management concern (Brown and Magill, 1994; Cameron, 2007; Kashanchi and Toland, 2006; Silvius, 2007) and effort is put into identifying the potential benefits of Business-IT alignment. In fact, a recent study by Nash (2009) proves a positive correlation between firm-level sales and the so-called Strategic Alignment Maturity, i.e. the maturity level of the business-IT alignment.
If Business-IT alignment is considered something that organisations want to achieve, it is yet another reason to exercise governance of IT. The relationship between IT governance and Business-IT alignment has been proven (BMC Software, 2007; Musson and Jordan, 2006). Additionally, IT governance is strongly suggested by researchers as the best option for maintaining the alignment of IT with the continuously evolving organisational needs (Cameron, 2007; Harris et al, 2008; Pultorak, 2006; Sambamurthy and Zmud, 1999).
Although Business-IT Alignment is a common issue, it puts IT in a passive role; it makes it a follower. Proper governance can transform IT from a follower to a leader; IT is able to set the business agenda and partially affect the organisation's strategic objectives (Addy, 2007; Baschab and Piot, 2007; Weill and Woodham, 2002).
Research by NCC (2005) has identified a potentially widening gap between what IT departments think the business requires, and what the business thinks the IT department is able to deliver. This can be addressed by IT Governance, through which an organisation-wide view of IT may be generated and promoted (Laplante and Costello, 2006; Weill and Woodham, 2002). That means that IT should have a thorough understanding of, and participate in, the improvement of business processes and their interdependencies. The other way round is also important, i.e. organisations need to obtain a better understanding of the value delivered by IT, both internally and from external suppliers. Measures are required in business (the customer's) terms to achieve this. Key elements for that understanding include the enterprise-wide view of the IT budget (Addy, 2007; Weill and Woodham, 2002).
One more reason found in the literature to promote IT Governance is compliance with regulatory requirements. Specific legislation and regulatory requirements, such as the Sarbanes-Oxley Act (SOX), almost dictate the use of an IT governance framework (Buckby et al., 2009; Higgins and Sinclair, 2008). Others, such as HIPAA (Health Insurance Portability and Accountability Act) and Basel-II, do not dictate, but certainly describe an IT Governance framework through their requirements for accountability on investments, information security and assurance, risk management and decision processes (Harris et al, 2008; Higgins and Sinclair, 2008; Pultorak, 2006; Network Frontiers, 2008; NCC, 2005; van Grembergen and De Haes, 2009).
Yet another commonly stated key benefit of proper IT Governance is clear and transparent decision making regarding IT resources (Baschab and Piot, 2007; Brown and Grant, 2005; Lee and Lee, 2009; Tshinu, Botha and Herselman, 2008). The lack of clarity and transparency in the decision-making process can lead to reluctance to take risks, and subsequently to failure to seize technology opportunities (NCC, 2005). Separate decision processes followed by IT and the business may mean that there is not enough shared ownership and clarity of resources, which also means that there may be a lack of accountability.
IT Governance models
Although IT Governance sets the decision-making process, it does not define who decides. IT Governance decision authorities may be structured in different models, depending on the organisation. The three prevailing ones are the centralized, decentralized and federal (hybrid), according to their modes of distributing authorities and responsibilities for decision-making (Brown and Magill, 1994; Fairchild et al, 2009; Peterson, 2004; Sambamurthy and Zmud, 1999), while the pair of centralized / decentralized may also be found as the only choices (Laplante and Costello, 2006; Robb and Parent, 2009).
Ross and Weill (2002) and Cameron (2007) expressed a quite strong preference for the centralized IT Governance model, i.e. decisions being made centrally, but Ross and Weill revisited that view in 2004; they suggested that there are six (6) archetypes / models of IT Governance, on 5 different IT domains. From more centralised to less centralised, they identified Business monarchy, IT monarchy, Federal, IT Duopoly, Feudal and Anarchy. The two monarchies are quite clear, meaning that Business or IT respectively has the major responsibility for decisions. Anarchy is quite clear as well, meaning that there is no standardization. Federal and IT duopoly involve business executives and IT executives in the decision-making process, with federal giving more power to the business than IT duopoly. Finally, the feudal archetype brings the decision level down to business units or processes. The IT domains on which decisions need to be made are: IT principles, such as funding and the role of IT in the business; IT architecture, which refers to the identification and development of the core business processes of the enterprise and related information; IT infrastructure; business application needs, such as the owner of the outcome of each project; and IT investment and prioritization. That model classification from Ross and Weill is unique; as stated earlier, most other researchers have selected a simpler classification scheme.
Ein-Dor and Segev (cited in Tavakolian, 1989) found that the revenue of the organisation is positively related to centralized IT Governance, but that there is no relation between the governance model and the size of the organisation. There is empirical proof that a link exists between the IT structure and the organisational competitive strategy; conservative organisations are more centralised than aggressive ones (Tavakolian, 1989). These results are supported by more recent research with consistent findings; Weill and Woodham (2002) and Weill and Ross (2004) found that top-performing firms on profit were mostly centralized, while top performers on growth were mostly decentralized. A link between the organisation's industry type and the level of de-centralization of IT Governance has not been found (Ahituv et al, cited in Brown and Grant, 2005).
It has to be noted that the model of IT Governance in an organisation may also be "dictated" by external factors, such as SOX which promotes a centralized IT Governance model, while Australian governance frameworks (mainly, AS 8015) drive the organisations towards a de-centralized IT Governance model (Robb and Parent, 2009).
IT Governance Frameworks
Information Technology Infrastructure Library
The Information Technology Infrastructure Library (ITIL) is a framework of best practices for IT Service Management. It is comprised of five books which focus on five different aspects of IT Service Management and Service Lifecycle:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
Each one of the books defines a set of processes such as IT Financial Management, Supplier Management, Change Management, Incident Management and Service Measurement and Reporting; a total of 23 processes are defined, with a set of actions and roles required for each process.
The definition of several of the processes and the subsequent roles is consistent with the IT Governance definition we used earlier; nevertheless, a large number of the defined processes, such as event management and validation and testing, are much more focused on management than on governance. Compared with the other two frameworks, CobIT and ISO/IEC 38500:2008, ITIL is considered to be the framework that is closer to service management than to control, and it has a narrower scope than CobIT (Van Grembergen and De Haes, 2009; Simonsson and Ekstedt, 2006; Simonsson, Johnson and Wijkström, 2007; Sallé, 2004; McBride, 2009).
That focus of ITIL on service delivery and management was more obvious in version 2, which did not address issues such as Risk Management, Performance Monitoring and IT Governance (generic strategic direction and alignment) at all. As such, it was mostly perceived as a framework for service desk management. Although the effectiveness of ITIL version 2 in aligning IT with business objectives has been repeatedly pointed out (BMC Software, 2007; Harris et al, 2008; Pultorak, 2006) and even experimentally proven (Kashanchi and Toland, 2006), it was never the primary driver for ITIL adoption. A survey conducted by Bruton Consultancy for the Helpdesk Institute Europe (now renamed as Service Desk Institute) on the value that ITIL has brought to companies that have implemented it indicated that the contribution of ITIL to the business strategy was not even considered as an issue by the majority of the respondents (70%). The same holds for the perception of the participants on the competitive advantage that may be provided by proper IT management through ITIL. More than half (66%) responded that this was not considered in the decision for ITIL implementation (Bruton, 2005).
With version 3, ITIL gained a broader scope than version 2 and added significant emphasis on business strategy. That change led some IT management consultants to declare ITIL version 3 inappropriate for helpdesk and service management processes (Bruton, 2007), which is not strange, since version 2 focused on processes while version 3 focuses on Business Value (Harris et al, 2008).
Beyond the "not strategic enough" type of criticism, ITIL has also been criticised as a flawed and uneven framework. Dean Meyer identifies pitfalls in its implementation; nevertheless, he also states that it is an implementation issue and not a framework issue (Meyer, 2009 - web site). ITIL has also been characterized as too generic a framework, which is not able to provide value if used off-the-shelf without significant adaptations (Baschab and Piot, 2007), an unfair criticism as ITIL is promoted as a set of best practices, not as a complete, fits-all framework. This concession should invalidate yet another criticism raised by Simonsson (2008), the lack of a maturity model. Another criticism of ITIL is that the documentation is not free (Bhattacharjya and Chang, 2009). That is a valid point; nevertheless, the cost of the books is quite low for companies (less than £400 for the whole set). Other criticisms include the stifling of the creativity of those who implement it, and that it becomes a goal in itself with a heavy administrative burden (Addy, 2007). All these points are valid, but they can be attributed to the extension of ITIL.
Control Objectives for Information and related Technology
Control Objectives for Information and related Technology (CobIT) is a control framework developed by the IT Governance Institute. CobIT defines processes and controls, and groups activities into four domains:
- Plan and Organise
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Each domain contains a set of processes, 34 in total, and each process defines specific controls, which sum up to 210 for all processes. CobIT defines inputs and outputs, as well as a maturity model for each process, making the control of compliance a very easy task. RACI (responsible, accountable, consulted and informed) charts are also provided, drawing a clear guideline on who should be involved in every process step. Goals and metrics, in the form of outcome measures (key goal indicators - KGIs) and performance indicators (key performance indicators - KPIs) respectively, are also provided, mapping business goals to IT goals, which can be achieved by one process or by the interaction of several processes.
CobIT is generally used where there is a need for auditing functions, in comparison with ITIL, which is better suited to operational process improvement (O'Donohue et al, 2009). In contrast to ITIL, CobIT has extensive documentation available free of charge, including the framework itself and several case studies. Several implementation documents though are only available for purchase, such as CobIT Quickstart, while others are available free for ISACA members or for purchase for non-members such as Security Baseline and User Guide for Service Managers.
Several consultants and practitioners criticise CobIT for stating only the obvious, for being very high level, and for being only a generic framework that does not provide specific and repeatable implementation steps (Culmsee, 2009; Toigo, 2005). This is not a common view, as others find CobIT to be quite prescriptive (Pultorak, 2006; Robb and Parent, 2009). That may be explained by the fact that although the CobIT framework itself is indeed high-level, a different publication is provided by ISACA, named "CobIT Control Practices", which is quite prescriptive. Academics criticise CobIT as providing little support for improved decision making, although many metrics are defined (Simonsson and Johnson, 2006). Others state that CobIT is expressed almost entirely in terms of process, focusing on how to govern but not what to govern (Lee et al, 2009). Another criticism states that CobIT is significantly more focused on auditing, largely ignoring other aspects of governance such as software development and service delivery (NetFrontiers, 2005). CobIT is also characterized as a framework that needs significant knowledge and know-how for a successful implementation (Simonsson et al, 2007), and that takes time to introduce solid IT Governance (Rogers, 2009), although the opposite would be strange, given the wide area of processes and functions that CobIT addresses.
Finally, while ITIL is known as the framework that guides you on how to get where you want to be, CobIT merely focuses on where you should be; that may be good or bad, depending on one's point of view and needs.
ISO / IEC 38500:2008
The "International Organization for Standardization" (ISO) attempted to solve the confusion between IT Management and IT Governance, and at the same time provide guiding principles on IT Governance, in the recently published ISO/IEC 38500:2008.
Because ISO/IEC 38500 establishes principles to guide the behaviour of organisations, it complements frameworks that focus on process, such as ITIL and COBIT. Thus, with the right frameworks or processes, complemented by the right behaviours, organisations are more likely to establish highly effective systems of governance. After all, it has been stated that ITIL and CobIT are not mutually exclusive; they are rather complementary, and organisations will probably benefit from a mixed approach, adopting from the two frameworks what is more applicable in every case (Chickowsky, cited in Bhattacharjya and Chang, 2009). ISO/IEC 38500 can also be combined with these two, and ITGI has even issued a specific document demonstrating how and which specific CobIT and ValIT controls support the adoption of the standard's principles and implementation approach. Nevertheless, ISO/IEC 38500:2008 is too recent to be evaluated. As of the time of conducting this research, there is not enough information on the implementation, benefits or drawbacks of ISO 38500:2008.
Common drivers for IT Governance implementation
While the need for IT Governance has been well described, the benefits sought, i.e. the reasons for the implementation of an IT Governance framework, vary, sometimes depending on the point of view of the observer.
As drivers, we consider the motivating factors which may lead an organisation to the implementation of an IT Governance framework.
For IT Managers, IT Governance is a mechanism for the alignment of IT with the business on the projects that are going to be pursued. For IT Auditors, it is mainly a control mechanism that can help them achieve compliance with regulations and better manage the risks that are related to IT projects. For IT Service management professionals, IT Governance ensures not only that the IT services offered are aligned to the current and future business needs, but also that they are managed for efficiency, effectiveness and specific quality objectives (Pultorak, 2006).
Recent surveys have indicated that the most important benefits expected from the implementation of an IT Governance framework are proper risk management, the resource management of IT, the performance measurement of IT and business-IT alignment. Alongside these, cost reduction, productivity improvements and an organisation-wide view of IT are commonly mentioned (ITGI, 2008; BMC Software, 2007; Milne and Bowles, 2009; Yanosky and McCredie, 2007). Some industry-specific drivers are also found, such as the collection of community input for educational services.
The order of significance varies, and is found to be significantly related to industry and the chosen framework, despite the fact that neither the organisation's industry nor its size significantly affects the business value that may be achieved from ICT Governance (Buckby et al., 2009).
Common barriers to IT Governance implementation
As barriers, we define the factors that may delay or postpone the implementation of an IT Governance framework, or make it an option that is not suitable for an organisation.
IT Governance is sometimes regarded more as a cost burden than a strategic asset to the business, especially for small and medium enterprises, while for larger ones the benefits are more obvious (O'Donohue et al., 2009).
Recent research surveys have indicated several barriers to an IT governance implementation. The most common ones are the available budget and the justification of the expected return on investment, meaning that the benefits of IT-business alignment are not clear. That leads to yet another commonly stated reason: the lack of knowledge and understanding of IT governance. Staffing issues, insufficient planning and lack of top management support are mentioned to a lesser extent (ITGI, 2008). The culture of the organisation is usually considered a barrier to implementation; informal organisations are not supposed to be able to support, or accept, such a framework. An IT Governance framework requires participation from several parties - business units, and careful coordination of the rollout project; the lack of any of those can hinder the implementation project and decision (Yanosky and McCredie, 2007). The implementation of an IT Governance framework is usually a significant change to an organisation's structures and processes. As such, all problems related to change management apply to that change too: lack of commitment from key individuals, insufficient skill development and training, cultural barriers, and resistance to change from personnel and the business may lead the project to failure if not properly managed (Peterson, 2004).
IT Governance implementation details
For successful IT Governance, literature refers to several mechanisms, benchmarks and bodies.
The IT strategy committee consists of board members and is responsible for providing insight and advice to the board of directors on all IT strategy issues, assuring that IT Governance is adequately addressed as part of IT Governance (NCC, 2005; ITGI, 2009). The IT steering committee consists of high-level executives, representatives from multiple divisions or functions, and has the task of linking IT and business strategies by setting strategic directions that match the corporate needs to the technology potential. The IT steering committee may also include external stakeholders such as consultants and vendors, as its role is advisory (NCC, 2005; Peterson, 2004). Although these two committees are often mentioned separately, Rau questions the need for two separate entities, pointing out that this separation is only achievable by either very large or very IT-dependent organisations (Rau, 2004). On the other hand, Meyer suggests that the steering committee is usually ineffective if used on its own, because it serves many roles. He suggests what most companies do: a systemic model using several controls, with oversight (performed by appropriate committees) being just one such control.
An equally important factor is the clear and unambiguous definition of decision authorities (Meyer, 2004). Clark (2005) identifies five key governance decisions: the way that IT will create value for the business, the way to build shared services, the technical guidelines and standards that will be used, the applications that are needed, and the amount that needs to be invested and the prioritization of that amount. That list includes all three strategic decisions suggested by Ross and Weill (2002) and even adds some, but ignores the decisions that are of an execution nature: the quality level of the IT services required and the risks that will be accepted on security and privacy, as well as the identification of the people who are responsible for failed IT initiatives.
An established risk management process is also considered important for the success of IT Governance, mainly towards the risk management goal (ITGI, 2008; Pultorak, 2006).
These committees and mechanisms are complemented by systems. Corporate communication systems may increase the awareness of business and IT of the importance of the other's perspective, thus smoothing potential conflicts (Ali and Green, 2007; ITGI, 2009); other communication methods found in the literature include the designated IT business relationship manager (Milne and Bowles, 2009). Significantly more important, though, are the performance measurement systems, which provide management with metrics, and analyses based on these, of how IT is performing in current operations, based on the idea of "if you can't measure it, you can't manage it" (Salle, 2004; Baschab and Piot, 2007).
Although the value that will be generated by proper and formal IT Governance will be delivered to the business, the IT division is usually the leader and champion of IT Governance; a somewhat strange fact, but not a unique one, as the same leading role was assumed by IT in the era of business process re-engineering (Cater-Steel, 2009). Research has proven that CIOs are mostly the ones championing and driving the IT Governance project, although that role may also be assumed by CEOs and/or other higher-level executives, but much more rarely by IT (non-executive) managers (ITGI, 2009; Yanosky and McCredie, 2007).
Other IT Governance and management options
Six Sigma is a methodology that was developed by Motorola. Initially used as a defect control tool, it is nowadays used as an improvement measurement tool in several IT departments and is considered a quality management method (Menken, 2009; Pultorak, 2006).
It is not mutually exclusive to ITIL or CobIT, as there are reports of implementation of both frameworks, ITIL and Six Sigma.
It is sometimes called an IT Governance Framework (Higgins and Sinclair, 2008), although it is more a management tool than a complete framework. It does not have a maturity model and can only be applied to existing processes that need improvement, in comparison to ITIL and CobIT, which additionally provide process definitions.
Balanced scorecard provides, as its name states, a balanced view of the goals that have been set by the organisation. It is a good performance measurement tool, which can highlight Business and IT alignment, but it is too descriptive and high level if used as an overall IT Governance framework. In order to be used efficiently as a framework, its metrics need to be properly defined, and what should be measured should already be known to the company - a task that is not easy, since both CobIT and ITIL also define which processes need to be developed. Although Balanced Scorecards are not IT specific, several IT balanced scorecards have been developed by researchers and practitioners, and can be used as starting points.
Proper project management methodology has also been mentioned in the literature as a way to minimise risk and raise efficiency and effectiveness. Methodologies such as Prince-2 and PMP are widely used in the IT industry; nevertheless, they suffer from the same sins that balanced scorecards and Six Sigma do: they do not define which processes are required.
Smaller implementations of larger frameworks are also present in several organisations; ITIL small scale and CobIT Quick Start are the suggestions by OGC and ISACA respectively for organisations that are too small to implement ITIL and CobIT in full deployment, or do not consider IT to be a core strategic function, i.e. their business does not depend on IT. The usability of these two frameworks has never been evaluated academically, and their penetration in the industry remains unknown. On the other hand, implementation of selected processes and functions is not so rare; quite a lot of organisations have implemented a service desk process, incident management and event monitoring and management processes, while some of them use standardized (or not) key performance indicators (KPIs) to measure the performance of their IT function (Addy, 2007; Simonsson and Ekstedt, 2006; Pultorak, 2006).
Finally, a significant number of researchers point out the need for a formal communication method as an IT management tool, probably because the clear information exchange in requirements, results and incidents, is critical to Business - IT alignments (Rau, 2004; Fletcher, 2006; Peterson 2004).
In the methodology chapter, a presentation of the research methods chosen, as well as a justification for these choices, will be provided. The term research methods refers to the sampling of the data, the data collection methodology and the data analysis. Limitations and problems encountered during the process will also be presented and the decision and results of the pilot will be explained.
Justification of choice for Quantitative approach
By conducting a literature review on research methods, the author identified many advantages of a quantitative approach, relevant to the specific research. Objectivity is ensured by the standardised numerical format that makes the results directly comparable, reducing the potential bias of subjective interpretations (Aaker et al., 2001), and by the low possibility that the reviewer's personality affects the result (Hague, 2006). The research questions that are set focus on numbers and percentages. The goal is to identify the percentage of Greek companies that utilise IT Governance frameworks, which framework is the most preferred one and how much each of the common barriers and drivers (offered from a pre-defined list) has affected the decision for the implementation (or not) of an IT Governance project. All that data is strictly quantitative; as such, a quantitative analysis was considered the most suitable method.
Had the potential barriers and drivers not been indicated by prior data, qualitative analysis could, and probably should, have been used; that was not the case, since the literature review identified results from different surveys, of over 1500 total participants, providing the factors that were used as the set of possible answers. Another goal of the specific research was to compare the findings with similar previous research, and to devise correlations between IT governance status and other parameters such as outsourced functions, industry type and company size. Comparisons and correlations between variables are better served by a quantitative analysis, while similar prior research was conducted with quantitative methods.
Data collection methodology
Data collection was performed through self-administered questionnaires (SAQs). That method is known to minimize the interaction between the researcher and the respondents, and to maximize the objectivity of the research (Blaxter, Hughes and Tight, 2001).
SAQs in general may be sent and returned by email, by post or even posted on a website. They can be completed in one's free time, in contrast to interviews (either phone or face-to-face interviews) that require a specific time to be arranged between the interviewer and the respondents. Travel time and physical contact are not required for SAQs, so people from remote regions may be addressed (O'Lear, 1996). SAQs are considered more reliable than interviews, because every respondent gets the same set of instructions and the same questions in the same order and way. Finally, taking into account the workload of the researcher and the potential participants, a low-interaction method that would let the participants choose when they would participate was deemed the most appropriate one.
SAQs have some significant disadvantages too; they usually generate lower response rates when compared to other methods such as interviews (Anonymous, 2008); it is consequently crucial that as many people as possible are invited to participate. Closed questions limit the respondents' set of possible answers, so careful design is required in order to make sure that most common options are present. Even in that case, there is still the possibility that some answers that the respondents would like to choose may not be included in the set of possible answers. Misunderstandings of the questions may pose a problem since the researcher does not have the opportunity to provide clarifications, so in these cases, the questionnaire's proper design is of paramount importance and a pilot is deemed necessary. Finally, postal SAQs may have a high cost for printing and posting.
One of the most convenient forms of self-administered questionnaire, and the one chosen in the current research project, is the web-based model. Web-based SAQs provide some additional advantages: they may be anonymous, an option that may extend the comfort zone of the respondents, in an attempt to minimize the social desirability bias effect. They also have low requirements on resources and time. Time is saved in several stages of the process; there is no need for sending or hand-delivering the questionnaire to the potential participants, or for collecting the questionnaire either via post (postal delay) or personally. Time is saved not only for the researcher; the participants also avoid visiting post offices or finding post drop-boxes if stamped envelopes are delivered. Time is also saved because, with the proper use of a database or flat file for storage of the results, no data transcription is required and the data cleaning is minimized.
Web-based surveys offer various interaction methods; drop-down select boxes offer the possibility to present many more options than in a typical paper form. Client-side validation may enhance the reliability of the data, while branching and skip logic is significantly better when compared to paper forms (Davison et al., 2009). Web-based surveys have also been found to be cheaper than phone or mail surveys.
Disadvantages mentioned in somewhat older research on web-based SAQs include the probably limited respondent access to the internet, the computer or internet literacy, the speed of the connection and the different browser and computer specifications of the participants, all of which are irrelevant in the current research. Bertot and McClure (cited in Duffy, 2002) suggest a hybrid approach using web-based and paper surveys when a small portion of the population of interest has internet access. Nevertheless, the target group for this survey is highly IT literate, since 97% of organisations in Greece with more than 10 employees have a broadband internet connection (Anonymous, 2008). Additionally, most web-based survey sites are compatible with the majority of client configurations these days. The one selected (FreeOnlineSurveys) was tested and proved to provide full functionality in 3 different web browsers (Internet Explorer version 8, Mozilla Firefox version 3.5, Google Chrome version 3.0) in Windows-based operating systems (Windows XP and Windows Vista).
Apart from those irrelevant disadvantages, there are some valid arguments too. These include the possibility of mischievous responses, the respondent's perception of anonymity and confidentiality, and multiple submissions, either accidental or volitional (Duffy, 2002).
Finally, the response rate is a significant disadvantage. Although both lower and higher response rates have been identified when compared to other surveying methods (Davison et al., 2009), most researchers agree that web-based SAQs have a lower response rate than typical SAQs, which is the lowest of all data collection methods. The response rate can be improved by some techniques: follow-up reminders are the technique that most affects the response rate (Crawford, Couper and Lamias, 2001); careful questionnaire design for length, and a balance between simplicity and beauty, are two more such techniques (Deutskens et al., 2004). Finally, the response rate may also be increased by offering incentives.
One of the most appropriate sampling methods for web-based questionnaires is found to be self-selection sampling, especially when the research focuses on a particular group of internet users or users from different areas (Coomber, 1997; O'Lear, 1996). That description closely matches the target group, which consisted of Senior Executives and IT managers in Greece; according to prior research, these are the groups of people that are involved in IT Governance implementation and decision making. The survey was announced on LinkedIn, a social networking site that is an international interconnected network of professionals. The announcement of the survey was done passively, i.e. there was only a post on specific groups' message boards and there were no emails sent. That decision ensures the self-selection.
Data collection process
In order to overcome the disadvantages related to the data collection method, several techniques were used, either successfully or unsuccessfully.
Davison et al. (2009) suggest that the endorsement of a credible organisation may be both an incentive to participate in the survey and an indication of fair use regarding the confidentiality of the data collected. Unfortunately, two attempts of the author to contact the local chapter of ISACA were in vain since there was no response at all, so that method could not be used. The executive summary of the research was offered as an incentive to the participants who would voluntarily fill in their email in the last question of the questionnaire; it was stated in the announcement and invitations for participation, and it was visible before the first question of the survey. That method has been proven efficient by Deutskens et al. (2004).
Significant effort was put into keeping the time required for the completion of the questionnaire under 30 minutes without significant loss of information, although Hague (2009) does not agree that this is a factor affecting the response rate. There is a consensus, though, that sending reminders after the first announcement of the questionnaire improves the response rate, and this was done.
The questionnaire was announced in the following LinkedIn Groups:
Questionnaire design and pilot
The questionnaire was designed around the research questions and the target was to provide answers to the research questions, by directly using or indirectly evaluating the questionnaire responses. The questions of the questionnaire were of three types: multiple-choice questions allowing only one selection, multiple-choice questions allowing more than one selection, and Likert-type scales. The last ones were used for the rating of different statements, such as the self-assessment of the respondent's familiarity with IT Governance frameworks and the perception of the impact of several factors on the decision to implement an IT Governance framework. According to Rattray and Jones (2005), prior research on the subject may provide potential answers to closed questions. Four recent questionnaires of varying relevancy to the subject were evaluated, and the set of potential answers to the questionnaire was derived from these.
Some data in the questionnaire was nominal, such as the company industry, while other data was categorized ordinal, such as the organisation's size and the budget of the IT department. Finally, some data was non-categorized ordinal, specifically the data that was collected through Likert-type scales. In attitude-measuring questions, a five-point scale was used, in order to minimise non-response bias, which has been found to be increased by the absence of a neutral option (Burns and Groove, cited in Rattray and Jones, 2005). On the other hand, in rating questions in which there is not a "neutral" meaning, a four-point scale was used.
There were several sections in the questionnaire, and the software guided the participants to the appropriate section according to their previous answers. Thus, only a part of the questions was visible to every respondent; obviously, though, the flow rules were predefined, so two persons with the same set of answers would follow the exact same path.
The first section collected demographic data and led automatically to the second section that collected information about the status of the organisation the respondents were describing. The third section depended on the status of IT Governance implementation. The following sections attempted to measure the maturity of the implementation using proxy measurement, and to identify the benefits expected from the implementation, the reasons that delay or block the implementation, as well as distinct management methods used. The flow of the questionnaire is better explained by the following flowchart:
Pilots are quite significant in SAQs due to their fixed design. Issues that can be evaluated during the pilot include the readability and clarity of the questions and possible answers, the rationality of the flow of the questions, and the potential lack of any data that would be required in the analysis phase. For the specific survey, one more aspect that was tested was the branching flow of the questionnaire. The pilot was conducted with 5 participants who were approached directly. The pilot resulted in slight changes to some answers and a minor correction in the questionnaire flow. The results of the pilot phase were not included in the results, partially because the changes that were made in the answers after the feedback from the participants meant that the results could not be objectively merged.
Data analysis methodology
The analysis of the data that was collected through the questionnaires was performed on PASW Statistics V. 18 (previously known as SPSS). The software was used in order to calculate descriptive statistics, correlations and internal consistency of the questionnaire, as well as the generation of some simple graphs. Most of the graphs, and definitely the more complex ones, were created with MS Excel 2007, mainly due to the unfamiliarity of the author with the Chart Builder of PASW. Special attention was paid to the correct formatting of the charts in order to avoid misinterpretation of the data, due to common mistakes such as tick marks, axis scales, secondary grid lines and 3-d effects (Su, 2008).
Simple, descriptive statistics were used for a high-level view of the research questions. That means frequencies, standard deviation and means although they were mostly presented graphically, through pies and bar charts. In depth analysis of that high-level view included the creation of indexes, such as "IT Governance Index" and "IT Governance Model", as well as a correlation analysis in order to identify the factors that create that view.
The internal consistency of the indexes was tested with Cronbach's alpha. That statistic uses the inter-item correlations, in order to verify that the constituent items measure the same domain. That roughly indicates that the parameters that create the index are correct, since the use of any other parameters to create the same index, would produce the same results. There is a cut-off value for Cronbach's alpha, which is usually set at 0.7 for the scale to be considered adequate, while a value of 0.8 usually identifies a good scale.
Correlation, the term that refers to the association of two variables, may be calculated through several methods, including the most commonly used Pearson product-moment correlation coefficient, Spearman's rho (rank-order coefficient) and the point-biserial coefficient, some of which were used in different cases. These methods identify the existence of a tendency of two values to change together. If the increase of the one leads to the increase of the other, then we have a positive correlation, whereas if the one decreases as the other one increases (and vice versa), then we have a negative correlation. If the variables are unrelated, there is no correlation. The values of correlation range from -1 (100% negative correlation) to +1 (100% positive correlation).
The method that was used in every test depended on the type of the variables that were to be tested for association; dichotomous variables were tested using point-biserial coefficient, while Spearman's rho was used when either both variables were ordinal or nominal, or the distribution was not normal. The normality of the distribution was tested by the Shapiro-Wilk method, since this is the suggested method when the number of participants is low (Boslaugh and Watters, 2008).
The correlation index on its own is not enough for conclusions, as it may be attributed to chance. Thus, it is useful to evaluate the statistical significance, which identifies the possibility of the correlation being simply a coincidence. The statistical significance was calculated through the t-test. The most common significance level, i.e. the possibility usually looked for, is 0.05; nevertheless, in some cases it was as low as 0.01. Finally, in most cases the test was chosen to be two-tailed, since it makes more sense to test for positive or negative correlation than to decide that only one way is possible before seeing the results.
All these details are provided in the data analysis chapter, on every correlation that has been identified.
The methods that were employed for data collection, sampling and analysis usually cause some limitations to every research; this one could not be an exception.
The selection of self-administered questionnaires with closed questions in order to be analysed quantitatively, along with the limitations of the web-based surveying tool, resulted in the lack of free text options. Consequently, drivers and barriers to IT Governance, and management and control methods employed, may have been missed because they simply were not presented as options to the participants. That is called "information bias"; although the choices that were presented to the participants were collected from previous research, it is a fact that a different design, and probably a different web-based survey provider, might give the chance to use a mixed approach of quantitative and qualitative analysis by adding some open questions, thus avoiding that type of bias.
The use of non-probability volunteer sampling significantly lowers the generalisability of the research, and a significant problem was identified with the response rate; it was much lower than expected, making the sampling technique questionable. A more aggressive method such as personal email invitations (convenience method) or a mix of convenience and snowball might have yielded better results. Additionally, the announcement of the questionnaire during the Christmas holiday season may have affected the response, since the response rate rose significantly after the New Year, when there were workdays with over 6 responses.
In order to answer the research questions and to draw results from the collected data, this chapter focuses on the analysis of that data. The direct findings are presented and some indirect findings are explained, while correlations are also looked for in order to obtain a deeper understanding of the status of IT Governance in Greece.
Generic and demographic data
The number of respondents who started to complete the survey was 57; nevertheless, 13 of them stopped at some time before completion. That is 22.8%, which is somewhat higher than the 14% reported by Davison et al. (2009). Unfortunately, no data is available regarding the number of visitors to the web page (i.e. those who read the invitation and proceeded to the page of the survey, but read the instructions and some of the questions and chose not to start the survey). These 13 incomplete responses were totally removed from the research during the data cleaning process. No duplicate answers were found; that may to some extent be attributed to the fact that the questionnaire was protected from multiple submissions through cookies. That means that accidental resubmissions were impossible. Unanswered questions were not found in the questionnaire other than in these 13 responses that were removed; that is probably because the questionnaire did not allow for empty responses.
Several descriptions were provided by the respondents as their job title; IT Managers though represented the majority as they accounted for 43.2%. Other IT personnel and Business managers, who are usually not involved in the IT Governance process, accounted for less than 25% of the participants.
Figure 2 shows the industry participation of the respondents. Industries with small participation are grouped under the term "other", which includes Building & Construction, Education, Oil / Gas & Utilities, Industrials, Consumer services, Basic materials & Wholesale.
The banks & financial institutions as well as the technology & telecommunications industries are over-represented compared to the Greek market in which they accounted for 2% in 2002 (NSSG, 2003). On the other hand, the section of business services is well represented, and all others are under-represented.
Size of the respondent's organisation
Previous research had indicated that there is no link between the size of the organisation and the IT Governance maturity. In order to test this theory in the Greek market, the participants' organisation size, was evaluated.
More than half of the participants were from large companies, both in terms of revenue and of number of employees. In Greece, 98% of the companies have up to 10 employees; as such, the sample refers only to larger companies. The difference is expected due to the over-representation of specific sections.
Characteristics of the IT Departments
The relevance of the IT department's size to the maturity of IT Governance has never been investigated, so that data was also collected in order to identify possible correlations.
The IT Departments were found to be relatively large both in terms of budget and in terms of employees. A recent study (Computer Economics, 2009) indicates that the operational budget of an IT department is between 1,5% to 2% of the revenue of the organisation for the last 6 years. That means that more than half of the organisations should have a budget for the IT Department of 150,000 to 200,000 €; consistent with the research findings that more than half were under 400,000 €. Since the budget of the IT departments indicates that many organizations had over 50 million in revenue, the breakdown of the categories of the organisations' revenue is considered inadequate; a more detailed analysis in the upper categories could provide better insight. The same holds for the breakdown of the categories of the organisation's size as indicated by the numbers of IT employees; over 30% of the participants should have more than 1000 employees, since a report by Gartner (2009) puts the number of IT employees slightly over 6% of the total number of employees in an organisation. Although that data is mostly related to American companies, there is no reason to consider them invalid.
Status of IT Governance in Greece
The main concept of this dissertation is to identify the status of IT Governance in Greece. The majority of the participants stated their perception of their organisation's IT Governance maturity as non-existent to low:
One of the main questions that this research aims to answer is the attitude of Greek organisations with regard to IT Governance. The current research indicates that IT Governance is on the agenda of less than half of the Greek organisations. A significant percentage, approaching 20%, is yet undecided, which leaves 34% that have decided that IT Governance will not be an issue for at least the next year.
These results indicate a significantly lower IT Governance acceptance, than those that were reported by ITGI for Europe in 2007. While Europe was in "implementation phase" with 50% of the organisations in either the implementation process or having fully implemented an IT Governance framework, Greece two years later hardly reaches 30%.
One might argue that the decision for the implementation of an official and structured IT Governance framework should not be the only indication of proper IT Governance in an organisation. For that reason, an "IT Governance Index" was created. That index consists of eight practices that relate to prudent IT Governance:
- the existence of an IT Strategy committee
- the existence of an IT Steering committee
- documented and clear project ownership
- documented and clear decision rights for IT budget
- documented and clear decision rights for business process prioritization
- existence and monitoring of key performance (outcome) indicators
- existence of a risk management process and relevant authorities
- the documentation of the IT architecture
The Cronbach's alpha for that set of items and for the whole set of the participants is 0.84 which is a very high value and definitely higher than 0.7 which is generally considered acceptable. Nevertheless, when the test was performed for the individual categories depending on IT Governance implementation attitude, the results were different and the Cronbach's alpha was lower.
The lower alpha values may be partially due to the lower sample sizes, and partially due to the different attributes. The result for the organisations that have not decided either positively or negatively towards IT Governance implementation should not be taken into account due to the very low alpha value, which indicates that the index is not reliable for that sample.
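The index and its reliability test can be reproduced as follows. This is an added example, not the dissertation's code or data: the respondents are constructed, and scoring the index as the share of the eight practices in place is an assumption (the text only states that the index ranges from 0 to 1).

```python
"""IT Governance Index and Cronbach's alpha over constructed survey answers."""
from statistics import variance

# The eight practices listed above, one yes/no item each.
PRACTICES = (
    "IT Strategy committee",
    "IT Steering committee",
    "documented project ownership",
    "decision rights for IT budget",
    "decision rights for business process prioritization",
    "key performance indicators monitored",
    "risk management process and authorities",
    "documented IT architecture",
)

# Constructed respondents (NOT the dissertation's data): attitude group, then
# one 0/1 answer per practice, in the order of PRACTICES.
SAMPLE = [
    ("implemented",  (1, 1, 1, 1, 1, 1, 1, 1)),
    ("implementing", (0, 1, 1, 1, 1, 1, 1, 1)),
    ("considering",  (0, 0, 1, 1, 0, 1, 0, 1)),
    ("not planned",  (0, 0, 1, 0, 0, 0, 0, 1)),
    ("not planned",  (0, 0, 0, 0, 0, 0, 0, 0)),
    ("implementing", (0, 1, 1, 1, 1, 0, 1, 1)),
]


def governance_index(answers):
    """Share of the eight practices in place, 0 to 1 (assumed scoring)."""
    if len(answers) != len(PRACTICES):
        raise ValueError("expected one answer per practice")
    return sum(answers) / len(PRACTICES)


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores))."""
    rows = list(rows)
    if len(rows) < 2:
        raise ValueError("need at least two respondents")
    k = len(rows[0])
    if k < 2:
        raise ValueError("need at least two items")
    item_vars = [variance(col) for col in zip(*rows)]
    total_var = variance([sum(r) for r in rows])
    if total_var == 0:
        raise ValueError("identical total scores: alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def alpha_by_group(sample):
    """Alpha per attitude group; None where the subsample cannot support it."""
    groups = {}
    for attitude, answers in sample:
        groups.setdefault(attitude, []).append(answers)
    result = {}
    for attitude, rows in groups.items():
        try:
            result[attitude] = cronbach_alpha(rows)
        except ValueError:
            result[attitude] = None
    return result


if __name__ == "__main__":
    for attitude, answers in SAMPLE:
        print(f"{attitude:13s} index = {governance_index(answers):.3f}")
    print("alpha, whole sample:", round(cronbach_alpha([a for _, a in SAMPLE]), 3))
    for attitude, alpha in alpha_by_group(SAMPLE).items():
        print(f"alpha, {attitude}:", "n/a" if alpha is None else round(alpha, 3))
```

On this constructed sample the whole-set alpha is high while the per-group values drop or become undefined, the same small-subsample effect the text describes.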
Not surprisingly, these results are in alignment with the subjective rating that the respondents reported as their organisation's IT Governance Maturity. Actually, excluding the participants who have not decided yet on the implementation of an IT Governance framework, clear and strong correlations have been found between the three metrics:
The following chart indicates the subjective IT Governance Maturity which ranges from non-existent to very high (red bars referenced on the left axis) and the objective IT Governance Index which ranges from 0 to 1 (blue line referenced on the right axis), grouped by the IT Governance attitude of the organisation (on the horizontal axis). Once again, although the data for "Undecided" are provided, their reliability is questionable.
Of the elements that make up the IT Governance index, the most commonly used are the definition of project ownership and the existence of documented IT architecture, while the least commonly used is the IT Strategy Committee. Only 18% of the participating organisations do not use any of these practices.
Prior research has indicated that neither the company size nor the company industry affects the decision for IT Governance implementation. In order to verify these findings, a correlation analysis was performed. The distribution of the collected data is not normal, as indicated by a Shapiro-Wilk test (values between 0.01 and 0.024); as such, the correct method for correlation investigation is Spearman's rho.
No correlation was found between the organisation size, in either revenue or number of employees, and the IT Governance Maturity. The latter has also been proven not to be significantly affected by the budget of the IT Department; nevertheless, there is a clear, although weak, correlation between the maturity of the IT Governance and the number of employees in the IT Department, with a Spearman's rho of 0.416, significant at the 0.01 level (2-tailed).
Although correlations are usually shown with scatter plots, in this case too many samples overlap; a bubble chart was therefore used instead, with the bubble size growing with the number of samples at each point.
IT Governance model
Depending on the decision authorities for different IT-related domains, several models and classifications have been developed for the IT Governance an organisation may employ. In order to identify the decision model employed by Greek organisations, the decision rights of the five domains that were suggested by Ross and Weill (2002) were evaluated. These decision domains are:
- IT principles, meaning the IT funding and the position of IT in the organisation
- IT architecture, meaning the core business processes that need to be developed, technical capabilities, the type of information that is generated and technological choices
- IT infrastructure, meaning the critical services that need to be developed and supported, as well as outsourcing decisions
- Business application needs, meaning business process authorization and prioritization, project ownership, possible exceptions to standardized practices, and
- IT investment and prioritization, meaning setting priorities for service developments, IT portfolio, and balancing innovation with standardization
According to that data, most companies have a monarchy, which is either Business or IT dominated. It has to be noted that there are no organisations having a consistent model other than monarchy, for all the decision domains.
Although a relationship was found in previous research between revenue and governance model, the current research does not support that view, since no correlation could be established between IT Governance model and organisation revenue, or any other parameter. Specifically, all organisations evaluated, had a monarchy model regardless of their revenue.
IT outsourcing is considered one of the most challenging tasks that boards need to address, due to the complexity that outsourcing brings to the already complex IT infrastructure (ITGI, 2003). Although Fletcher (2006) characterizes that statement as arbitrary and unsupported, Laplante and Costello (2006) provided an extended list of more than ten risks directly related to outsourcing, while Rouse (2009) points out the significance of governing outsourced functions.
The current research indicates an extensive, but not aggressive, use of IT outsourcing by Greek organisations. Nevertheless, no correlation has been established between the outsourcing strategy of Greek organisations and either the organisation's industry or the IT Governance Maturity, in contrast with the findings of Dahlberg and Lahdelma (2007), who identified a correlation between amount of outsourcing and IT Governance Maturity.
Less than 30% of the participants outsource two or more IT functions. The most commonly outsourced function, by almost half of the participants, is the IT application development and customization. The second choice is the Infrastructure Operations. The least commonly outsourced functions are the IT Strategy and Architecture.
Penetration of ITIL and CobIT as IT Governance frameworks
Most of the respondents were more familiar with ITIL and other IT Governance frameworks than with CobIT, with which 45% state that they have no or low familiarity.
Excluding the companies that do not intend to implement an IT Governance framework, or have not decided yet, the rest of the participants were asked about the framework they have decided to implement. ITIL is clearly the framework of choice, either on its own (38,1%), or combined with CobIT (38,1%). The option "other" comes third with 14,3%, and CobIT is the least preferred framework, chosen by only 9,5% of the respondents.
The sample is too small to evaluate differences between the three categories: those that intend to implement, those that have implemented and those that are in the implementation process. Nevertheless, the companies that consider implementation in the future, are considering the mix of CobIT and ITIL more than ITIL or CobIT alone.
For the few organisations that have implemented either ITIL, or a mix of ITIL and CobIT, the subjective rating of ITIL and CobIT conformance is also presented. The scale is from "the processes do not exist or are not obeyed" to "all processes exist and are followed". Participants stated that most or all of the suggested CobIT processes are defined and followed.
On ITIL conformance, participants indicated a lower conformance, with some to most of the suggested processes to be defined and obeyed.
Drivers to IT Governance Implementation
The reasons for which organisations decide to implement an IT Governance framework may vary. A sample size of 21 participants is used to investigate these reasons. That sample consists of those that have implemented, are in the implementation phase, or are considering implementation of an IT Governance framework.
The most important reason for such an implementation is the need to increase the efficiency of the IT processes, while the least important is cost reduction. Participants rated the importance of the reasons on a scale from 1 to 5, meaning that they strongly disagree (1) to strongly agree (5) that the specific reason was important for the decision to implement an IT Governance framework; the results are as follows:
On average, the results give a similar picture. While decision coordination scores high in the "Strongly agree" area, it also scores high in the "Disagree" area; consequently, as an average it has a lower score than the provision of an organisation-wide view of IT:
For comparison, it has to be stated that recent studies with larger samples have found risk management to be the reason most commonly mentioned by organisations that implement CobIT, with resource management, performance measurement and business-IT alignment following at a distance (ITGI, 2008). That study was a worldwide one; nevertheless, it did not include Greece. Organisations that are implementing ITIL indicate Business-IT Alignment as the most significant benefit sought, closely followed by productivity improvements (BMC Software, 2007). Cost reduction is the third most common reason, with 30% of the participants, in comparison with over 50% for the other two reasons. That study was focused on EMEA, and whether Greek companies participated is unknown.
Another prior survey, which only included Northern American institutes providing higher education, indicated that the most important reason for IT Governance was by far the alignment of IT with institutional goals (73.5%), followed by the promotion of an institution-wide view of IT (50.7%) and collection of community input (38.1%) (Yanosky and McCredie, 2007). The latter is obviously an education-specific target. Cost reduction was the fifth most important reason, with 25%. It has to be noted that in this particular survey, the application of a performance framework to IT was denoted as the least important reason with 7.5%, significantly lower than the second position and 25% of the other, cross-industry surveys, which did not contain education though.
Finally, a fourth survey performed in North America, United Kingdom and Australia identified cost reduction, efficiency and resource utilisation as the primary reasons for IT Governance, followed by compliance and regulatory requirements. Decision making, prioritization and oversight were considered less important (Milne and Bowles, 2009).
These surveys indicate a differentiation of the benefits expected, based on the industry and the governance framework chosen. Nevertheless, the current research did not indicate any correlations between the importance of the drivers for the IT Governance implementation and any other demographic parameter. The parameters that were evaluated were the company industry, the organisation size in revenue and number of employees, the size of the IT department in number of employees and budget, and the IT Governance framework selected for implementation.
Several correlations between the drivers were found though.
Finally, there is only one correlation, between the performance measurement and the job title, with a Spearman's rho of 0.438, significant at p<0.05. That indicates that upper level executives consider the performance measurement more important than lower level IT personnel do, including IT managers.
Barriers to IT Governance Implementation
Organisations that choose to not implement an IT Governance framework may do so for a variety of reasons. The sample used for that evaluation contains 15 respondents, specifically the ones that stated that implementing an IT governance framework was not in their plans.
Although most participants had shared views on the reasons for implementation, the same cannot be stated for the barriers to implementation. The participants' ratings of these reasons differ widely.
Correlations were identified within the barriers using Spearman's rho two-tailed tests. They are, though, the obvious ones, since lack of funding can be attributed to lack of management support, and difficulties in implementing processes indicate an informal organisational culture. Additionally, if there is no management support and there is no clear link between strategic objectives and how they can be served by IT, the implementation of an IT governance framework is not requested.
Correlations were also identified between the barriers and demographic characteristics. One of the most important ones is a negative correlation between the number of employees in the IT department (and the organisation overall) and the lack of a clear benefit. The smaller the organisation, the less clear is the benefit from the implementation of an IT governance framework. The most significant though is that of the benefit and the company industry, with organisations in the Technology and telecommunications sector to state that there is no clear benefit from the implementation. The remaining correlations should be expected, such as a negative correlation between the budget of the IT department, and the belief that there is not enough personnel.
In prior surveys, the major implementation obstacles were deemed the budget and the expected return on investment by approximately 30% of the participants in one worldwide survey, while staffing problems and lack of top management support are not that important (ITGI, 2008). On a different survey, in Northern American educational institutes, the informal culture of the organisation is considered the most important problem, by approximately 42% of the respondents, followed by the lack of participation from necessary parties by 40% (Yanosky and McCredie, 2007). Finally 55% of a survey conducted by BMC Software (2007) in EMEA identified as the most significant barrier to implementation, the high requirements in time and resources.
Other IT Management practices
As has been pointed out, not every organisation uses an IT Governance framework, despite the benefits that such an implementation bears. It has been proven that IT Governance is related to better performance, but that does not necessarily mean the use of a formal IT governance framework. For that reason, it is expected that most organisations use some way of managing and governing their IT assets and resources. That way may be less, equally or even more efficient than a typical framework, although that is part of a different research.
It is thus interesting to identify the options used by organisations that do not implement a formal governance model. Out of eleven known management tools and processes, the 15 participants that are not planning to implement a governance framework, stated the ones that they use:
Key performance indicators are promoted by both CobIT and ITIL and are considered as necessary for the monitoring of the performance of the defined processes. Incident management, service desk and event management are core processes of ITIL service operations, while project management is a necessary part of the domain "Plan and Organise" in CobIT. Six Sigma and Balanced scorecard are even suggested as complete governance frameworks by some researchers (Van Grembergen and De Haes, 2009; Harris et al, 2008).
Although one out of five organisations uses just one such method, while two more are not using any, there is a remaining 40% that uses two or more management practices.
The aim of the current dissertation was to provide a thorough understanding of the current status of IT governance in Greece, through empirical research. This final chapter draws conclusions from the collected and analysed data and identifies the contribution to research and knowledge that this dissertation brings. Points that need further investigation, identified as either problems or opportunities that have been raised by that research, form the recommendations section, enriched with restrictions of the current research. Finally, the overall evaluation of the current dissertation forms the reflections section.
The dissertation focused on the status of IT Governance in Greece. In order to identify that status, the intention was to evaluate the attitude of Greek organisations towards IT Governance. For the confinement of the scope, all the participants worked in Greek companies at the time of their responses - by their declaration.
There were four partial research questions and two distinct sets of participants: the ones that do not choose to implement a framework, and those that do or have done so in the past. Each one of the research questions was addressed to either the whole set of respondents, or a partial subset.
Status of IT Governance in Greece
For the whole set of the participants, the status was evaluated both subjectively by their own perception on IT Governance maturity, and objectively identifying the existence of mechanisms and practices known to promote good IT Governance. Actually, three different metrics provide the same outlook, with internal correlation: 45% of the participants consider their organisation's IT Governance maturity to be average or high. The organisations that have IT Governance in their agenda are 48%. Finally, more than 45% of the participants, use four or more of the eight known practices that promote the use of proper IT Governance. Organisations with bigger IT departments in terms of personnel, are found to have higher IT Governance maturity, possibly due to the fact that there is enough personnel to take over roles that are required for segregation of duties and controls.
The decision model used by Greek organisations is a strong monarchy. That means that decisions are mostly made by only a part of the organisation. The funding of IT, its place in the organisation, the prioritization of its needs, the IT portfolio and the needs for business applications, project ownership and even exceptions to standardized practices, are all decided by senior executives such as CEOs and CIOs. On the other hand, IT architecture and IT infrastructure are mostly decided by IT managers and executives. That means that business representatives have low or no participation in decisions that affect their business flows and operations, and that fact may hinder the benefits that may be acquired by an alignment between business and IT.
Outsourcing, a special case that requires careful IT Governance, is widely used in Greek organisations as 70% of the participants stated that their organisations outsource at least one IT function. Nevertheless, no relationship has been found between the outsourcing intensity and IT Governance maturity.
Penetration of ITIL and CobIT
Nowadays there are two large IT Governance frameworks in wide use: ITIL and CobIT. Over 65% of the respondents stated that their familiarisation with ITIL is average or more; 40% consider it high or very high. The status is quite different with CobIT, with 55% to consider their familiarisation with it to be average or more, and only 23% to consider it high or better. Almost 65% of the respondents stated that their familiarisation with other frameworks is average or more. That might include ISO 38500:2008, or AS 8015 as complete frameworks in the sense that they are used in the current dissertation. That might also include lighter sets of guidelines such as balanced scorecard and six sigma, or even ISO 9000 for quality management, ISO 20000 which targets service management, and ISO 27000 which targets information security. Unfortunately, a clarification to that answer was not requested.
The framework that is mostly selected by organisations for implementation is ITIL, either on its own, by 38% of the respondents, or in combination with CobIT, by another 38%. CobIT on its own is only chosen by less than 10% of the respondents. That makes the ITIL to CobIT ratio 4:1, which is not strange, since auditing and control regulation is practically non-existent in Greece. As such, a control-oriented governance framework is not as appealing as a service management oriented one.
Finally, on the compliance front, for the low number of respondents it is clear that they have all achieved a very good conformance to the processes suggested by the framework they choose: average 80% on ITIL and 95% on CobIT.
Drivers to implementation
Not all organisations have the same needs; as such, it is expected that not all organisations use IT Governance for the same reasons. Despite that obvious statement, the differences identified in the drivers to implementation were small; efficiency increase and business-IT alignment are the most important ones, while cost reduction does not seem to be a comparatively significant reason for the implementation of a formal framework. There are two sets of drivers that seem to create clusters. The one set is the efficiency increase, the business-IT alignment, the performance measurement and the creation of an organisation-wide view of IT; they are the four more important reasons and the respondents seem to consider them related. The second set consists of cost reduction needs and the coordination of different decision processes; they also seem to be considered as related. Regulatory compliance is a reason that is not linked to any other one, and that, combined with the first identified cluster, which is much better related to service lifecycle than to control, may also explain the clear preference of ITIL over CobIT. An interesting point is that although most reasons for implementation have the same significance among the job roles of the respondents, performance management is considered more important by higher-level executives than by lower IT managers.
Organisational issues are the more commonly identified barriers to implementation of a formal framework; the informal organisation culture is the most significant factor, followed by the lack of guidance from the organisation's strategic objectives and personnel problems (shortage and lack of training). Funding issues and problems in process definitions and implementation are important to a lesser extent, although they are linked to the organisation culture. One of the most important parameters in the implementation, that of upper management support, is not considered such a significant problem when compared to others, such as the funding and the participation of the required parties. Participants working in smaller organisations in terms of employees and organisations with small IT departments do not identify clear benefits from such an implementation, while the IT shortage problem is considered more important by IT departments with smaller budgets.
Other governance and management practices
Although a formal framework provides implementation guidance and specific and measurable outcomes to pursue, it is a fact that it may be an unnecessary burden and cost to some organisations that only depend lightly on IT. Additionally, as discussed earlier, the organisation's culture may not be suitable for extended controls and processes, and the personnel available may not be enough or adequately trained. For these reasons, organisations may choose to implement some known management and governance practices; actually, 3 out of 5 do just that. The use of key performance indicators, the setup of a service desk, incident management process and event monitoring tools are the most common ones for the participants of the current research, indicating a clear choice of ITIL based practices.
Overall, IT Governance is appealing to less than half of the organisations in Greece. The main reasons are the increase of the efficiency of the IT department, the achievement of IT-Business alignment and the capability to measure the IT department's performance. Almost three out of four of the organisations choose ITIL, either on its own or in combination with CobIT. ITIL is also the framework two out of three of the participants are familiar with. Organisations that implement an IT Governance framework rely mostly on senior executives and IT managers for the decisions related to several IT issues, leaving the business units out of the decision model.
The organisations that choose not to rely on a formal framework do so because they consider that their culture is not compatible with the definition of and conformance to processes. Smaller organisations are also not convinced about the benefits that IT Governance can offer them. More than half of these organisations choose to use selected practices that they may see fit to their business processes, such as performance measurement and service desk.
The current research project brought up several shortcomings and raised several opportunities for further research. Mostly large organisations responded in the current survey, which was falsely, as proven, designed for smaller ones; thus information that may be important is missing. In order to better identify relationships and trends in the Greek market, a more detailed analysis is required in the upper range of the size of the organisations. Furthermore, the sampling method that was used resulted in overrepresentation of the telecommunications, technology and financial institutes, thus making the results non-generalisable. As financial services have been proven to attain higher business-IT alignment than other sectors (Silvius, 2007), the results may be skewed and present IT governance as more deeply established than it actually is. It is suggested that a similar research be performed using a different sampling method, such as stratified random sampling, in order to be able to reflect the current Greek market in terms of company industry and organisation size.
Further investigation is also required in order to identify what the participants may mean when stating "Other" as their choice for IT governance framework. At least two of the questions could be further explained; that could have been possible if a different data collection method was used. Structured interviews, instead of self-administered questionnaires, are a good candidate, as that would allow the interviewer to further clarify the answer provided. Structured interviews are quite similar to self-administered questionnaires. In the current research, each driver and barrier was characterized as important or not on its own, and not in comparison with others; some questions could be rephrased, having the respondent do a comparative marking in order to explain better the perception of significance of the drivers and barriers.
Finally, there are several
- Ali, S. and Green, P. (2007). IT Governance Mechanisms in Public Sector Organisations: An Australian Context, Journal of Global Information Management, Vol. 15, Issue 4, pp. 41-63
- Addy, R. (2007). Effective IT Service Management: To ITIL and beyond!, Heidelberg: Springer-Verlag
- Anonymous (2008). eEurope/i2010 Ratings for Greece, Athens: Observatory for the Greek Information Society.
- Baschab, J. and Piot, J. (2007) The Executive's Guide to Information Technology, Second Edition. New Jersey: John Wiley & Sons, Inc.
- Bhattacharjya, J. and Chang, V. (2009) Adoption and Implementation of IT Governance: Cases from Australian Higher Education. In A. Cater-Steel (Ed.), Information Technology Governance and Service Management: Frameworks and Adaptation. Hershey - New York: Information Science Reference. pp. 82-100.
- Blaxter, L., Hughes, C. and Tight, M. (2001) How to research; Second Edition, Buckingham: Open University Press
- BMC Software (2007). Proving the Business Case for ITIL: The Experiences of EMEA IT Directors in Implementing ITIL - Drivers and Barriers to Success, Houston: BMC Software
- Boslaugh, S. and Watters, P.A. (2008) Statistics in a Nutshell, Sebastopol: O'Reilly Media Inc.
- Brown, C.V. and Magill, S.L. (1994). Alignment of the IS Functions with the Enterprise: Toward a Model of Antecedents, MIS Quarterly, Vol. 18, No. 4, pp. 371-403
- Brown, A.E. and Grant, G.G. (2005). Framing the Frameworks: A Review of IT Governance Research, Communications of the Association for Information Systems, Vol. 15, pp. 696-712.
- Bruton, N. (2005) ITIL - has it been worth it?, accessed 13/12/2009, http://www.noelbruton.com/ITILHasItBeenWorthIt.pdf
- Bruton, N. (2007) Is It The End For ITIL?, accessed 13/12/2009, http://www.noelbruton.com/Is%20It%20The%20End%20For%20ITIL.pdf
- Buckby, S., Best, P. and Stewart, J. (2009) The Current State of Information Technology Governance Literature. In A. Cater-Steel (Ed.), Information Technology Governance and Service Management: Frameworks and Adaptation. Hershey - New York: Information Science Reference, pp. 1-43.
- Calder, A. (2007) IT Governance: A Pocket Guide, Cambs: IT Governance Publishing.
- Cameron, B. (2007). IT Leadership Maturity Checkup, Forrester Research, Inc.
- Carr, N.G. (2003). IT Doesn't matter, Harvard Business Review, Volume 81, Issue 5, pp. 41 - 49
- Cater-Steel, A. (2009) Information Technology Governance and Service Management: Frameworks and Adaptations, Hershey - New York: Information Science Reference.
- Clark, A.J. (2005) IT Governance: Determining Who Decides, Research Bulletin, Educause Center for Applied Research, Volume 2005, Issue 24
- Computer Economics (2009) IT Spending & Staffing Benchmarks 2009/2010 - Executive summary, accessed 9/11/2009, http://www.computereconomics.com/forms.cfm?id=12
- Coomber, R. (1997) Using the Internet for survey research, Sociological Research Online, Vol. 2, No. 2
- Crawford, S. D., Couper, M.P. and Lamias, M.J. (2001) Web-surveys: Perceptions of burdens. Social Science Computer Review, Vol. 19, No 2, pp. 146-162
- Culmsee, P. (2009) The one best practice to rule them all, accessed 27/12/2009, http://www.cleverworkarounds.com/category/sharepoint/governance/cobit/
- Dahlberg, T. and Lahdelma, P. (2007) IT Governance Maturity and IT Outsourcing Degree: An Exploratory Study, Proceedings of the 40th Hawaii International Conference on System Sciences
- Davison, R. M., Kam, C. S. P., Li, M. Y., Li, Y. and Ou, C.X.J. (2009). Web-Based Surveys in China. In G. M. Hunter and F. B. Tan (Eds.), Handbook of Research on Information Management and the Global Landscape. Hershey, New York: Information Science Reference. pp. 164-184.
- Deutskens, E., De Ruyter, K., Wetzels, M. et al. (2004). Response Rate and Response Quality of Internet-Based Surveys: An Experimental Study, Marketing Letters, Vol. 15, Issue 1,pp. 21-36
- Duffy, M.E. (2002). Methodological Issues In Web-based Research, Journal of Nursing Scholarship, Vol. 34, Issue 1, pp. 83-88
- Fletcher, M. (2006) Five Domains of Information Technology Governance for Consideration by Boards of Directors, MSc thesis, Applied Information Management, University of Oregon
- Gartner (2009) IT Key Metrics data, accessed 15/1/2010, http://www.gartner.com/it/products/consulting/key_metrics_data.jsp
- Hague, P. (2006) A Practical Guide to Market Research, Surrey: Grosvenor House Publishing Ltd
- Harris, M.D., Herron, D.E. and Iwanicki, S. (2008). The Business Value of IT: Managing Risks, Optimizing Performance and Measuring Results, Boca Raton: Auerbach Books
- Higgins, L.N. and Sinclair, D.T. (2008) A New Look at IT Governance, The Journal of Corporate Accounting & Finance, Vol. 19, Issue 5, pp. 31 - 36
- ITGI (2003) Board Briefing on IT Governance, Second Edition, Rolling Meadows: IT Governance Institute
- ITGI (2008) IT Governance Global Status Report - 2008, Rolling Meadows: IT Governance Institute
- ITGI (2009) ITGI Enables ISO/IEC 38500:2008 Adoption, Rolling Meadows: IT Governance Institute
- Kashanchi R. and Toland, J. (2006) Can ITIL contribute to IT/Business Alignment? An initial Investigation, WIRTSCHAFTSINFORMATIK, Vol. 48, Number 5, pp. 340-348.
- Koh, S.C.L and Maguire, S. (2009) Information and Communication Technologies Management in Turbulent Business Environments, Hershey - New York: Information Science Reference
- Laplante, P.A. and Costello, T. (2006) IT Best Practices: CIO Wisdom, IT Pro, January/February 2006, pp. 17-23
- Lee, J. and Lee, C. (2009) IT Governance-Based IT Strategy and Management: Literature Review and Future Research Directions. In A. Cater-Steel (Ed.), Information Technology Governance and Service Management: Frameworks and Adaptation. Hershey - New York: Information Science Reference. pp. 44-62.
- Lee, J., Lee, J.W. and Lee, J.Y. (2009) A Comparative Case Study of Three Korean Firms: Applying an IT Governance Framework. In A. Cater-Steel (Ed.), Information Technology Governance and Service Management: Frameworks and Adaptation. Hershey - New York: Information Science Reference. pp. 145-162.
- Menken, I. (2009) Implementing ITIL Service management, not an 'out of the box' approach, Brisbane: Emereo PTY Ltd
- Meyer, D.N. (2004) Systemic IS Governance: An Introduction, Information Systems Management, Fall 2004, pp 23 - 34
- Milne, K. and Bowles, A. (2009) How IT Governance Drives Improved Performance, White Paper, accessed 12/1/2010, http://www.itpi.org/home/white_papers.php
- Musson, D. (2009) IT Governance: A Critical Review of the Literature. In A. Cater-Steel (Ed.), Information Technology Governance and Service Management: Frameworks and Adaptation. Hershey - New York: Information Science Reference. pp. 63-80.
- Musson, D. and Jordan, E. (2006) The Benefits of IT Governance. European Conference on Information Systems, Goteborg, Sweden.
- Nash, E.M. (2009) IT and Business Alignment: The Effect on Productivity and Profitability, IT Professional, November/December 2009, pp. 31-36
- Network Frontiers (2008) IT Compliance Frameworks: Where the UCF fits, Lecanto, Florida, US: Schaser-Vartan Books
- NCC (2005) IT Governance: Developing a successful governance strategy, Manchester: The National Computing Centre
- O'Donohue, B, Pye, G, and Warren, M.J. (2009) The impact of ICT Governance within Australian Companies. In A. Cater-Steel (Ed.), Information Technology Governance and Service Management: Frameworks and Adaptation. Hershey - New York: Information Science Reference. pp. 163-177.
- O'Lear, R. M. (1996) Using electronic mail (e-mail) surveys for geographic research: Lessons from a survey of Russian environmentalists, Professional Geographer, Vol. 48, Issue 2, pp. 209-217
- Peterson, R (2004). Crafting Information Technology Governance, Information Systems Management, Fall 2004, pp. 7-22.
- Pultorak, D. (2006). IT Governance: Toward a Unified Framework Linked to and Driven by Corporate Governance. In CIO Wisdom II: More Best Practices. : Prentice Hall. pp. 283-320.
- Rattray, J. and Jones, M.C. (2005) Essential elements in questionnaire design and development, Journal of clinical nursing, Vol. 16, pp. 234 - 243
- Rau, K.G. (2004) Effective Governance of IT: Design Objectives, Roles, and Relationships, Information Systems Management, Fall 2004, pp. 35 - 42
- Robb, A. and Parent, M. (2009) Understanding IT Governance: A case of two Financial Mutuals, Journal of Global Information Technology, Vol. 17, Issue 3, pp. 59 - 77
- Ross, J.W. and Weill, P. (2002). Six IT Decisions Your IT People Shouldn't Make, Harvard Business Review, Vol. 80, Issue 11, pp. 84 - 91
- Sallé, M. (2004) IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing, accessed 4/1/2010, http://www.hpl.hp.com/techreports/2004/HPL-2004-98.pdf
- Sambamyrthy, V. and Zmud, R.W. (1999). Arrangements for Information Technology Governance: A Theory of Multiple Contingencies, MIS Quarterly, Vol. 23, No. 2, pp. 261-290
- Sillince, J. and Frost, C. (1995). Operational, environmental and managerial factors in non-alignment of business strategies and IS strategies for the Police Service in England and Wales, European Journal of Information Systems, Vol. 4, Issue 2, pp. 103-115
- Silvius, A.G.J. (2007) Business & IT Alignment in theory and practice, Proceedings of the 40th Hawaii International Conference on System Sciences
- Simonsson, M. (2008) Predicting IT Governance performance: A Method for Model - Based Decision Making, PhD thesis, Royal Institute of Technology, Stockholm, Sweden
- Simonsson, M. and Ekstedt M. (2006) Getting the Priorities Right: Literature vs Practice on IT Governance, Proceedings of Technology Management for the Global Future, 2006. PICMET 2006, pp. 18-26.
- Simonsson, M., Johnson, P. and Wijkström, H. (2007) Model-based IT Governance maturity assessments with Cobit, The 15th European Conference on Information Systems, Switzerland
- Simonsson, M. and Johnson, P. (2006) Assessment of IT Governance - A Prioritization of COBIT, Proceedings of the Conference on Systems Engineering Research, Los Angeles, USA
- Su, Y-S. (2008). It's easy to produce chartjunk using Microsoft Excel 2007 but hard to make good graphs, Computational Statistics and Data Analysis, Vol. 52, Issue 9, pp. 4594 - 4601
- Tavakolian, H. (1989) Linking the Information Technology Structure with Organizational Competitive Strategy: A Survey, MIS Quarterly, Vol. 13, No. 3, pp. 309-317
- Toigo, J.W. (2005) ISO and ITIL and COBIT, oh my!, accessed 27/12/2009, http://www.drunkendata.com/?p=203
- Toomey, M. (2009). Waltzing with the Elephant: A comprehensive guide to directing and controlling information technology, Victoria, Australia: Infonomics Pty Ltd.
- Tshinu, S.M., Botha, G. and Herselman, M. (2008) An Integrated ICT Management Framework for Commercial Banking Organisations in South Africa, Interdisciplinary Journal of Information, Knowledge and Management, Volume 3, pp 39 - 53
- Van Grembergen, V. and De Haes, S. (2009) Enterprise Governance of Information Technology, New York: Springer.
- Weill, P. and Ross, J.W. (2004). IT Governance in One Page, Cambridge Massachusetts: Center for Information Systems Research, MIT Sloan School of Management, CISR WP No. 349
- Weill, P. and Woodham, R. (2002) Don't Just Lead, Govern: Implementing Effective IT Governance, Cambridge Massachusetts: Center for Information Systems Research, MIT Sloan School of Management, CISR WP No. 326
- Yanosky, R. and McCredie, J. (2007) IT Governance: Solid Structures and Practical Politics, ECAR Symposium, Boca Raton, Florida
- Young, R.C. (2006) What is the ROI for IT Project Governance? Establishing a benchmark, 2006 IT Governance International Conference, Auckland, New Zealand