Professional Documents
Culture Documents
IT Governance Strategy For Intro
IT Governance Strategy For Intro
IT GOVERNANCE: AN ARCHITECTURAL
FRAMEWORK BASED ON CONSOLIDATED BEST
PRACTICES
Thami Batyashe*, Tiko Iyamu*
*Cape Peninsula University of Technology, Cape Town, South Africa
Abstract
Due to the continual increase of the significance of information technology (IT), the need to
provide governance in the deployment, use and management of the artefacts is simultaneously
essential. However, even though different frameworks have been employed, the implementation
of IT governance has never been easy for many organisations. This is attributed to many factors,
such as people, process and technological artefacts. IT governance frameworks differ in one area
or another, making their selection challenging for organisations. As a result, some organisations
have more than one IT governance framework. This, on one hand, sometimes results in
duplication of the frameworks’ functionalities, thereby adding to the environment complexity.
On another hand, some IT governance frameworks are short of functions in regard to the
organisation’s objectives. These challenges are attributed to the lack of an architectural
framework, of consolidated best practices.
7
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
Best practice frameworks assist with the infrastructure and other units of the organisation.
governance of IT deployment, use and management. As such, EA like the other IT components needs to
Several best practise frameworks are available to be managed and governed with the aid of a
manage IT and to assist IT to achieve the business framework such as TOGAF.
objectives, through governance (Terblanche, 2011).
Nelson et al., (2004) argued that while companies in 3. RESEARCH METHODOLOGY
a certain industry may not follow all the best
practices, it is widely accepted that “better” The qualitative method and case study approach
companies follow several or a majority of the best were employed in the research. These selections
practices. Some of the commonly employed were based on the research aim, as stated in the
frameworks by many organisations include COBIT, introduction section. The data was analysed
ITIL and TOGAF. interpretively. Myers (2009) argues that qualitative
Control Objectives for Information and related research method, such as case study enables
Technology (COBIT) according to Tuttle and researchers to study phenomena in their natural
Vandervelde (2007) is a globally accepted set of settings. According to Straub, Gefen and Boudreau
tools and processes organised into a framework that (2004), quantitative research is a series of methods
business executives can utilise to make sure that and techniques that permit Information Systems (IS)
their IT is assisting them to accomplish their goals researchers to respond to research queries about the
and objectives. Lainhart IV (2000) argued that COBIT interaction of human beings and computers. The
is so broad that it cannot be applied to every case study approach was employed in the study. Yin
situation and therefore needs to be customised to a (2003) described a case study as “an empirical
particular environment. Not all control objectives, inquiry that investigates a contemporary
high-level or detailed, will be applicable within all phenomenon within its real-life context. The case
organisations as they will depend on the type of study approach is helpful in examining the why, how
industry an organisation operates in. Although a and what questions (among the question series of:
vast number of processes, activities and who, what, where, how and why), which are queries
responsibilities are described, the connection about the present set of events over which the
between them is not specified, for example, the researcher has little or no control (Moon, 2007).
determined helpfulness of an activity and how that RedLeaf Communications in South Africa was used
is reflected in the featured maturity model as the case study.
(Simonsson, Johnson & Wijkström, 2007). RedLeaf Communications was established as a
However, according to Shivashankarappa et al., government enterprise to provide postal and related
(2012) COBIT has not been greatly effective in services to the South African public. RedLeaf
offering tangible benefits around governance, Communications is a South African organisation
controls, audit and other features of organisational with geographically dispersed operations across the
security as it is time-consuming and too much country. The organisation was founded in 1910. The
resource intensive to implement. Another major organisation employs more than 15,546 employees
shortcoming with COBIT and maybe the main reason and operates more than 2,400 outlets throughout
why the framework is not used more frequently by the country. At the time of the study the
organisations is that a great deal of knowledge about organisation consisted of four (4) core divisions and
the framework is needed in order to apply it as a subsidiaries and five (5) support divisions (corporate
tool to support IT governance or evaluate an services). The support divisions are IT, transport
organisation’s IT performance. Hence, a number of services, business support, including finance and
organisations may choose to tailor the information, audit; properties and a retail division.
making it applicable to their specific environment The researcher obtained the necessary
(Simonsson et al., 2007). permission to conduct the study from the
While COBIT is argued to describe what has to appropriate authorities at the organisation, RedLeaf
be done, Information Technology Infrastructure Communications. A total of ten (10) participants
Library (ITIL) provides the practical steps to answer were interviewed. The participants or employees
how it should be done and who should perform each were labelled as follows: RL00 to RL09, for
task (Van Grembergen, De Haes and Gultentops, confidentiality purposes.
2003). One of the major challenges of any Two sets of data were collected based on the
framework is lack of commitment and support from objectives of the study. Both sets were qualitative,
management who do not understand the key role but used different techniques and approaches. The
they must play to support other processes. first set of data was textual, involving
Attracting and justifying funding for ITIL training is documentation relating the different types of
a challenge, since it is typically out of sight of the frameworks. This data was collected from the
customer units. According to Pollard and Cater-Steel vendors and owners of the products. This was
(2009), critical success factors attributed to the primarily to understand the attributes of the various
successful implementation of ITIL include, amongst frameworks and draw contrasts among them. The
others, executive management support, second set of data was collected by means of semi-
interdepartmental communication and collaboration, structured interviews, the goal was to understand
use of consultants, training, and careful software how and why certain frameworks were selected and
selection. implemented in the organisations.
Harris (2010) posited that The Open Group Nemutanzhela and Iyamu (2011, p. 244), stated
Architecture Framework (TOGAF) is an enterprise that the “DoI theory communicates technological
architecture framework that proposes an approach innovation through specific networks, over time,
to design, plan, implement and maintain enterprise among members of society”. DoI relates to ways in
architecture. Enterprise architecture (EA), as which technological concepts, objects or methods, or
articulated by Iyamu and Hamunyela (2013), can a new practice of an old one, move from conception
help organisations to construct strategies and to usage (Chigona & Licker, 2008). The Innovation
integrate them with current processes, IT Decision Process in its five stages is a process that
8
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
happens while people take part in a range of three (e.g. COBIT, ITIL and TOGAF) core IT
activities related to choices (Rogers, 2003). The five governance frameworks in the organisation.
stages according to Rogers (1995) include: Both explicit and tacit knowledge has a crucial
knowledge, occurs when people are cognisant influence on the success or failure of an innovation
of innovation and comprehend its meaning; such as the governance framework in an
persuasion happens when personnel and organisation. This is based on how information is
management shows that they favour or do not shared and used in the selection, implementation,
favour the innovation and need to be persuade; continuous improvement and management of IT
decision involves the acceptance or rejection governance frameworks. According to one of the
of the innovation by the people or management; interviewees, “everybody should be knowledgeable on
implementation is when the personnel or how information about IT governance flows in the
management make a decision to employ the organisation. A suggestion would be to set up a
innovation; and community of practice, a forum where people can
confirmation occurs when personnel and share information about IT governance frameworks
management choose to approve or discard their and processes. This is to help us achieve our goal
choice to endorse the innovation. about IT governance in the organisation (RL02,
Chief Information Officer (CIO), IT executive p14:419-422)”.
managers, senior managers and managers were Explicit and tacit knowledge complement each
categorised as senior and the rest of the employees other, meaning both types of knowledge are
as juniors. The researcher was aided by an essential to innovation. As a result, how employees
employee, nominated by the CIO to identify acquired and used their explicit or tacit knowledge is
potential interviewees. The selection of interviewees important to the selection and implementation of IT
was based on two factors, knowledge and governance framework for the organisation’s
availability: strategic purposes. Considering that the application
Knowledge – employees were selected based of knowledge is critical (whether explicit or tacit),
on their knowledge of the organisation, as well as employees need to be educated, primarily because
the subject of the interview. the organisation, through its board of directors
Availability – it was difficult for the (BoD) depend on their expertise, advice and
researcher to have access to some of the employees. recommendation. One of the interviewees explained
as follow: “A representative of the governance team
4. DATA ANALYSIS AND FINDINGS is tasked on advisory role, to advise and recommend
to the board on the need and propose of IT
governance and policies in the organisation (RL05,
As earlier stated, the data analysis was guided by
p51:1737-1738)”.
DoI, from the perspective of Innovation Decision
Employees evaluate the validity and reliability
Process, which includes knowledge and persuasion,
of information manifesting from their knowledge
decision, implementation, and confirmation (Roger,
before providing advice and recommendations to the
2003).
board of directors. An employee described the
evaluation of information as follow: “So it’s iteration;
4.1. Innovation Decision Process: Knowledge it has to be a constantly evolving process. Put
governance in please, constantly do risk assessments
The selection, implementation and use of the IT to evaluate and give feedback, but more important
governance frameworks depended on two main than anything, constantly check for how the
components, resources and skill. The use of company’s adhering to that governance through
resources and skill were based on the knowledge of compliance (RL03, p34:1109-1111)”.
individuals and groups in the organisation. Explicit knowledge without tacit understanding
The resources that were involved in the rapidly loses its meaning. Explicit knowledge
selection, implementation and management of IT therefore has to be reframed or interpreted using a
governance frameworks at RedLeaf Communications person’s frame of reference so that it can be
included both technical and non-technical factors. understood and then internalised or accepted to
The technical factors were mainly technology others. It could therefore be significantly useful in
infrastructures, which consist of hardware and this context, in that the explicit knowledge that is
software. The governance of the infrastructures was required in the selection of an IT governance
based and driven by individual and group knowledge framework could be extended to tacit knowledge
about the technologies. This shaped how that could be applied in innovative ways to facilitate
infrastructures were selected and managed in the the implementation of the IT governance framework
organisation. Some of the non-technical factors in the organisation. However, this was not the case
included processes and people. The processes that in RedLeaf Communications. One of the interviewees
were employed in the governance of IT artefacts explained her opinion: “employees are sent on
were based on individual’s skills, which manifest training, but when they come back they do not
from knowledge. The selection, implementation and practise what they have learnt. As a result, they
use of IT governance frameworks require special forget what they learnt from the training quite
skills and, therefore, not all employees could be quickly, which was a loss to the organisation as it
tasked to undertake the responsibility. impacts their contributions to how IT governance is
The employees who were assigned the tasks of selected, implemented, and managed (RL07, p69:
IT governance in the organisation were formally 2417-2419)”.
trained. The type of knowledge that was gained from The employees who were involved in IT
the training was a mixture of both explicit (codified governance in the organisation were selected based
knowledge gathered from sources, such as on the managers’ discretion and prerogative. This
documentation and databases) and tacit knowledge was based on the power bestowed on the managers
(non-codified, personal or experienced-based, know- in the organisation. Also, the managers used the
how knowledge). The knowledge guided the power to nominate those that could undertake
selection, implementation and management of the
9
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
training on IT governance. Based on the so that whoever has been exposed to that will know
aforementioned there is a need for a repository, to from now on this is how the behaviour needs to be
store and manage knowledge. The repository will be changed (RL01, p10:292-295)”.
enabled and supported by technology. As activities had been conducted in a certain
The IT steering committee is a sub-committee manner for a long period of time, many of the
of the BoD in the organisation. As at the time of this employees were reluctant, or found it difficult, to
study, the committee was responsible for the IT amend or adjust the ways in which they were
strategy and IT governance framework in the carrying out their day-to-day activities. According to
organisation. Some challenges were experienced with one of the interviewees, “employees felt the selection,
the IT steering committee. One of the most critical implementation, and management of IT governance
challenges was that many of the committee frameworks will not add value to their daily
members did not seem to understand the benefits of operations, or to their day-to-day activities. (RL05,
IT governance frameworks in the organisation. As a p49:1658-1662)”
result, IT governance issues were either delayed or With the implementation of IT governance
did not get the attention they needed. This led to frameworks employees need to perform activities
discouragement of many employees who were such as risk assessments and compliance audits.
tasked with IT governance. One of the employees They perceive these activities as being unnecessary
expressed her frustration as follows: “IT governance and cumbersome. The CIO expressed his concerns in
is a top-down approach; as a result, the actions of the this regard as follows: “The first basic challenge I see
top management affect our activities. The IT is people do not understand the risk that is involved
governance framework that we drafted over a year by not following governance. The second is the
ago has not been reviewed until now (RL04, perception about governance is that it’s a
p35:1155-1157)”. cumbersome unnecessary evil (RL07, p68:2367-
The data found critical factors with respect to 2369)”.
the knowledge stage of the Innovation Decision Lack of awareness and knowledge on the part
Process, namely evaluation of information, need for of employees resulted in some of them feeling
a technology repository and education and training. uncertain about the implementation and
management of IT governance frameworks as it
4.2. Innovation Decision Process: Persuasion differed from what they considered the norm. Some
employees had discussed the advantages and
The success or failure of innovation in an disadvantages of the innovations with peers to try to
organisation is influenced and impacted by determine whether the innovation would add value
employees’ buy-in (management included), which is to the daily operational functions. According one of
often a manifestation of persuasion by the focal the interviewees:, “I’m not sure why the organisation
actors. The selection, implementation and selected and implemented IT governance
management of IT governance frameworks frameworks. During a discussion with a colleague I
necessitate a change in the attitudes of employees gathered and understood why the IT governance
towards the innovation. Employees will either frameworks were selected and deployed, and why
believe in or doubt the innovation and thus develop they need to be managed, once deployed (RL06,
either a positive or negative attitude towards it. This p55:2071-2074)”.
was explained by one of the interviewees: “…one of Such persuasion would lead to a change in the
the challenges is the buy-in of key stakeholders, such attitude of some of the employees. Other factors
as your board members, top management, operation that were revealed were exclusivity and bureaucracy.
management and non-management employees The findings showed that there was exclusiveness in
(RL05, p49:1655-1659)”. the manner in which IT governance frameworks was
Employees can be persuaded to buy into an selected and implemented in the organisation. The
innovation by using different means, such as selection, implementation and management of IT
knowledge, awareness and resources. Employees governance frameworks followed a process that was
need to be made fully aware of the situation to considered to be bureaucratic by some of the
enable them to make an informed decision in the employees who were uncomfortable with the kind of
selection and implementation of IT governance. Such bureaucracy that was instituted in the organisation,
awareness can be created through different media, when it came to the selection and implementation of
such as training and internal dissemination of the IT governance framework. According to one of
information, as well as meetings and discussions the interviewees, “…the bureaucracy in the
amongst peers, which can be utilised both organisation is posing a challenge towards the
consciously and unconsciously in getting buy-in or adoption or rejection of an innovation, this includes
persuading employees in the organisation. lengthy processes and procedures which can take up
Reluctance to deviate from the current way of to months to be finalised has a negative impact on
doing things had an impact on the introduction, innovation. By the time a process is finalised some of
selection and implementation of IT governance in us might have forgotten about the primary aim
the organisation. The findings showed that some of (RL08, p76:2638-2642)”.
the employees at RedLeaf Communications One of the consequences of the bureaucratic
preferred to continue doing what they had always process was the long time it took between selecting
done, seeing that it worked for them. This a particular IT governance framework and when it
emphasised the importance of top management was implemented. This led employees to wonder
instituting a persuasion campaign to influence whether implementing the IT governance framework
employees to adopt the selected IT governance would still be relevant to their environmental
frameworks. One employee explained: “There should settings and the organisation as whole, or not.
appropriate workshops, change management, Employees had to make a decision whether to adopt
discussions to say, this is the new compliance or reject the implementation of IT governance
requirement in the organisation and people need to frameworks.
be involved. It has to be a very interactive approach
10
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
4.3. Innovation Decision Process: Decision “…the selection, implementation, and management of
IT governance framework formalise and put a
Decision making is a daily activity in many structure in place for executing initiatives and
organisations, and RedLeaf Communications is not activities. This includes formal policies that were
an exception. On the one hand effective and formulated, to guide decisions that are made. The
successful decisions are associated with favourable policies were needed because they determine the
outcomes in organisations. However, on the other rules which form the standards, and the standards
hand, ineffective and unsuccessful decisions provide guidance for processes and procedures to
generally have unfavourable results. The decision follow (RL03, p 24:772-777)”.
making process is therefore considered to be critical Decision making is a mental as well as
to organisations. One of the interviewees explained: intellectual process, which requires factors, such as
“…people in strategic position make decisions that knowledge, skills, experience and maturity on the
have financial implication, but those decision makers part of decision maker. Thus the decision to adopt
are not held accountable if the decision has a or reject the selection, deployment and management
negative impact on the organisation, in the context of of IT governance framework requires employees to
IT governance (RL06, p52:1767-1765)”. be knowledgeable and skilful and show an interest
Many of the decisions made at RedLeaf in the innovation.
Communications were based on both the Once the decision to accept the selection of the
organisational and IT strategies. The decision in the IT governance frameworks had been made,
selection, implementation, and management of IT execution (implementation) of such decision was
governance framework needed both the embarked upon and employees who had not been
management and employees to consider the positive involved in the decision making participated in the
and negative consequences and impact the implementation of the decision. This had an impact
innovation would have on the organisation’s on how IT governance was viewed in the
strategy. One of the employees explained that the organisation.
decision to select and adopt IT governance
frameworks was based on the IT strategy activities: 4.4. Innovation Decision Process: Implementation
“I think the factors would be determined by the
strategy of the organisation. The IT strategy should The decision to implement IT governance was
be aligned to the organisational strategy. The IT considered to be critical at RedLeaf
strategy will then be able to determine which Communications. This was attributed to the fact that
frameworks we have to use, because we need to know implementation determines the end, which is the
where we are going, and to go there what we need to means. The implementation process involved both
use, what’s going to work for us, and where’s the technical and non-technical factors, such as
industry going as well. And based on that then you practices, structure, culture, hardware, processes
can make your decision (RL08, p76:2646-2652)”. and individuals. This included the roles and
Another interviewee was of the view that the responsibilities of the factors, which were to employ
decisions to select, implement, and manage IT the innovation and ensure that it functioned
governance frameworks were not based on the properly in the organisation.
strategy, because at the time of this study, there was Successful implementation of an innovation is
no strategy in the IT department. The interviewee facilitated by having a supportive structure and a
further explained: “…there were no overarching culture that embraces the deployment and
strategies which inform or guide employees’ activities management of the IT governance frameworks that
in many circumstances, such as the IT governance. were selected. Referring to the structure of the
Employees are not clear on what their mandates are organisation one of the interviewees stated,
and what is expected of them. It causes confusion “Currently, the structure does not allow for smooth
regardless of whether you have sufficient people to operation between IT and business. There are no
support those function or not. If there is no senior clear roles and responsibilities where everybody
management support and strategic direction, it is knows what is expected of them (RL02, p13:399-
going to fail regardless of how good the skills you 402)”.
have, trying to achieve that governance or manage it It was noticeable that the organisational
(RL02, p23:719-724)”. structure was not clear and there was a lack of
However employees were engaged in activities clearly defined roles and responsibilities, as well as a
that manifested in the adoption or rejection of the lack of overarching strategies informing or guiding
IT governance innovation in the organisation. Some people. One of the employees felt that the culture of
employees found it difficult to adopt the IT the organisation was also a resisting factor in
governance frameworks without proper testing, implementing the innovation and said: “I believe that
evaluation, and assessment of its usefulness and fit our internal culture of making someone else
in their environments. According to one of the responsible for something is very evident at the
interviewees: “…people think about process maturity, moment. Processes are discarded and changed by
deliverables, and whether they can use the anyone and everyone, as it suits them to achieve their
innovation (IT governance framework) to better goals. All the members of the IT Management
enable their activities, and more effectively and Committee level should familiarize themselves with
efficiently. And can I test it, also, do I have evidence King III. So that they can discreetly, look at
that I can deliver to show that the innovation is compliance issues. It is not that people are not aware
working (RL04, p34:1212-1214)”. of things, it’s a cultural issue that we have at the
Those employees who tested and evaluated the moment (RL05, p42:1420-1425)”.
IT governance frameworks influenced the decision Evidently, resistance to innovation can be
to have it adopted in the organisation. This was observed even at IT senior management level.
based on the fact that there was a certain degree of Findings showed that some employees used the
advantage for the organisation. One of the IT governance frameworks to a lesser extent as they
employees provided the following explanation: were unsure about the innovation, while those who
11
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
12
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
13
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
14
Journal of Governance and Regulation / Volume 5, Issue 1, 2016
15