Wessels and van Loggerenberg IT Governance: Theory and Practice

IT Governance: Theory and Practice

Eugene Wessels Johan van Loggerenberg

Department of Informatics Department of Informatics
University of Pretoria University of Pretoria
johan.vl@up.ac.za johan.vl@up.ac.za

ABSTRACT
IT governance aims to align business and information technology strategies. Organizations adopt IT governance
to ensure efficiency, decreased costs and increased control of IT infrastructures. Some believe that IT
governance will improve organizational accountability, thereby resulting in return on investments. IT
governance frameworks, such as COBIT and ITIL, are internationally accepted and promote these benefits.
Even though literature promotes IT governance, practitioners perspectives of IT governance might not always
agree. In a recent survey, 76% of CEOs and CIOs were aware of the benefits offered by IT governance
frameworks, yet only 42% of them had any intention of implementing such a framework. This paper provides a
limited indication of the perspectives organizations have on IT governance in comparison with theoretical
perspectives offered by the literature.

Key words
Keywords: IT governance, corporate governance, IT management, ITIL, COBIT

INTRODUCTION
IT governance aims to align business and information technology strategies effectively and efficiently. Boards
of directors, executives and IT Managers adopt IT governance in their businesses to ensure efficiency, decreased
costs and increased control of IT infrastructures (Van Grembergen, 2003: 242). Patel (2002: 3163) included
product and service quality in the definition of IT governance. He believes that IT governance will improve
organizational accountability, resulting in return on investments. IT governance frameworks such as COBIT and
ITIL (Carroll, Ridley & Young, 2004: 233) are internationally accepted and promote these benefits. ITIL,
described as the best practices for an organizations IT processes, is the most widely accepted framework for the
management and delivery of information technologies, according to Kim (2003: 13). COBIT, in turn, is defined
as the best framework to balance organizational IT goals and business objectives, according to Carroll, Ridley &
Young (2004: 233). It is important to note that these two frameworks share a limited, if any, amount of
functionality, even though they both qualify as IT governance frameworks.
Even though literature promotes IT governance forcefully (Hoffman (2003: 14), practitioners perspectives of IT
governance might not always agree. In a recent survey, conducted by Price Waterhouse Coopers, the following
unanticipated result was revealed: 76% of various CEOs and CIOs are aware of the benefits offered by IT
governance frameworks, yet only 42% of them had any intention of implementing such a framework.
This study focuses on organizational perspectives of IT governance, and specifically on benefits it claims to
offer. The result of this research will deliver a limited indication of the perspectives organizations have on IT
governance in comparison with theoretical perspectives offered by the literature.

THE RESEARCH PROBLEM

The literature consistently emphasizes the importance of IT governance within organizations by promoting the
benefits that IT governance claims to deliver toorganizations them. Many organizations have implemented their
individual IT governance frameworks in the hope of obtaining the advantages that these frameworks propagate.
Evidently, these implementations come at a high cost, which many organizations are prepared to pay when
considering the compensations of such a framework.
However, an increasing amount of literature suggests that inconsistent perspectives and unrealized benefits of IT
governance are being published. One might begin to consider the validity of the statement made by Koch
(2002) that IT governance is often more theoretical than practical.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

The research problem addressed in this paper is that there seems to be incongruence between the various
theoretical elements of IT governance, as proclaimed by IT governance framework developers, and the practical
perspectives perceived by organizations. Such examples include the management of IT governance, the
relationships that IT governance has with corporate governance, as well as IT management and the benefits IT
governance claims to deliver. This puts doubts in the mind of the executives having to allocate funding and
other resources to the implementation of IT governance, and therefore scientific investigation of the phenomenon
is required.

RESEARCH OBJECTIVES
This paper addresses various theoretical aspects of IT governance as well as the perspectives organizations have
on it. The main research question addressed in this paper is as follows: Is practicing IT Governance consistent
with the literature on the subject?
This paper attempts to answer the main research question by answering the following secondary research
questions:
What is IT governance?
What is the relationship between corporate governance, IT governance and IT management?
Which IT governance frameworks exist?
What are the theoretical benefits of an implemented IT governance framework as promoted by the
literature?
Do organizations obtain the theoretical benefits promised by the implementation of an IT governance
framework?

RESEARCH METHODOLOGY
In order to identify the perceptions that organizations have about IT governance, the key aspects of IT
governance as presented in literature, were identified. Only a limited number of academic publications focus on
IT governance and many cover the topic rather broadly. Other resources, typically consisting of industry
standards and frameworks such as COBIT, are also available. A limitation is that the majority of literature
resources are practitioner-oriented and not academically accredited, as confirmed by Carroll, Ridley & Young
(2004: 239).
The empirical study followed a qualitative approach. Three companies were identified and interviews conducted
with knowledgeable managers in order to provide a foundation for the empirical research. Semi-structured
interviews, mostly consisting of open questions, were conducted with specific managers of the three companies.
The objective of the interviews was to obtain answers to the research questions. Several critical points were
discussed and if the interview permitted it, some points enjoyed detailed attention.

DEFINING IT GOVERNANCE
According to most of the literature on the subject, the most important aspect of IT governance is the alignment of
an organizations IT operations with its business strategies. Van Grembergen (2003: 242) defines IT governance
as the organizational management of IT and business processes; but specifically in such a way that IT and
business are integrated. Patel (2002: 3167) agrees that IT governance is the alignment of IT with business
objectives, or in other words, the delivering of business opportunities from IT. This may not be as easy as it
seems. Burn & Szeto (1999: 197) state that the process of aligning business and IT is critical and increasingly
problematic. The basic description of IT governance as the fusion of business and IT, is also supported by
Parker, Peterson & Ribbers (2002: 3143). They state that IT governance is based on lateral decision-making
processes between the organisation and its IT divisions. This is in line with the view that Schwarz & Hirscheim
(2003: 131) have on IT governance, with the exception that they highlight the importance of organizational
strategies.
The inclusion of organizational strategies is vital when defining IT governance. The formulation of an
organizational strategy should reflect the blending of IT strategies and business strategies, as a way to ensure
effective IT governance (Parker, Peterson & Ribbers, 2002: 3143). Exler (2003) states that the success of an
organizations strategy will rely immensely on how executives incorporate IT into the organizational
environment.
Many organizations define IT governance as a set of processes in which IT-related costs are restrained. As
stated by Hoffman (2003: 14), IT governance is a way to ensure that technological and IT labour costs are

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

disciplined. Koch (2002) supports this aspect as part of his definition of IT governance. He states that
organizational units must be consistent in their IT governance, in order for business objectives to be aligned.
Kan (2003: 2) highlights another important IT governance aspect. He states that IT governance is a way of
guaranteeing the delivery of the expected benefits of IT. Ross & Weill (2004a) agree that IT governance is a
technique used to ensure the expected deliverables of IT, by ensuring the realization of the desirable IT
behaviour.
The IT Governance Institute (2000) expands on this definition by adding that IT governance is the delivery of IT,
while balancing risks. Risks can be minimized with the correct organizational decision-making structures and
the assignment of roles and responsibilities.
This paper defines IT governance as: A framework of IT-related processes, disciplined to deliver maximum IT
value, in order to complement business strategy, while balancing risks.

CORPORATE GOVERNANCE
Corporate governance is defined by Sohal & Fitzpatrick (2002: 97) as a setting in which others can manage
their tasks effectively. They expand on this definition by stating that corporate governance is the response to
the question on what must be done to add value to an organization, while including activities as administration,
coordination, appraising and planning. While this definition may seem very broad, corporate governance does
cover various aspects within an organization.
Corporate governance is a term describing what an organisation must do, how it must be done and the
structures required to do it, according to Koch (2002). This includes organizational policies, structures and
management processes (Schwarz & Hirschheim, 2003: 130). These processes and structures help ensure that the
organizational vision, values and strategies are realized, by supporting the key decisions that are directed by
corporate governance (Ross & Weill: 2004a). Patel (2002: 3165) states that corporate governance will ensure
the proficient and successful use of organizational resources, thus realizing their goals.
A profound statement which reads that without good governance, you wont get good decisions consistently,
was made by Koch (2002). He also divides corporate governance into two main sections:
Executive frameworks -e.g. committees, boards, policies.
Management responsibilities - to implement, maintain and report on these frameworks.
Interestingly enough, Nelson (2004: 28) emphasizes the role of shareholders in his definition of corporate
governance. He summarizes corporate governance as a set of constraints on the managers and shareholders
relating to organizational performance and value.
The allocation of roles and responsibilities is critical for an organization in order to successfully accomplish its
functions, when implementing corporate governance (Hwang, 2002: 14).
The final important aspect of corporate governance is the protection of shareholders interests (Exler, 2003).
This can be accomplished by the effective balancing of business opportunities and risks (Kan, 2003: 2). Exler
(2003) agrees that risk management is a critical aspect of corporate governance.

IT/IS MANAGEMENT
Information Technology- or Information System management is the execution of the processes of supervising IT
effectively and efficiently (Sohal & Fitzpatrick, 2002: 98). Therefore, it encapsulates the ensuring of
achievements within given boundaries, of deliverables set by higher management.
The management of Information Technology or Information Systems is considered by Lin & Pervan (2003: 15)
to be a technical issue. Therefore, as IT management may have a more hands-on view of the organizations IT
environment, it is their responsibility to suggest and manage new projects. The IT manager is also responsible
for the escalation of project information, which may include data on project development status, budgets and
staff performance. Bearing in mind that the IT manager ideally is in close contact with the organizations
employees, the statement by Siriram & Snaddon (2003: 2) is credible. They state that IT management can
influence employee performance significantly and that IT management also consists of the management of
lower-level employee activities such as scheduling, performance appraisals, training, logistics, team
collaboration and motivation.

THE RELATIONSHIP BETWEEN IT GOVERNANCE, CORPORATE GOVERNANCE AND IT MANAGEMENT

IT governance focuses on the IT-related aspects within a corporate governance framework (Kan 2003: 2).
Carroll, Ridley & Young (2004: 239) agree that IT governance is only one part of corporate governance. An
important point made by Exler (2003) is that IT governance should not be implemented separately from

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

corporate governance. Exler (2003) also confirms that IT management is an element of corporate governance.
This proves that IT management and IT governance are both parts of corporate governance. In a study done by
Parker, Peterson & Ribbers (2002: 3148) it was demonstrated that if business management is not committed to
IT management, misinterpretations and inconsistency are to be expected. Bearing in mind that IT governance
aims to align business and IT, this point strongly supports the proposition that IT management is only one aspect
of IT governance.
A typical organization has corporate governance, IT governance and IT management present. Corporate
governance is the combination of various specialized governance frameworks such as financial governance and
IT governance; the latter focusing purely on the IT function within the organization. Another example is asset
governance, which predictably governs all functions that assets play within organizations. Chances are that these
sub-components of corporate governance might overlap, for example, an asset function might use IT - such as
hardware and software - to calculate its monthly depreciation for financial statements. Corporate governance
must align these sub-components in order to ensure that all sub-components move in the same direction towards
a common organizational goal.
IT governance itself also has a relationship with IT management. IT management may occur in various business
units within an organization, even if the business unit is not dedicated to a pure IT function, and only uses IT to
complete other business functions. It is primarily these encapsulated business units that do not have uniform and
consistent functions such as IT expenditure, IT functions and IT strategies, to name but a few. IT governance is
designed to group the IT function of these business units and to centrally discipline it.

IT GOVERNANCE FRAMEWORKS
As discussed earlier, an IT governance framework is unique to each organization. However, there is no
shortageof generic frameworks to govern IT effectively within organizations. Barton (2004) agrees that even
though these frameworks vary in content, they are all designed to improve the efficiency of IT. Anthes (2004:
41) also recognizes the differences in the various IT governance frameworks but mentions the similarities and
overlapping between them too. According to Anthes (2004: 41), all IT governance frameworks do have the
same goal of gaining maximum benefits for IT.

ITIL
The IT Infrastructure Library (ITIL) framework was originally developed by the UK Government and consists of
a set of best practices that is collected and updated by a wide range of practitioners. The ITIL version used in
this study was Version Two.
Kim (2003: 13) describes the ITIL framework as a process-based approach to IT activity, and states that ITIL is
not focused on technology, but rather based on processes critical to organizations. The ITIL framework defines
a set of best practices for these processes. Kim (2003: 13) suggests that organizations use ITIL to identify and
improve business processes, using a set of best practices and then maturing these processes by using appropriate
technologies.
The Office of Government commerce (2002: 1-4) and the Central Computer and Telecommunications Agency
(2000: 4-5) has divided the ITIL framework into the following sets:
The Business Perspective
Service Delivery
Service Support
ICT Infrastructure Management
Application Management
Planning to implement Service Management
Security Management.
The Business Perspective set aims to improve management perceptions concerning the ICT infrastructure, as part
of their business processes, and to gain an understanding and appreciation of Service Management standards and
best practices. This includes issues such as business continuity management, partnerships and outsourcing,
change survival and business practice transformation through radical change.
The Service Delivery set identifies which services the organization must deliver in order to provide the users
with adequate support, and includes capacity management, financial management for IT services, availability
management, service level management, IT service continuity management and customer relationships
management.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

The Service Support set has the aim of ensuring that the services supporting various business functions are
accessible to customers, without any difficulties. Issues such as service desks, incidents management, problem
managements, configuration management, change management and release management are discussed.
The ICT Infrastructure Management set covers more technical issues such as network service management,
operations management, management of local processors, computer installation and acceptance and systems
management.
The Application Management set focuses on the complex software development lifecycle process, specifically
emphasizing the integration between business objectives and application development. Application
Management relates to various issues discussed in the previous four sections.
The Planning to implement the Service Management set explains the challenging process of introducing IT
governance (specifically ITIL) into an organization, together with the approach and steps of implementing it.
Finally, the Security Management set is dedicated to all security-related issues within an organization to ensure
the secure delivery of all organizational services.

Strengths of ITIL
The main strength that ITIL offers is its reputation. ITIL has shown itself to be entrenched and mature by
providing a detailed focus on the quality of IT production and operational processes. Because ITIL is based on
best practices, it is an excellent tool for enhancing operational systems (Anthes, 2004: 42).

Weaknesses of ITIL
ITIL does, however, have a few limitations. The development of quality management services and the failure to
address a software development life cycle are the major restrictions of ITIL. Quality issues relating to
operational systemsare not addressed by ITIL (Anthes, 2004: 42). Instead, these can be measured and improved
by using ISO 9000 or Six Sigma.

COBIT
The framework for Control Objectives for Information and Related Technology (COBIT) was developed by the
IT Governance Institute (ITC) and aims to balance IT risks with investments in IT controls (Carroll, Ridley &
Young, 2004: 234). The COBIT version used in this study was Version Three.
The IT Governance Institute (2002: 4-5) developed the COBIT framework, which consists of 34 high-level
control objectives, and is divided into the following main domains:
Planning and Organisation
Acquisition and Implementation
Delivery and Support
Monitoring.
The Planning and Organization domain consists of control objectives on IT strategy, information architecture, IT
organization and relationships, IT investments, communication management aims and directions, human
resources management, external requirements compliance, risks assessment, and project and quality
management.
The Acquisition and Implementation domain is concerned with automating key solutions, application software,
technology infrastructure, procedures development and maintenance, system installation and accreditation, and
change management.
The Delivery and Support domain, in turn, provides control objectives on service levels, the management of
third-party services, performance and capacity management, systems security assurance, cost identification and
allocation, user education, configuration management, incident management, data management, facilities
management and operations management.
The Monitoring domain focuses on issues such as the assessment of internal controls, the obtaining of
independent assurance, process monitoring and independent auditing.

Strengths of COBIT
Because COBIT is extremely audit-orientated, it provides excellent checklists for various aspects of IT within
organizations (Anthes, 2004: 43).

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

Weakness of COBIT
The COBIT framework is very much generic. It only documents the directions that IT must follow and not how
to follow these directions. COBIT, like ITIL, also fails to address software development life cycles. The main
shortcoming of the COBIT framework is the fact that it doe not cater for continuous process improvement
(Anthes, 2004: 43).

THE THEORETICAL BENEFITS

IT governance claims to deliver the following benefits:

Decreased Risks (Carroll, Ridley & Young, 2004: 233)

Calder & Watkins (2002: 65) divide risks into two sections: speculative risks and non-speculative risks.
Speculative risks are closely related to business strategy, i.e. an organization can either gain profit or suffer
losses. These types of risks can be predefined abstractly and can, to some extent, be expected to materialize.
Non-speculative risks are the risks organizations experience from which only a loss can occur. Non-speculative
risks occur unexpectedly and limited provision can be made for these crises.
As discussed earlier, IT governance, amongst others, aims at the alignment of IT and business strategies. Thus it
is reasonable to state that IT governance aims to reduce speculative risks by ensuring that IT complements the
organizational business strategies. Non-speculative risks are also minimized through the processes and standards
specified in an IT governance framework.
IT risks should never be underestimated. IT governance should be implemented as a protective measure, risk
management being an excellent example.
Efficiency and Control of IT Functions (Van Grembergen, 2003: 242)
An overwhelming 80% of production downtime consists of operator error and application failures, each
contributing 40% (Office of government commerce, 2002: 5). Operator errors consist of issues like lack of
procedures, backups and errors. Application failures include untested releases and poor change management, to
name but a few. From these figures the need for effective IT management is undeniable.
IT governance frameworks like ITIL provide excellent guidelines for sound application and service management
and are essential for the long-term viability of an organization.

Best Practices of IT Functions (Kim, 2003: 13)

COBIT and ITIL provide extensive sets of predefined processes, contributed by various experienced
practitioners all over the world. Since these processes are only defined on a high level, they usually require
some sort of customization before they are implemented. As an IT governance framework matures, processes
might be continuously revised and customized to be more effective within the organizations culture.
The implementation of best practices as replacements for ineffective existing processes is a main characteristic
and benefit of IT governance frameworks like ITIL.
Clear Allocation of Roles and Responsibilities for IT Functions (Hwang & Liu, 2003: 11)
Roles within an IT governance framework are the behaviour or function that each individual plays which
contribute to the IT function within the organization. Responsibilities are the specific actions an individual must
be accountable for. The role of the CIO, for example, might be to supervise and steer IT governance while the
responsibilities of the CIO might be to assure business strategies and IT are aligned or that the IT governance
framework is effectively implemented. The allocation of roles and responsibilities to employees will result in
each process having an owner, who is given the responsibility to manage the process.
IT governance aims to reduce ownerless processes by assigning roles and responsibilities, and in turn appointing
people to prevent these processes from failing.

Effective Management of IT (Schwarz & Hirscheim, 2003: 129) (Hwang & Liu, 2003: 13)
As discussed earlier, the CEO, CIO, unit managers and an IT governance committee all have different
management responsibilities relating to IT within an organization. IT governance creates a clear and common
direction for these executives to work towards and in accordance with.
By disciplining IT-related functions and creating clear roles and responsibilities for IT processes, IT governance
will ease the burden on managers.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice
Increased IT Control and Standards (Hwang & Liu, 2003: 13)
Controls are not only required to detect, prevent and correct unlawful events, but also to try to ensure that
objectives are achieved (IT Governance Institute, 2000: 3).
The key to effective controls is not to implement as many controls as possible chances are that the framework
will drastically decrease in effectiveness. The target of an IT governance framework should be to implement the
maximum control with the minimum processes.
Standards are the criteria according to which IT functions must be carried out. Quality standards like ISO 9000
are practised globally and are important components of an organizations IT governance framework.
IT governance raises the need for effective controls and standards within an organisation and is usually
implemented using ISO 9000 and / or ISO 19977, to name but a few.

Improved Product or Service Quality More Satisfied Clients (Patel, 2002: 3163)
Both the IT governance frameworks COBIT and ITIL provide a comprehensive set of processes and standards,
which is developed to not only improve an organizations product, but also to increase customer service.
According to the Central Computer and Telecommunications Agency (2002: 27), world-class service can
influence the success or failure of organizations to a significant degree, and can be considered a competitive
advantage. IT governance aims to deliver customer service as a competitive advantage.

Control (Hoffman, 2004: 6) and Lower (Patel, 2002: 3163) IT-Related Costs
One of the main goals of IT governance is to create uniformity and consistency of all IT-related issues within
organizations. IT governance prohibits business units from managing their IT functions as individual
preferences. Instead, all IT functions of business units are managed consistently.
IT governance aims to manage IT consistently and on a high level, in order to create uniformity, which in turn
will improve the control of IT and decrease IT costs.

Prioritize IT Initiatives (Hoffman, 2004: 6)

In a typical organization either business or IT departments can initiate IT projects. IT governance is a
mechanism that allows IT projects to be neutrally reviewed and prioritized, without the interference of the
organizational politics that usually influence these decisions.
IT governance consists of formal processes that employees must conform to, including the management of IT
initiatives, with the aim of preventing unauthorized IT projects.

Assure Expected IT Benefits (Kan, 2003: 1)

Bearing in mind both the cost and importance of IT within organizations, the anticipated deliverables of IT
projects mustmaterialize. One of the main aims of IT governance is to protect organizations against the potential
failures of IT projects. As an organizations IT governance frameworks matures, a secure and established IT
environment will help organizations to gain the maximum benefits offered by IT.
In other words, IT governance aims to deliver the full potential of IT initiatives.

Alignment Between IT and Business Strategies (Parker, Peterson & Ribbers, 2002: 3143)
The alignment of IT with business strategies is the most important aim of IT governance and has been
extensively discussed in the previous sections. Closely related to this point is another advantage offered by IT
governance, which is the consistency of IT strategies (Hwang & Liu, 2003: 13): there is no point in aligning
business strategies with IT, if the IT strategies itself are contradictory.
The alignment of IT with business strategies is considered to be the most urgent reason for organizations to
implement IT governance.

Return on Investment (Patel, 2002: 3163)

Many organizational initiatives forcefully promote return on investment and IT governance is no exception.
However, as this study indicates, the major benefits of IT governance will only be harvested as the framework
matures over time. For an IT governance framework to be effectively implemented, processes must first become
established within the organization, as discussed in detail earlier in this paper.
The return on investment by implementing IT governance is a benefit that is only realized over a period of time,
and by the successful maintenance of the framework.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice
Increased Organizational Success (Kan 2003: 2) and Value (Hwang, 2002: 15)
Organizational success is the collaboration of various processes, of which IT governance is only one.
Nevertheless, effective IT governance does contribute enormously towards the success and value of an
organisation.

Shareholders Contentment with the Organizations Success (Parker, Peterson & Ribbers, 2002: 3143)
Closely related to the discussion on return on investment and increased organizational success and value, IT
governance also aims to increase the satisfaction of the shareholders of an organization. This not only includes
financial issues like savings on IT costs - which could potentially implicate bigger dividends - but also gives
shareholders ease of mind regarding their investments. At the bare minimum, IT governance might serve as a
mutual platform for the executive committee and shareholders to communicate.

Competitive Advantage (Patel, 2002: 3163)

By implementing an IT governance framework, organizations can strengthen their IT processes, which in turn,
could give organizations an edge over their competitors. Organizations can implement IT governance as a way
to market a cheaper product by cutting IT-related costs, or they could produce better services by having
disciplined IT processes. Competitive advantage is of utmost importance for organizations, in order to gain
market share.
In most organizations, initiatives that can contribute towards a competitive advantage are embraced without
much consideration. Competitive advantage is one benefit that IT governance offers, which forces organizations
to seriously consider the implementation of such a framework.

PARTICIPANTS IN THE EMPIRICAL STUDY

The topics presented in the previous sections were discussed with volunteers in organizations with the aim of
documenting their general perceptions of IT governance. Each of the topics discussed with the organizations
was compared with the literature in order to assist the researchers in formulating an opinion.
Owing to the confidentiality of the interviews, the the three companies will be referred to as EduSoft, ServiceSA
and BankSA. These are imaginary names.

EduSoft
EduSoft is an organization based in South Africa, with various offices located internationally, employing 200
employees. EduSoft specializes in the development of software packages for the higher education market and
the company expects significant market increase in their market segment within the near future. EduSoft is in
the initial stages of implementing an IT governance framework internally, but the implementation process has
not materialized yet. Nevertheless because it had done adequate investigations on available IT governance
frameworks and the process of implementing a customized version, EduSoft was included in the paper for the
purpose of identifying their expectations of IT governance. Two candidates where interviewed, namely the CEO
and the manager responsible for the implementation of the framework.

ServiceSA
ServiceSA is one of the worlds largest ICT service providers and has offices in 23 countries worldwide -
consisting of 43500 employees in total. It has 1500 multinational clients and supports a global network,
spanning 40 countries. ServiceSA offers a number of services, including software development and
maintenance, but their niche lies in the management of their clients IT infrastructures (outsourcing). ServiceSA
has, in their opinion, nearly perfected the management of IT governance. They are so confident about their
ability to implement IT governance frameworks successfully, that they have created a team dedicated to
outsourcing their knowledge to other organizations, assisting clients in implementing effective ITIL frameworks.
The person interviewed plays a leading part in the implementation of the processes defined in their IT
governance framework.

BankSA
BankSA is a leader in the South African banking industry and has approximately 32000 employees. BankSA
offers their financial services to personal, commercial and corporate clients residing locally and internationally,
including the United States, United Kingdom, China, Singapore, Hong Kong and the rest of Africa. BankSA
uses the latest information technology in offering their services to various South African locations. They believe
that without IT, their organization would cease to exist. BankSAs Head of IT strategy was interviewed, being
the person responsible for IT governance. The interviewee is well qualified and has represented BankSA at

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

various conferences focusing on IT governance, often including excellent presentations by the interviewee
himself.

RESULTS OF THE INTERVIEWS CONDUCTED

The following section describes the interviewee responses to the interview questions. This papers conclusions,
relating to these opinions as well as the literature survey conducted, are presented in a separate section.

IT Governance Relationships
Both candidates at EduSoft agreed that corporate governance includes IT governance. However, their opinions
were divided on the relationship that IT governance has with IT management. The CEO of EduSoft was of the
opinion that IT governance includes IT management, but is not limited to it. The manager argued that IT
governance and IT management are one and the same. ServiceSA also confirmed that IT governance is one of
many aspects that corporate governance includes. According to ServiceSA, IT governance is the implementation
of the processes defined by IT management thus IT management consists of IT governance. BankSA was
under the impression that corporate governance consists of IT governance, and IT governance in return consists
of IT management.
Both the literature and empirical study agree that IT governance is part of corporate governance. However, the
inconsistent perspectives which organizations have on the relationship between IT governance and IT
management, motivates the researchers to agree with the literature: IT management is one aspect of IT
governance.

Designing an IT Governance Implementation

EduSoft believes that IT governance should be an initiative created out of corporate governance, and that the
processes must be defined at business unit level. ServiceSA also supports the statement that IT governance
should be implemented as a hybridof a top-down and bottom-up approach. In contrast to this, BankSA is of the
opinion that IT governance must be designed entirely at top level, thus implementing it using a top-down
approach.
According to the literature survey, the implementation process of an IT governance framework is closely related
to the culture of the organization. Some organizations have strong top managements, for which a centralized
top-down IT governance implementation would be very effective. However, if an organization has strong
representatives in the various business units, a moredecentralized, bottom-up approach might be preferred.
Therefore, the researchers acknowledge the fact that no single proposition would be an ideal solution.
Nonetheless, The researchers are of the opinion that IT governance should be implemented centrally as a hybrid
of a top-down and bottom-up approach. Top management should initiate the process of developing an IT
governance framework. This is because top management carries the responsibility for corporate governance, and
a critical aspect of IT governance is its aim to be aligned with corporate governance. Thus, IT governance
should originate from a top-down method. But, in order for the framework to be comprehensive, business units
must also participate in the development process. Using a bottom-up method, initiated and supported by top
management, will ensure the involvement of the business units. When the requirements of top management
meet the inputs of the business units, a well balanced IT governance framework may be developed and
maintained.

The Management of IT Governance

According to EduSoft, the CEO carries the ultimate responsibility for IT governance, while the CIO will mostly
manage the day-to-day IT governance operations. EduSoft also states that an IT governance committee is
compulsory and will ideally consist of the CEO, CIO, CFO, representatives of business units, internal auditors
and, on an advisory basis, external auditors. ServiceSA also supports the point made by EduSoft that the CEO
carries the ultimate responsibility for IT governance. However, as ServiceSAs board of directors does not
include the CIO, a specific IT manager, by a team of experts, acts as an IT governance committee. They are
responsible for IT governance management. BankSA, on the other hand, has a very complex and business-
oriented committee responsible for the management of IT governance. The person mainly responsible for
directing the committee is the CIO. As many as thirteen business representatives and two IT experts are
included as members of the committee. An extremely important function of the committee is the secretariat.
According to BankSA, the secretary, who is also responsible for the logistics of IT governance, is critical to the
success of their IT governance.
The researchers are of the opinion that the management of IT governance is strongly related to the
implementation of IT governance, in the sense that both are unique, depending on an organizations culture.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

While the literature strongly supports the proposition that the CIO should manage IT governance, no consistency
could be established between the organizations perspectives on who should manage IT governance.
The researchers conclusion concerning the role-player that should manage IT governance is fairly closely
aligned with that of Ross & Weill (2004b). The executive ultimately responsible for IT governance is the CIO.
Because the CEOs position within an organizational structure is more senior, the CEO is responsible for the
corporate governance. The CEO must ensure that IT governance is aligned with corporate governance, in order
for an organizations departments to work in a common direction. Typically, an organizations CEO will
nominate the CIO to be responsible for IT governance. The CIO must implement and maintain the IT
governance framework, and will typically assemble an IT governance committee to assist in the design,
implementation and maintenance of it. It is the responsibility of the CIO to inform the CEO about the status of
their IT governance framework on a regular basis, and to ensure that IT-related strategies and goals remain well
defined and aligned with the rest of the organization.

THE BENEFITS EXPECTED AND GAINED BY IMPLEMENTING IT GOVERNANCE FRAMEWORK

In the following section a comparison is drawn between the theoretical benefits and the expected benefits, as
reported by the organizations.

The Organizations Perspectives

Being in the initial phases of implementing IT governance, only EduSofts expectations are illustrated in Table
1, to follow. EduSoft has very idealistic and theoretical expectations of the deliverables of IT governance. This
comes as no surprise, bearing in mind that EduSoft has done exhaustive research on IT governance and that they
intend to implement a framework for the very reasons promoted by the literature. EduSoft aims to achieve 47%
of the benefits promoted by the literature. The main motivation for EduSoft to implement an IT governance
framework, is the protection of shareholder interests, by implementing best practices to minimize IT-related
risks. Surprisingly, although the alignment of IT with business strategy was mentioned during the interview, it is
not considered a major reason to implement IT governance. Another strong motivation for EduSoft to adopt an
IT governance framework is that their clients require them to do so. Furthermore, EduSoft believes that the
framework could offer them advantages in their marking campaign.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

REASONS FOR IMPLEMENTING IT ORGANISATION

GOVERNANCE
EduSoft ServiceSA BankSA
E A E A E A

Theoretical benefits:

1. Decreased risk management * * * * *

2. Efficiency and control of IT functions * * *
3. Best practices of IT functions * * * * *
4. Clear allocation of roles and responsibilities
* * * * *
for IT functions
5. Effective management of IT
6. Increased IT control and standards * *
7. Improved product/service quality more
* *
satisfied clients
8. Control and lower IT-related costs * * *
9. Prioritize IT initiatives * *
10. Ensure expected IT benefits * * *
11. Alignment between IT and business
* * *
strategies
12. Return on investment
13. Increased organizational success * *
14. Shareholders contentment * * *
15. Competitive advantage * *

Practitioners benefits:

Marketing * * *
Client Expectations * *

Table 1: Expected Benefits of IT Governance

Like EduSoft, ServiceSAs reason for implementing IT governance is not the alignment of IT and business.
Instead, examples of the main motivations to implement IT governance are the establishment of standards, cost
prevention and the delivery of expected IT objectives, by using best practices. One of the foremost reasons why
ServiceSA has decided to implement IT governance is the dual advantages it offers to their organization.
ServiceSA itself not only expected major internal benefits, but also recognized and grasped a business
opportunity in outsourcing their expertise to other organizations. Before implementation, BankSA expected 67%
of the theoretical benefits to materialize. A satisfactory 71% of these benefits were obtained, of which 29% were
not anticipated before implementation. The benefits ServiceSA achieved after implementation are roughly in
line with the benefits expected before implementation, with the major exception of costs. According to
ServiceSA, their IT-related costs did not drastically decrease, if at all. A benefit that entirely overwhelmed
ServiceSAs expectations was their marketing expectations. This not only includes the ease of mind clients have
regarding their investments in ServiceSA, but also the market share they have gained by delivering these services
to clients. The expectations that BankSA had when implementing IT governance, were extremely business-
oriented; unlike the previous two organizations discussed. The alignment of IT and business strategy was the
foremost motivation for BankSA to implement a framework. Differing from EduSoft and ServiceSA, BankSA
makes extensive use of IT in order to achieve their business goals. Thus, BankSAs primary objectives are

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

business-oriented, and not IT-oriented. Almost five years after BankSAs initial IT governance framework
implementation, they are still in the process of aligning IT, in order to complement their business strategies.
Even though BankSA admits that it hasnt yet reached the point of total satisfaction, its progress for an
organization of its magnitude is more than satisfactory. BankSA confesses that they have hoped to see more
confident IT decisions being made by business representatives one benefit IT governance failed to deliver.
LikeServiceSA, BankSA also failed to cut IT costs drastically by implementing IT governance. Some of the
main benefits BankSA did achieve by implementing an IT governance framework are: increased value from IT
investments, secure shareholder investments and the prioritization of IT projects by business representatives. In
total, BankSA claims to have achieved a superb 91% of the theoretical benefits identified before implementation.

INTERPRETATION OF THE RESULTS

Only three benefits were expected and achieved by the two organizations that have implemented an IT
governance framework. These benefits are:
Decreased risk management
Best practice of IT functions
Clear allocation of roles and responsibilities for IT functions.
One benefit was commonly expected, but failed to materialize, namely controlling and lowering IT costs. The
two organizations that have successfully implemented an IT governance framework both indicated that their IT-
related costs did not drastically decrease, if at all.
Another interesting observation is the fact that both the IT organizations, EduSoft and ServiceSA, did not
convincingly recognize the Alignment between IT and business strategies as a prime expected benefit resulting
from the implementation of an IT governance framework.
The percentage of theoretical benefits expected by practitioners, that have materialized, is presented in Figure
5.1. An average of 54% of the theoretical benefits promoted by the literature, were recognized by organizations
as benefits they expected; which makes it reasonable to state that organizations do not implement IT governance
for the diverse benefits promoted by the literature. However, 81% of the benefits the organizations did
anticipate, have materialized.

EXPECTED BENEFITS MATERIALIZED BENEFITS

Figure 5.1 Expected and Materialized Benefits

CONCLUSIONS AND RECOMMENDATIONS

This final section contains the conclusions from this research and makes recommendations for further research.

Organizations are uncertain about the management of IT governance.

The empirical study indicated that the perspectives organizations have on the management of IT governance are
inconsistent with the literature. This conclusion is supported by the fact that organizations have clearly
identified management-related factors as possible threats to the success of an IT governance framework.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice
Organizations implement an IT governance framework to achieve only a limited or specific number of
benefits as promoted by the literature.
The literature propagates a lengthy list of possible benefits organizations can achieve by implementing an IT
governance framework. It was found that in practice, organizations only identified a few benefits as the
motivation to implement a framework. It would seem that organizations implement IT governance with the main
objective of solving specific problems within their organizations, rather than preventing future IT-related
failures. Even though organizations do implement IT governance to prevent future IT-related failures, it is not
their main motivation.

The majority of benefits anticipated by organizations before the implementation of an IT governance

framework, eventually materialized.
Even though the list of expected benefits by organizations is relatively limited compared to the list propagated by
the literature, most of the expected benefits eventually materialized. The time period for organizations to
achieve these benefits is unique to each organization. The empirical study suggested at least one year for an
implemented IT governance framework to deliver its first benefits.

Organizations do not experience a drastic decrease in IT-related costs by implementing an IT governance

framework.
This benefit is strongly promoted by the literature, but in practice fails to materialize. However, even though
organizations IT costs remain much the same after the implementation of an IT governance framework, they
now achieve much more value from IT initiatives than previously. Value, for example, includes more IT
projects within the same budget as well as better IT management with less effort.

IT organizations do not implement IT governance frameworks with the aim of aligning business strategies
with IT initiatives.
This result is unexpected, as the main definition of IT governance is to aim and align business and IT strategies.
The researchers concluded that, for IT organizations, information technology is the business they conduct with
clients and therefore their business and IT would automatically be aligned. In other words, because IT
organizations prime product or service offered to clients is information technology (e.g. development of
software), and not a means of complementing a non-IT-related product or service (e.g. financial services), their
IT and business is integrated by default.
Based on the comparison between the literature and the empirical study, the researchers identified a limited
number of similarities between the organizational perspectives of IT governance and the viewpoints of the
literature. Therefore, the majority of topics discussed in this research indicated an inconsistency between the
organizations and the literature. Consequently, the researchers are of the opinion that the organizational
perspectives of IT governance are not consistent with the viewpoints of the literature.

REFERENCES
1. ANTHES, G.H. 2004. Model Mania. Computer World (US), 8 March 2004, vol.38, no.10, p.41-44.
2. BARTON, N. 2004. This Years Model: Performance Improvement Complements IT Best Practices
Frameworks. [Online]. Available: http://www2.cio.com/analyst/report2669.html [Cited 9 August 2004].
3. BURN, M.J. & SZETO, C. 1999. A comparison of the views of business and IT management on the
success factors for strategic alignment. Information and Management, 28 September 1999, vol.37, no.4,
p.197-216.
4. CALDER, A. & WATKINS, S. 2002. IT governance: data security & BS 7799/ISO 17799: a manager's
guide to effective information security. London: Kogan Page.
5. CARROLL, P., RIDLEY, G. & YOUNG, J. 2004. COBIT and its utilization: a framework from the
literature. System Sciences, January 2004, p.233-240.
6. CENTRAL COMPUTER AND TELECOMMUNICATIONS AGENCY. 2002. Service Support. London:
The Stationery Office.
7. EXLER, R. 2003. IT governance frameworks. [Online]. Available:
8. http://www2.cio.com/analyst/report1559.html [Cited 16 June 2004].
9. HOFFMAN, T. 2003. Disparate views of IT governance spark debate. Computer World (US), 5 May
2003, vol.37, no.18, p.14.

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006
Wessels and van Loggerenberg IT Governance: Theory and Practice

10. HWANG, J.D. 2002. Information resources management: new era, new rules. IT Professional,
November/December 2002, vol.4, no.6, p.9-18.
11. IT GOVERNANCE INSTITUTE. 2000. COBIT 3rd edition executive summary. [Online]. Available:
http://www.isaca.org/execsum.pdf [Cited 28 June, 2004].
12. KAN, A.R. 2003. Managing a multi-billion dollar IT budget. Software Maintenance, September 2003, p.2.
13. KIM, G. 2003. Sarbanes-Oxley, Fraud Prevention, and IMCA: A Framework for Effective Controls
Assurance. Computer Fraud & Security, September 2003, vol.2003, no.9, p.12-16.
14. KOCH, C. 2002. The powers that should be Governance. [Online]. Available:
http://www.cio.com/archive/091502/powers.html?printversion=yes [Cited 30 March, 2004].
15. LIN, C. & PERVAN, G. 2003. The practice of IS/IT benefits management in large Australian
organisations. Information and Management, October 2003, vol.41, no.1, p.13-24.
16. NELSON, J. 2004. Corporate governance practices, CEO characteristics and firm performance. Journal of
Corporate Finance, 27 February 2004, p.1-32.
17. OFFICE OF GOVERNMENT COMMERCE. 2002. Application Management. London: The Stationery
Office.
18. PARKER, M.M., PETERSON, R.R. & RIBBERS, P.M.A. 2002. Designing information technology
governance processes: diagnosing contemporary practices and competing theories. System Sciences,
January 2002, p.3143-3154.
19. PATEL, N.V. 2002. Global e-business IT governance: radical re-directions. System Sciences, January
2002, p.3163-3172.
20. PATEL, N.V. 2003. Health informatics governance: researching deferred IS/IT mechanisms. System
Sciences, January 2003, p.244-250.
21. ROSS, J. & WEILL, P. 2004a. Recipe for good governance. [Online]. Available:
22. http://www.cio.com/archive/061504/keynote.html [Cited 3 April, 2004].
23. ROSS, J. & WEILL, P. 2004b. Ten principles of IT governance. [Online]. Available:
http://hbswk.hbs.edu/tools/print_item.jhtml?id=4241&t=strategy [Cited 12 November, 2004].
24. SCHWARZ, A & HIRSCHHEIM, R. 2003. An extended platform logic perspective of IT governance:
managing perceptions and activations of IT. Journal of Strategic Information Systems, 2003, vol.12, no.12,
p.129-166.
25. SIRIRAM, R. & SNADDON, D.R. 2003. Verifying links in technology management, transaction processes
and governance structures. Technovation, 3 October 2003, p.1-17.
26. SOHAL, A.S. & FITZPATRICK, P. 2002. IT governance and management in large Australian
organisations. International Journal of Production Economics (Elsevier Science), 2002, vol.75, no.1, p.97-
112.
27. VAN GREMBERGEN, W. 2003. Introduction to the minitrack "IT governance and its mechanisms"
HICSS 2003. System Sciences, January 2003, p.242

Proceedings of the Conference on Information Technology in Tertiary Education, Pretoria, South Africa, 18 20 September
2006