The evaluation and improvement of it governance

Lorences, Patricia Pérez; Ávila, Lourdes Francisca García

doi:10.4301/S1807-17752013000200002

Abstract

The present article aims to propose a general procedure to evaluate and improve the Information Technology (IT) Governance in an organization, considering the Business - IT alignment and risk management. The procedure integrates management tools such as business processes management, risk management, strategic alignment and the balanced scorecard. Additionally, to assess the IT Governance level we proposed an indicator based on the process maturity. The concepts and ideas presented here had been applied in four case studies, verifying their implementation feasibility. The results indicate a low level of IT governance and the existence of several problems primarily in the Plan and Organize and Monitor and Evaluate domains.

IT Governance; IT Management; IT Strategic Alignment; IT Risk Management; IT Governance Assess; IT Governance Improvement

1 INTRODUCTION

Information technologies (IT) have revolutionized the business world irrevocably and in the context of the information age companies increase their IT investments, becoming a major competitive component for companies (Dehning, Dow, & Stratopoulos, 2004Dehning, B., Dow, K. E., & Stratopoulos, T. (2004). Information technology and organizational slack. International Journal of Accounting Information Systems, 5(1), 51-63.). Specific studies have shown empirically: the positive relationship between corporate profitability and the use of IT in business processes (Piñeiro Sánchez, 2006Piñeiro Sánchez, C. (2006). Un estudio transversal sobre la contribución de las tecnologías de la información al éxito empresarial.Revista Europea de Dirección y Economía de la Empresa, 15(2), 61-78.); the elevation of the productivity (Neirotti & Paolucci, 2007Neirotti, P., & Paolucci, E. (2007). Assessing the strategic value of Information Technology: An analysis on the insurance sector.Information & Management, 44(6), 568-582.), the improvement in the performance of processes inducing elevation enterprise performance (Prasad & Heales, 2010Prasad, A., & Heales, J. (2010). On IT and business value in developing countries: A complementarities-based approach. International Journal of Accounting Information Systems, 11(4), 314-335.), and the improvement in the performance of services (Roberto Giao, Mendes Borini, & Oliveira Júnior, 2010Roberto Giao, P., Mendes Borini, F., & Oliveira Júnior, M. d. M. (2010). The influence of technology on the performance of Brazilian call centers. Journal of Information Systems and Technology Management, 7(2), 335-352.).

The implementation of these resources is not enough to obtain the expected uses of IT. These resources only offer a potential that the company should develop and adapt to their specific business context, using management skills. Neirotti and Paolucci prove with their study (Neirotti & Paolucci, 2007Neirotti, P., & Paolucci, E. (2007). Assessing the strategic value of Information Technology: An analysis on the insurance sector.Information & Management, 44(6), 568-582.) that companies show a successful return on IT investment, have better IT management practices that allow them to adapt their organizational routines to meet business needs. Similarly, a study of more than 400 Brazilian companies showed that companies that adopt IT governance mechanisms have an improvement in their financial performance, primarily in relation to profitability (Lunardi, Becker, & Macada, 2012Lunardi, G. L., Becker, J. L., & Macada, A. C. G. (2012). Um estudo empírico do impacto da governança de TI no desempenho organizacional. Producao, 22(3), 612-624.). Other research (Kobelsky, Hunter, & Richardson, 2008Kobelsky, K., Hunter, S., & Richardson, V. J. (2008). Information technology, contextual factors and the volatility of firm performance. International Journal of Accounting Information Systems, 9(3), 154-174.) y (Yao, Liu, & Chan, 2010Yao, L. J., Liu, C., & Chan, S. H. (2010). The influence of firm specific context on realizing information technology business value in manufacturing industry. International Journal of Accounting Information Systems, 11(4), 353-362.) shows that the influence of IT on the future profits of the company depends on various contextual factors such as quality of management and strategic alignment. It is essential to have a clear strategic vision of the role of IT in business (Laurindo, Shimizu, Caravalho, & Rabechini Junior, 2001Laurindo, F. J. B., Shimizu, T., Caravalho, M. M., & Rabechini Junior, R. (2001). O papel da tecnologia da informação (TI) na estratégia das organizações. Gestão e Produção, 8(2), 160-179.). There is empirical evidence (Bulchand-Gidumal & Melián-González, 2011Bulchand-Gidumal, J., & Melián-González, S. (2011). Maximizing the positive influence of IT for improving organizational performance.The Journal of Strategic Information Systems, 20(4), 461-478.) that the planning and management of IT influence the allocation of human resources and IT, which have positive effects on organizational performance. Management efforts to sustain high levels of IT capability translate into sustainable competitive advantages (Huan, Ou, Chen, & Lin, 2006Huan, S.-M., Ou, C.-S., Chen, C.-M., & Lin, B. (2006). An empirical study of relationship between IT investment and ï¬rm performance: a resource-based perspective. European Journal of Operational Research, 984-999.), (Bharadwaj, 2000Bharadwaj, A. S. (2000). A resource-based perspective on information technology capability and ï¬rm performance. An empirical investigation. .MIS Quarterly, 24(1), 169-196.), (Masli, Richardson, Sanchez, & Smith, 2011Masli, A., Richardson, V. J., Sanchez, J. M., & Smith, R. E. (2011). Returns to IT excellence: Evidence from financial performance around information technology excellence awards. International Journal of Accounting Information Systems, 12(3), 189-205.).

The evaluation and improvement of IT governance is extremely important because it allows companies to control if they are really making effective management of their IT, to ensure maximum benefits and management of the associated risks.

Investigations in hundreds of companies around the world have revealed a trend toward the increased maturity level in the area of IT in organizations; however, there is a lot left for improvement. In 2008 (ITGI, 2009ITGI. (2009). IT Governance Global Status Report 2008.: IT Governance Institute.) and 2010 (ITGI, 2011ITGI. (2011). Global Status Report on the Governance of EnterpriseIT: IT Governance Institute.) the IT Governance Institute implemented a comprehensive study in organizations of various sectors in 23 countries representing all continents. Based on the results of the study, it is a fact that the vast majority (92%) of respondents are aware of the problems with the use of these resources and the need to take action in this regard. The research reflects the importance of how IT continues to grow and has significantly increased interest in adoption and implementation of best practices, but there are still many incidents. While security and compliance are important elements mentioned, people are the most critical problem. 58% of respondents considered insufficient the number of IT people in their organizations, which is the main problem presented. The second problem, reflected by 48%, refers to the incidents relating to the provision of services. Then 38% of the respondents said the lack of IT staff skills is another problem. Moreover, it was found that communication between IT and users is improving, but slowly. Although the gap is significant for improving the alignment with the business strategy, 36% of the respondents indicated that the alignment between IT strategy and corporate is bad or very bad.

These results confirm the relevance and importance of having tools to improve governance of these resources. Hence, enterprises need help to raise the level of IT governance, under the conditions and requirements imposed by today's business environment and prospects. The objective of the study reported in this paper was to develop a general procedure to assess and improve IT Governance in an organization, considering the Business - IT alignment and risk management.

In this paper, some concepts of IT governance are recapitulated in section 2 and the propose procedure is presented in Section 3. The main results of the case studies are analyzed in section 4, and conclusions are described in section 5.

2 LITERATURE REVIEW

Information technology (IT) has become pervasive in current dynamic and often turbulent business environments. While in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries. This major IT dependency implies a huge vulnerability that is inherently present in IT environments. IT of course has the potential not only to support existing business strategies, but also to shape new strategies. In this mindset, IT becomes not only a success factor for survival and prosperity, but also an opportunity to differentiate and to achieve competitive advantage. (Wim Van Grembergen & De Haes, 2009Van Grembergen, W., & De Haes, S. (2009). Enterprise Governance of Information Technology. Achieving Strategic Alignment and Value. New York: Springer Science + Business Media.).

IT governance specifies the decision rights and accountability framework to encourage desirable behavior in the use of IT (Peter & J, 2004Peter, W., & J, R. (2004). IT governance: how top performers manage IT decision rights for superior results. Boston, MA: Harvard Business School Press.). This behavior relates to the form of the leadership, and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives (ITGI, 2009ITGI. (2009). IT Governance Global Status Report 2008.: IT Governance Institute.). The scope of IT governance are not single decisions themselves but the determination which decisions need to be made, who can contribute to the decision-making processes and who is eventually eligible to make the decision. In this sense, every company has IT governance, but only an explicitly designed one is able to align IT effectively and efficiently to the goals of the company.

IT governance addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments (Wim Van Grembergen & De Haes, 2009Van Grembergen, W., & De Haes, S. (2009). Enterprise Governance of Information Technology. Achieving Strategic Alignment and Value. New York: Springer Science + Business Media.). Multiple researchers share the same view of IT Governance (e.g. (Peterson, 2004Peterson, R. R. (2004). Integration Strategies and Tactics for Information Technology Governance Strategies for Information Technology Governance (pp. 37-80). United States of America and United Kingdom: Idea Group Publishing.); (Wim Van Grembergen, De Haes, & Guldentops, 2004Peterson, R. R. (2004). Integration Strategies and Tactics for Information Technology Governance Strategies for Information Technology Governance (pp. 37-80). United States of America and United Kingdom: Idea Group Publishing.); (Van Bon, 2008Van Bon, J. (2008). This is NOT IT Governance. UPGRADE The European Journal for the Informatics Professional, 9(1), 5-13.))

IT governance essentially places structure around how organizations´ IT strategy aligns with business strategy. This IT-business alignment will ensure that organizations continue to achieve their strategies and goals, and implement ways to evaluate its performance. One special aspect of IT governance is that it considers the interests of all stakeholders and ensures that processes provide measurable results. This situation is possible with lateral IT governance structures, with the involvement of all levels of management (Prasad, Heales, & P, 2010Prasad, A., & Heales, J. (2010). On IT and business value in developing countries: A complementarities-based approach. International Journal of Accounting Information Systems, 11(4), 314-335.).

In recent years, standards, frameworks, and best practices addressing different aspects of IT management and governance have emerged and matured. Among these, the most mentioned are: ITIL (Commerce, 2011Commerce, O. o. G. (2011). ITIL v.3. Information Technology Infrastructure Library. http://www.itil-officialsite.com/.
http://www.itil-officialsite.com/... ) and ISO/IEC20000 (ISO, 2011ISO. (2011). ISO 20000: Information technology -- Service management. http://www.iso.org/iso/catalogue_detail?csnumber=51986.
http://www.iso.org/iso/catalogue_detail?... ) which address IT service management. The ISO/IEC 38500:2008, corporate governance of information technology, provides a framework for effective governance of IT to assist those at the highest level of the organizations (Standardization, 2008Standardization, I. O. f. (2008). ISO 38 500. Corporate Governance of Information Technology. www.iso.org. accessed 1February 2011.
www.iso.org... ). The standard assists top management to understand their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. ISO27000 (ISO, 2012ISO. (2012). ISO/IEC 27000: Information technology -- Security techniques -- Information security management systems. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56891.
http://www.iso.org/iso/home/store/catalo... ) referred to information security and IT BSC (W. Van Grembergen, 2000Van Grembergen, W. (2000). The Balanced Scorecard and IT Governance.Information Systems Control, 2.) (W. Van Grembergen, 2000Van Grembergen, W. (2000). The Balanced Scorecard and IT Governance.Information Systems Control, 2.) as an adaptation of the BSC to the IT environment. The Control Objectives for Information and related Technology (COBIT) is an approach to standardize good information technology security and control practices. COBIT provides tools to assess and measure the performance of 34 IT processes of an organization (ITGI, 2007ITGI. (2011). Global Status Report on the Governance of EnterpriseIT: IT Governance Institute.). COBIT framework has an integration nature, responding adequately to the governance of IT and its alignment with business objectives.

Searching the literature, organizations can follow a few supporting mechanisms to guide their implementation of IT governance, integrating all the IT governance´s aspects with a strategic approach, and they could be used as a support for its assessment and improvement. Therefore, it was necessary to develop a method.

3 PROCEDURE TO EVALUATE AND IMPROVE THE IT GOVERNANCE

The proposed procedure was divided into four phases as shown in figure 1 to ensure the cycle of continuous improvement for IT governance.

Fig. 1
Procedure to evaluate and improve the IT governance

The first phase is dedicated to the Evaluation of the current state of IT governance in the organization. It begins with the conformation of the team and the second stage proceeds with the general characterization of the organization. The third stage is dedicated to analyzing the alignment of IT resources to the business objectives of the organization, proposing a set of tools to carry out this assessment. In the fourth stage we propose a specific procedure to analyze IT risk management, whcih let you get an assessment of risks in the organization. Because of its importance as a reflection of the actions of IT management, stage five is characterized by employee level of satisfaction with IT services and resources. The maturity diagnosis takes place at the sixth stage and the calculation of a comprehensive indicator of IT governance that characterizes the current state of the organization take place in stage 7. This phase of the procedure culminates with the proposal of improvement actions, depending on the assessment (stage 8).

In the second phase, the Design of the IT governance process is carried out, defined under the BPM approach. It begins with modeling and analysis of the As-Is process in stage 9, which allows the identification of opportunities for improvement in the process, from the results of the previous phase. Stages 10 and 11 describe in detail the selection and design of the sub-processes. This phase ends with the design of the To-Be process, including its modeling and the approval of the suggestion. Already in the third phase, Implementation, we proceed to execute the process designed. The general procedure ends with a Controlphase which is the "engine" of continuous improvement, because depending on the results, it might involve a return to earlier stages. We propose the calculation of indicators to monitor the sub-processes implemented and we designed a generic scorecard as a tool management control of IT, based on the principles of IT BSC, and it must be redefined by the organization. To monitor the achievement of the procedure objectives a final stage dedicated to the recalculation of the proposed indicator is included, which also includes situation analysis and ends with the proposal of improvement measures.

3.1 Phase 1: IT Governance Evaluation

Stage 1: Conformation of the team

The first stage is aimed at the conformation of the team, which will feature the full implementation of the procedure. It includes: Definition of the team structure, determination of members quantity and selection of the personnel, assignment of responsibilities and tasks, and the training of staff.

Stage 2: General description of the organization

This second stage corresponds to the general characterization of the organization under study, which should,in particular, appreciate the value of information technology to achieve their business objectives. It includes: Description of the organization general data, and identification of the objectives and business processes.

Stage 3: Analysis of IT resources and alignment to business objectives

At this stage we will analyze the impact of IT in achieving business goals and current conditions of the company to meet these requirements. It includes the following steps:

Carry out an inventory of IT resources of the organization

The folowing should be identified: the applications, infrastructure and staff; which are required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the systems and information services. We propose an inventory model that is a format table useful to organize the information for categories and its impact classification.
Classify the IT resources in terms of their impact on business

From the inventory of IT resources in the organization we proceed to classify them individually, according to their impact on the business, into: Strong, Medium or Weak. To do that, we design an algorithm as shown in Figure 2, considering the current and potential importance of IT resources, and its ease of replacement.

Once each one is classified, we proposed a set of indices useful to determine the impact of each type of IT resource (applications, infrastructure and staff)on the business and the global impact of all resources
Evaluate business processes according to their degree of dependence on IT

The literature offers few precedents where it is allowed to establish the dependence on IT from a business process to be classified into one scale. Little (Little, 1981Little, A. D. (1981). The Strategic Management of Technology. Cambridge. Massachussets. U.S.A.) establishes one scale to assess the technological position in an enterprise and (Brito Viñas, 2000Brito Viñas, B. (2000). Modelo conceptual y procedimientos de apoyo a la toma de decisiones para potenciar la función de Gestión Tecnológica y de la Innovación en la empresa manufacturera cubana., UCLV, Villa Clara, Cuba.) modify that propose, but in both cases it is a breadth scale, which is not specific for IT. (Jiménez Quintana, 2002Jiménez Quintana, C. (2002). Indicadores de Alineamiento entre Procesos de Negocios y Sistemas Informáticos., Universidad de Concepción.) defines a set of measures that assess: the business process degree of automation, the support degree of information systems and the support degree of information systems on-line. We used these bases and our empirical experience to define a qualitative scale for the degree of dependence on IT in three levels: Strong, Medium or Weak.
Analyze the correlation between IT resources and requirements of the organization based on business objectives

Fig. 2
Algorithm to classify the IT resources in terms of its impact on business

Once there is the classification of IT resources according to their impact on the business and evaluation of business processes according to their degree of dependence on IT, in this step we analyze the alignment between the two aspects. To support this analysis the matrix shown in Figure 3 was developed. The proposed matrix is useful to analyze the alignment and possible strategies to follow. It is based primarily on the following elements: Strategic Alignment Model (Luftman, 2004), the IT strategic grid to examine the strategic role of IT McFarlan and McKenney (MacFarlan & macKenney, 1983MacFarlan, F. W., & macKenney, J. (1983). Corporate Information Systems Management. Homewood, Illinois: Richard D. Irwin Inc.) and Matrix Technology Management (Edwards & Bytheway, 1991Edwards, W., & Bytheway. (1991). The Essence of Information Systems. Hemel Hempstead: Prentice Hall International.).

Fig. 3
Matrix (dependence on business processes / impact of IT resources), alignment analysis

Stage 4: Analysis of IT risks and their management

At this stage we analyze the management of IT risks in the enterprise. For this, we propose a specific procedure, structured in nine steps as shown:

1. Establish the strategic context of risk

• Are critical IT resources identified?
2. Identify threats

• Are threats identified?
3. Identify vulnerabilities

• Are vulnerabilities identified?
4. Analyze controls

• Which controls are implemented?
5. Determine probability level

• Is the likelihood of a threat to act on a determined vulnerability, considering existing controls?
6. Analyze impact

• Have you analyzed the impacts of a threat to act on vulnerability?
7. Determine risk level

• Have you determined the risk levels?
8. Recommend controls
9. Document results

The content and tools of each step, guidance for the implementation of the diagnonis to obtain the risks, and on the other hand, provide the necessary elements to answer the question proposed, enabling the analysis of IT risk management.

Stage 5: Characterization of employee satisfaction with the resources and IT services

The special importance of employee satisfaction with IT resources and services motivated the inclusion of this stage in the diagnostic procedure. A survey was designed to characterize employee satisfaction with infrastructure, applications, IT staff and services.

Stage 6: Making the maturity diagnosis of the IT control objectives

The first step of this stage is to define the domains and control objectives to diagnose. A general proposal was made starting from COBIT 4.1 framework, which must be adapted by the team considering elements to be added or removed depending on the characteristics of the organization. Then we proceed with the collection, verification and analysis of information to determine the maturity level of each control objective according to the maturity models defined by COBIT.

Stage 7: Assessment of IT governance in the organization

At this stage we assess IT governance in the organization, for which we propose an indicator to evaluate the level of IT Governance (I_GTI). The equations and model evaluation were developed by the authors considering the maturity level of each control objective and the assumption that these control objectives do not have the same importance in the enterprise. The steps to develop this stage are:

I. Determination of the relative importance of domains and control objectives

II. Assessment of the domains and control objectives

We propose the assessment of each control objective through the following expression:

EOC_dg: Assessment of the control objective "d" of the domain "g"

W_dg: Weight (relative importance) of the control objective "d" of the domain "g"

NM_dg: Maturity level of the control objective "d" of the domain "g"

The sum of the assessments of the control objectives gives the domain result

RD_g: Result of the domain "g"

The evaluation of each domain is calculated using the following expression:

ED_g: Evaluation of the domain "g"

Wg: Weight of the domain "g"

III. Determination of indicator I_GTI. Graphical representation of results

The indicator to evaluate the level of IT Governance (I_GTI) is calculated as shown:

We define the scale for assessment of IT Governance from Non-existent level to Optimized, as shown in table 1considering the maturity levels proposed in COBIT. The determination of intervals was made using the simulation of results. We propose a graphical representation of results, using control radars and Cause-Effect graphics like shown in figure 4.

Thumbnail

Table 1
Scale for assessment of IT Governance

Fig. 4
Graphical representation of results, using control radars and Cause-Effect graphics

IV. Preparation of evaluation report

From the results obtained in the previous stages, this step is required to produce a report which includes assessing: the analysis of IT resources and alignment to business objectives, analysis of IT risk management, the analysis of the characterization of employee satisfaction, and a list of domains and control objectives that reflected greater difficulty. The main problems affecting IT governance in the organization should be noted.

Stage 8: Proposal for corrective, preventive and / or improvement actions

Once made, the IT governance diagnosis, the report prepared by the team may indicate the need for corrective, preventive and / or improvement actions, as applicable. At this stage we proceed to develop the proposal for such actions.

3.2 Phase 2: Design of the IT governance process

The design phase has been formed under the approach of Business Process Management (BPM). The analysis of the current state of IT governance in the organization was realized in the previous phase, so in case there is a defined IT process in the organization, phase 2 begins with As-Is process modeling, otherwise it goes to stage 10.

Stage 9: Modeling and analysis of As-Is process

At this stage we model the IT governance process that currently exists in the organization. We recommend using BPMN for business process modeling. The team should define the notation and the tool to use for modeling. The modeling of the current situation allows the identification of opportunities for process improvement. From the diagnosis made we could point the deficiencies that might exist in the structure of the current process. Also, we could point the need to incorporate new sub-processes or activities based in the COBIT framework.

Stages 10 and 11 correspond to the proposed improvements to the AS-IS process.

Stage 10: Determination of required sub-processes

At this stage the analysis includes: COBIT processes that are pertinent or not in the organization and what processes are required in correspondence with the characteristics of the organization, which are not covered in the COBIT framework.

Stage 11: Design or redesign of each sub-process

At this stage the processes based on COBIT should be redesigned according to the characteristics of the organization. The design of the new additional processes is required. The elements to consider are: overview of sub-process, description of sub-process activities, inputs and outputs of sub-process, RACI Chart (Responsibility, Accountable, Consulted, Informed), goals and metrics of the process.

Stage 12: Design of To-Be process

Once each sub-process is redefined, we design the To-Be process, showing how to relate those sub-processes connected by their inputs and outputs. The steps in this stage are: Modeling the To-Be process, Evaluation and approval of the designed process, Redesign based on the assessment and Document the To-Be process.

3.3 Phase 3: Implementation

Stage 13: Develop an implementation plan

To ensure the successful performance of the designed process, an implementation plan should be established. This plan includes the actions to be taken into consideration to ensure the transition from the As-Is process to the To-Be process. The plan also defines the priorities that order the implementation of sub-processes, based on its importance for the enterprise.

Stage 14: Gradual implementation of sub-processes

From the priorities identified in the implementation plan, at this stage, we proceed to gradually implement sub-processes. In the implementation, it is of utmost importance to ensure the commitment of top management to achieve successful results. This commitment must be tangible through active participation, willingness to change, resource allocation, internal communications, process monitoring and taking actions to achieve goals. The preparation and training of managers and staff of the organization through training programs focused on developing knowledge and skills in IT governance can be useful at this time.

3.4 Phase 4: Control

This phase focuses on evaluating and controlling the behavior of the IT governance in the organization, with the IT process implementation. This phase constitute the "motor" of continuous improvement for the procedure, which may involve a return to earlier stages in terms of results. IT process control does not require that this has been fully implemented; it can be carried out independently by each sub-process, allowing you to make decisions during the implementation phase and maintain a control and monitoring system to ensure the successful completion of the actions provided. To control the overall performance of IT governance in the organization, we also propose to determine the IT Governance Level indicator proposed in the first stage, analyzing its behavior with respect to the state it was before implementing the improvements in the organization. IT balanced scorecard has also been designed.

Stage15: Control of sub-processes

At this stage it is proposed to calculate the KPI (Key Performance Indicators) during the performance of a subprocess and KGI (Key Goals Indicators) after implemented, to determine if they achieve their objective. KPIs allow determining how well the IT process is performing to achieve the goal, indicating whether it is feasible to achieve a goal or not. KGIs define measurements to inform if an IT process reached its business requirements.

Stage 16: Management control Tool. IT BSC

As a tool for management control at this stage we proposed to design a balanced scorecard for IT. We propose a generic design based on IT BSC (W. Van Grembergen, 2000) . This design and the proposed indicators should be adapted by the organization in terms of the IT process designed, their interests and special characteristics.

Stage 17: IT Process Evaluation

17.1 Recalculation of the IT Governance Level indicator

The recalculation of the indicator allows a comparison of the behavior results of the current situation, once the IT process is implemented. This check allows to verify the effectiveness of the proposed process and establishes the relevant improvements if necessary.

17.2 Situation analysis

If the proposed process is suitable for IT governance in the organization and has led to tangible improvements, its performance will need to be reviewed periodically. The return to stage 2 could be necessary, depending on the characteristics of the organization and changes that might be generated internally or externally. If the organization's performance has not evolved positively, we must analyze the causes. The analysis might reveal problems in the implementation of the process or its design, in which case we will proceed to improve it. Also to be considered external events that, during the period considered for assessment, could have influenced these results.

3.17 Proposing improvements

After the situation analysis we proceed to the proposal of measures contributing to the continuous improvement. To achieve the necessary improvements, this analysis can include the return to phases 2 or 3 of the procedure for the redesign of the process, depending on the deficiencies identified in its initial design or its implementation. If the return is not necessary, we continue with the implementation and consolidation of IT process in the organization.

4 RESULTS

The application of the procedure in four case studies lets us verify their implementation feasibility as effective methodological instruments to, first of all, assess the IT governance in these enterprises focusing on the main problems, and in second place to determine improvement opportunities that contribute to IT-Business alignment and risk management.

We consider achieving a balance between the enterprise selected, including two software development enterprises and two commercial enterprises. In this article we presented a synthesis of the results in one software development enterprise and the global analysis for the rest. The application of the procedure in this enterprise allows the design and implementation of a new IT governance process according to their peculiarities. The IT governance improvement is evident in the elevation of the indicator to evaluate the level of IT Governance since 25.87% to 44.81%, resulting from a considerable improvement in all domains as shown in figure 5 (red color represent the early assess).

Fig. 5
Graphical representation of results, using control radars.

The IT BSC design includes four perspectives. It was selected a set of metrics balancing key performance indicators and key goals indicators, to guarantee the proactively in the monitoring of IT governance at the enterprise.

In the other enterprises the first stage was finalized, identifying the problems and the improvement actions recommended. These results are showed in (Pérez Lorences, 2010Pérez Lorences, P. (2010). Procedimiento para evaluar y mejorar la gestión de tecnologías de la información en empresas cubanas. Universidad Central Marta Abreu de Las Villas, Villa Clara, Cuba.). The calculi of the indicator to evaluate the level of IT Governance showed all case studies´ results under the 40%, denoting a low level and the existence of several problems primarily in the Plan an Organize and Monitor and Evaluate domains. The analysis proves that a lack of adequate IT governance exists, based on business requirements.

The successful application of the procedure in the companies studied, both in software companies, trading companies, demonstrated its applicability to entities with different characteristics, being evidenced adequate operational flexibility. The ability to select the control objectives to be evaluated and to determine the relative importance they have on the company to obtain an assessment of their level of management, to ensure the flexibility of its application. This was demonstrated when methodological tools of the evaluation phase were applied to the software case studies. Similarly, it was found in the case of the other two companies under study, both traders. The flexibility of their instruments was demonstrated, making them desirable in principle, by other similar organizations, which support to a greater or lesser extent, their business on information technologies.

5 CONCLUSION

In this paper, we presented a new general procedure to analyze, evaluate, monitor and improve IT Governance in an organization. The procedure considers the alignment between business processes and IT resources, IT risk management, the approach of process maturity, the principles of Business Process Management and IT Balance Scorecard. All this is complemented by the COBIT framework, expression of best practices in the IT governance field. The structure and content of the phases proposed ensure the cycle of continuous improvement for IT governance. The evaluation phase integrates the best practices of the COBIT framework with tools of IT resources alignment and risk management, considering employee satisfaction, thus allowing a comprehensive assessment of IT governance in the organization. The design and implementation phases, based on the assessment and best practices, guide the construction of the IT governance process as a central proposal for improvement. The inclusion of a control phase is vital to ensure continuous improvement; this phase allows the monitoring, balancing goal and performance indicators that ensure proactive improvement actions.

REFERENCES

Bharadwaj, A. S. (2000). A resource-based perspective on information technology capability and ï¬rm performance. An empirical investigation. .MIS Quarterly, 24(1), 169-196.
Brito Viñas, B. (2000). Modelo conceptual y procedimientos de apoyo a la toma de decisiones para potenciar la función de Gestión Tecnológica y de la Innovación en la empresa manufacturera cubana, UCLV, Villa Clara, Cuba.
Bulchand-Gidumal, J., & Melián-González, S. (2011). Maximizing the positive influence of IT for improving organizational performance.The Journal of Strategic Information Systems, 20(4), 461-478.
Commerce, O. o. G. (2011). ITIL v.3. Information Technology Infrastructure Library. http://www.itil-officialsite.com/.
» http://www.itil-officialsite.com/
Dehning, B., Dow, K. E., & Stratopoulos, T. (2004). Information technology and organizational slack. International Journal of Accounting Information Systems, 5(1), 51-63.
Edwards, W., & Bytheway. (1991). The Essence of Information Systems Hemel Hempstead: Prentice Hall International.
Huan, S.-M., Ou, C.-S., Chen, C.-M., & Lin, B. (2006). An empirical study of relationship between IT investment and ï¬rm performance: a resource-based perspective. European Journal of Operational Research, 984-999.
ISO. (2011). ISO 20000: Information technology -- Service management. http://www.iso.org/iso/catalogue_detail?csnumber=51986.
» http://www.iso.org/iso/catalogue_detail?csnumber=51986
ISO. (2012). ISO/IEC 27000: Information technology -- Security techniques -- Information security management systems. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56891.
» http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56891
ITGI. (2007). COBIT 4.1 Control Objectives for Information and related Technology. : IT Governance Institute.
ITGI. (2009). IT Governance Global Status Report 2008: IT Governance Institute.
ITGI. (2011). Global Status Report on the Governance of EnterpriseIT: IT Governance Institute.
Jiménez Quintana, C. (2002). Indicadores de Alineamiento entre Procesos de Negocios y Sistemas Informáticos, Universidad de Concepción.
Kobelsky, K., Hunter, S., & Richardson, V. J. (2008). Information technology, contextual factors and the volatility of firm performance. International Journal of Accounting Information Systems, 9(3), 154-174.
Laurindo, F. J. B., Shimizu, T., Caravalho, M. M., & Rabechini Junior, R. (2001). O papel da tecnologia da informação (TI) na estratégia das organizações. Gestão e Produção, 8(2), 160-179.
Little, A. D. (1981). The Strategic Management of Technology Cambridge. Massachussets. U.S.A.
Luftman, J. (2004). Assessing Business-IT Alignment Maturity Strategies for Information Technology Governance (pp. 99-128). United States of America and United Kingdom: Idea Group Publishing.
Lunardi, G. L., Becker, J. L., & Macada, A. C. G. (2012). Um estudo empírico do impacto da governança de TI no desempenho organizacional. Producao, 22(3), 612-624.
MacFarlan, F. W., & macKenney, J. (1983). Corporate Information Systems Management Homewood, Illinois: Richard D. Irwin Inc.
Masli, A., Richardson, V. J., Sanchez, J. M., & Smith, R. E. (2011). Returns to IT excellence: Evidence from financial performance around information technology excellence awards. International Journal of Accounting Information Systems, 12(3), 189-205.
Neirotti, P., & Paolucci, E. (2007). Assessing the strategic value of Information Technology: An analysis on the insurance sector.Information & Management, 44(6), 568-582.
Pérez Lorences, P. (2010). Procedimiento para evaluar y mejorar la gestión de tecnologías de la información en empresas cubanas Universidad Central Marta Abreu de Las Villas, Villa Clara, Cuba.
Peter, W., & J, R. (2004). IT governance: how top performers manage IT decision rights for superior results Boston, MA: Harvard Business School Press.
Peterson, R. R. (2004). Integration Strategies and Tactics for Information Technology Governance Strategies for Information Technology Governance (pp. 37-80). United States of America and United Kingdom: Idea Group Publishing.
Piñeiro Sánchez, C. (2006). Un estudio transversal sobre la contribución de las tecnologías de la información al éxito empresarial.Revista Europea de Dirección y Economía de la Empresa, 15(2), 61-78.
Prasad, A., & Heales, J. (2010). On IT and business value in developing countries: A complementarities-based approach. International Journal of Accounting Information Systems, 11(4), 314-335.
Prasad, A., Heales, J., & P, G. (2010). A capabilities-based approach to obtaining a deeper understanding of information technology governance effectiveness: evidence from IT steering committees.International Journal of Accounting Information Systems, 11(3), 214-332.
Roberto Giao, P., Mendes Borini, F., & Oliveira Júnior, M. d. M. (2010). The influence of technology on the performance of Brazilian call centers. Journal of Information Systems and Technology Management, 7(2), 335-352.
Standardization, I. O. f. (2008). ISO 38 500. Corporate Governance of Information Technology. www.iso.org. accessed 1February 2011.
» www.iso.org
Van Bon, J. (2008). This is NOT IT Governance. UPGRADE The European Journal for the Informatics Professional, 9(1), 5-13.
Van Grembergen, W. (2000). The Balanced Scorecard and IT Governance.Information Systems Control, 2.
Van Grembergen, W., & De Haes, S. (2009). Enterprise Governance of Information Technology. Achieving Strategic Alignment and Value New York: Springer Science + Business Media.
Van Grembergen, W., De Haes, S., & Guldentops, E. (2004). Structures, Processes and Relational Mechanisms for IT Governance Strategies for Information Technology Governance (pp. 1-36). United States of America and United Kingdom: Idea Group Publishing.
Yao, L. J., Liu, C., & Chan, S. H. (2010). The influence of firm specific context on realizing information technology business value in manufacturing industry. International Journal of Accounting Information Systems, 11(4), 353-362.

Publication Dates

Publication in this collection
Aug 2013

History

Received
31 Jan 2012
Accepted
10 Apr 2013

This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

[1] Bharadwaj, A. S. (2000). A resource-based perspective on information technology capability and ï¬rm performance. An empirical investigation. .MIS Quarterly, 24(1), 169-196.

[2] Brito Viñas, B. (2000). Modelo conceptual y procedimientos de apoyo a la toma de decisiones para potenciar la función de Gestión Tecnológica y de la Innovación en la empresa manufacturera cubana, UCLV, Villa Clara, Cuba.

[3] Bulchand-Gidumal, J., & Melián-González, S. (2011). Maximizing the positive influence of IT for improving organizational performance.The Journal of Strategic Information Systems, 20(4), 461-478.

[4] Commerce, O. o. G. (2011). ITIL v.3. Information Technology Infrastructure Library. http://www.itil-officialsite.com/.
» http://www.itil-officialsite.com/

[5] Dehning, B., Dow, K. E., & Stratopoulos, T. (2004). Information technology and organizational slack. International Journal of Accounting Information Systems, 5(1), 51-63.

[6] Edwards, W., & Bytheway. (1991). The Essence of Information Systems Hemel Hempstead: Prentice Hall International.

[7] Huan, S.-M., Ou, C.-S., Chen, C.-M., & Lin, B. (2006). An empirical study of relationship between IT investment and ï¬rm performance: a resource-based perspective. European Journal of Operational Research, 984-999.

[8] ISO. (2011). ISO 20000: Information technology -- Service management. http://www.iso.org/iso/catalogue_detail?csnumber=51986.
» http://www.iso.org/iso/catalogue_detail?csnumber=51986

[9] ISO. (2012). ISO/IEC 27000: Information technology -- Security techniques -- Information security management systems. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56891.
» http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56891

[10] ITGI. (2007). COBIT 4.1 Control Objectives for Information and related Technology. : IT Governance Institute.

[11] ITGI. (2009). IT Governance Global Status Report 2008: IT Governance Institute.

[12] ITGI. (2011). Global Status Report on the Governance of EnterpriseIT: IT Governance Institute.

[13] Jiménez Quintana, C. (2002). Indicadores de Alineamiento entre Procesos de Negocios y Sistemas Informáticos, Universidad de Concepción.

[14] Kobelsky, K., Hunter, S., & Richardson, V. J. (2008). Information technology, contextual factors and the volatility of firm performance. International Journal of Accounting Information Systems, 9(3), 154-174.

[15] Laurindo, F. J. B., Shimizu, T., Caravalho, M. M., & Rabechini Junior, R. (2001). O papel da tecnologia da informação (TI) na estratégia das organizações. Gestão e Produção, 8(2), 160-179.

[16] Little, A. D. (1981). The Strategic Management of Technology Cambridge. Massachussets. U.S.A.

[17] Luftman, J. (2004). Assessing Business-IT Alignment Maturity Strategies for Information Technology Governance (pp. 99-128). United States of America and United Kingdom: Idea Group Publishing.

[18] Lunardi, G. L., Becker, J. L., & Macada, A. C. G. (2012). Um estudo empírico do impacto da governança de TI no desempenho organizacional. Producao, 22(3), 612-624.

[19] MacFarlan, F. W., & macKenney, J. (1983). Corporate Information Systems Management Homewood, Illinois: Richard D. Irwin Inc.

[20] Masli, A., Richardson, V. J., Sanchez, J. M., & Smith, R. E. (2011). Returns to IT excellence: Evidence from financial performance around information technology excellence awards. International Journal of Accounting Information Systems, 12(3), 189-205.

[21] Neirotti, P., & Paolucci, E. (2007). Assessing the strategic value of Information Technology: An analysis on the insurance sector.Information & Management, 44(6), 568-582.

[22] Pérez Lorences, P. (2010). Procedimiento para evaluar y mejorar la gestión de tecnologías de la información en empresas cubanas Universidad Central Marta Abreu de Las Villas, Villa Clara, Cuba.

[23] Peter, W., & J, R. (2004). IT governance: how top performers manage IT decision rights for superior results Boston, MA: Harvard Business School Press.

[24] Peterson, R. R. (2004). Integration Strategies and Tactics for Information Technology Governance Strategies for Information Technology Governance (pp. 37-80). United States of America and United Kingdom: Idea Group Publishing.

[25] Piñeiro Sánchez, C. (2006). Un estudio transversal sobre la contribución de las tecnologías de la información al éxito empresarial.Revista Europea de Dirección y Economía de la Empresa, 15(2), 61-78.

[26] Prasad, A., & Heales, J. (2010). On IT and business value in developing countries: A complementarities-based approach. International Journal of Accounting Information Systems, 11(4), 314-335.

[27] Prasad, A., Heales, J., & P, G. (2010). A capabilities-based approach to obtaining a deeper understanding of information technology governance effectiveness: evidence from IT steering committees.International Journal of Accounting Information Systems, 11(3), 214-332.

[28] Roberto Giao, P., Mendes Borini, F., & Oliveira Júnior, M. d. M. (2010). The influence of technology on the performance of Brazilian call centers. Journal of Information Systems and Technology Management, 7(2), 335-352.

[29] Standardization, I. O. f. (2008). ISO 38 500. Corporate Governance of Information Technology. www.iso.org. accessed 1February 2011.
» www.iso.org

[30] Van Bon, J. (2008). This is NOT IT Governance. UPGRADE The European Journal for the Informatics Professional, 9(1), 5-13.

[31] Van Grembergen, W. (2000). The Balanced Scorecard and IT Governance.Information Systems Control, 2.

[32] Van Grembergen, W., & De Haes, S. (2009). Enterprise Governance of Information Technology. Achieving Strategic Alignment and Value New York: Springer Science + Business Media.

[33] Van Grembergen, W., De Haes, S., & Guldentops, E. (2004). Structures, Processes and Relational Mechanisms for IT Governance Strategies for Information Technology Governance (pp. 1-36). United States of America and United Kingdom: Idea Group Publishing.

[34] Yao, L. J., Liu, C., & Chan, S. H. (2010). The influence of firm specific context on realizing information technology business value in manufacturing industry. International Journal of Accounting Information Systems, 11(4), 353-362.

Intervals I_GTI(%)	IT Governance Assessment

(95≤ I_GTI ≤100)	Level 5: Optimized
(75≤ I_GTI <95)	Level 4: Managed
(55≤ I_GTI <75)	Level 3: Defined
(35≤ I_GTI < 55)	Level 2: Repeatable
(15≤ I_GTI < 35)	Level 1: Initial/Ad Hoc
(I_GTI< 15)	Level 0: Non-existent

Brasil