
10/27/21

Governance and Strategic Management of Digital Business
(G&SM of DB)
TJS8 (UTU/TSE) – 457655 (ÅA)
Lecture 2: IT Governance - Corporate Governance
Influenced Principles Applied to Govern IT Management
Tomi Dahlberg, Ph.D.
Professor (Management of Digital Business), Board Professional

Fall 2021 Email: tomi.dahlberg@utu.fi, phone +358 50 550 5718


1 G&SM of DB ÅA: 457655 & TSE: TJS8 / Fall 2021 ©Tomi Dahlberg
Lecture 2 - Contents
1. Introduction: From strategic objectives to IT governance
2. IT governance executed by an (IT) governance body means the
“management of IT management”
3. The six best practice principles of IT governance (ISO/IEC
38500)
4. Structures, processes and relational mechanisms - the
implementation of IT governance
5. The past, present and future of IT governance research and
practice
1. The strategy analysis and strategy process of an enterprise starts by establishing an understanding about the competitive landscape of an enterprise – the RBV approach
✓ Establish understanding about the competitive landscape of an enterprise:
– Industry and its business drivers such as economic development, customer expectations and behavior, market
actors and entrants, technology development, regulatory development, … (or Porter’s five forces)
– Assess the strengths and weaknesses of the enterprise’s capabilities (=resources) and competencies (=ability to
use resources) as well as business opportunities and threats / vulnerabilities

✓ Digital strategy means that IT, OT and digital data strengths and weaknesses are
amalgamated into business strategy – IT is not considered afterwards with a separate process
– IT, OT and digital data (technology) are the enablers for the activities that an enterprise carries out, combined with
workforce and capital, and the means to transform enterprises

✓ So-called Resource Based View (RBV) with its variations, e.g. blue ocean strategy, is
currently the dominant strategy approach
– What are the rare, difficult to imitate and difficult to migrate resources and capabilities that create value to
customers so that they distinguish our enterprise from our competitors in the eyes of our stakeholders and by
doing that establish competitive advantage


Deep understanding about the competitive landscape of the enterprise is then turned into strategic objectives and their implementation plans
Typical strategic objectives of an enterprise (and its divisions / businesses) over a given
period of time with concrete measurable metrics:
– Increase market share, revenues (financial)
– Increase profitability, e.g. cut costs to increase EBITDA, ROA, (financial)
– Offer more competitive products, services, designs, … (customer)
– Sustain agility in responding to market changes (customer)
– Improve customer care time to reduce churn and to increase loyalty (customer)
– Automate and integrate processes internally and externally (internal processes)
– Harmonize technology and data (internal processes)
– Bring new innovative products and services to markets (learning and growth)
– Acquire new skills and competences and/or strengthen existing (learning and growth)

Establish implementation programs, projects, must win battles (something
comparable) with concrete objectives - and agree accountabilities for their
achievement, which is the first step of (corporate and IT) governance

During the strategy process it is often necessary to consider where improvements and renewals are needed

[Figure: strategy revision loop. Elements: Vision & Values; Drivers; Corporate strategy; Business strategy; Business model; Operative Model & Strategic choices; Results are short of targets. Feedback labels: Renewal of vision and businesses; Revise, change Business strategy; Revise, change How we make money; Revise & improve ways to operate.]


The role of corporate and IT governance is to agree how the strategy of an enterprise is implemented
✓ The board of an enterprise representing owners is typically accountable (=owner) for the
strategy of an enterprise and management (e.g. CEO, C-level executives and their
committee) is accountable for the implementation of the strategy

✓ Corporate governance can be seen as a contract between owners and the management
on how to implement the strategy of the enterprise in order to achieve the strategic
objectives and how to divide the achieved benefits between owners and the
management

✓ Contents from strategy perspective
– What are the business objectives and their measurable success metrics?
– Who are accountable for the achievement of the business objectives?
– What are the capabilities and competencies (e.g. processes) that lead to the achievement of
business objectives?
– What risks could jeopardize the achievement of the business objectives and how are such
risks mitigated?


Corporate and IT Governance is a contract between the providers of funds (investors, owners) and the management (the users of the funds)
Shleifer and Vishny (1997, p.741)
“In most general terms, the financiers and the manager sign a contract
that specifies what the manager does with the funds, and how the returns
are divided between him and the financiers. Ideally, they would sign a
complete contract, that specifies exactly what the manager does in all
states of the world, and how the profits are allocated”.

The signing of a complete contract is impossible in practice due to various uncertainties.
“Therefore, investors and the manager agree on control rights, which are
used to respond to uncertainties as they occur. The activities of setting
objectives, agreeing accountabilities and putting controls in place to
secure the achievement of objectives have become descriptive
characteristics of corporate governance.”


OECD offered a practical definition for corporate governance (in 1999)
Corporate governance (enterprise/ organization governance)
✓ “Is the system by which business corporations are directed and controlled
• Corporate governance structures specify the distribution of rights and
responsibilities among different participants in the corporation, such as, the
board, managers, shareholders and other stakeholders,”
= Allocation of rights and responsibilities
• “and spells out the rules and procedures for making decisions on corporate
affairs.”
= Description of decision-making processes and the achievement of objectives
• “By doing this it also provides the structure through which the company
objectives are set, and the means of attaining those objectives and monitoring
performance.”
= structure for objective setting, monitoring and related reporting
(OECD Principles of Corporate Governance, April 1999)


Governance of IT extends Corporate Governance to IT - and could be described with practitioners’ concepts as
✓ Agreement on how responsibilities for the most important “uses” of IT (OT and
digital data) in an enterprise are arranged
– Between enterprise head-quarter executives (including function heads)
– Business unit executives
– IT function / unit executives

✓ Agreement covers the selection of IT services (hardware, software,
communication, support services, …), their development (=implementation and
development maintenance) and operations (=usage and corrective
maintenance) as well as the steering of IT services (=strategies and
architecture)

✓ Agreement specifies how the execution of responsibilities is mandated /
allocated, directed and reported with measurable metrics


IT governance could also be described in this way as ISACA did in 2003 and Weill and Ross did in 2004

✓ The purpose of IT governance is to
– “enable both business and IT to execute their responsibilities in support of
business and in the creation of business value from IT investments (ISACA).”

✓ The benefits of IT governance
– “IT governance effectiveness is positively associated with organizational
performance (Weill and Ross)”
– Performance is measurable e.g. with the balanced scorecard dimensions (Van
Grembergen and De Haes 2009)
• Financial benefits
• Customer benefits
• Learning and growth benefits
• Internal and business process benefits


2. IT Governance Means the Management of IT Management: Picture shows how they are related (Weill and Ross, 2004)

[Figure: IT Governance and IT Management placed on two axes: Business Orientation (Internal, External) and Time Orientation (Present, Future).]


IT Governance process consists of EDM and IT Management of PDCA tasks (ISO/IEC 38500)

Governance Body: EDM
– Evaluate
– Direct
– Monitor

Management Body: PDCA
– Plan
– Do
– Check
– Act


“Corporate Governance of Information Technology
Framework for good corporate governance of IT”

Model
Directors (=governance body) should govern IT through three main
tasks:

1. Evaluate the current and future use of IT

2. Direct preparation and implementation of plans and policies to
ensure that the use of IT meets business objectives

3. Monitor conformance to policies, and performance against the
plans


Well implemented IT governance improves enterprise performance
✓ Enterprises which govern their IT excellently have been discovered (Weill &
Ross, 2004, n=256) to:
– Receive 40 % more value from their investments in IT
– Grow 20 % faster measured with revenue growth and show 20 % higher profitability
– Be able to learn and adapt better in their IT related activities

✓ Enterprises which have aligned their business and IT and also run IT
efficiently on the basis of a solid architecture (Shpilberg et al., 2006, n=503)
use less money and receive more value from IT:
– Enterprises where IT is aligned to business without solid architecture suffer from the so-called
”IT alignment trap”. They use more money to receive less

✓ Ability of enterprises to achieve competitive benefits from the use of IT is
polarized to the ends of the value creation scale (E&Y and TD, 2008 and 2009):
– Only a small fraction (10-20%) of Finnish enterprises had received strategic benefits from
the use of IT and showed capabilities to manage IT strategically

✓ The use of IT governance best practices improves the alignment of business
and IT (De Haes and Van Grembergen, 2009)


3. Governance bodies need to follow six principles in the governance of IT (1) (ISO/IEC Standard 38500 family)

Principles of IT governance (ISO/IEC 38500:2017)

1. Responsibility: Individuals and groups within the organization understand and accept
their responsibilities in respect of both supply of, and demand for IT. Those with
responsibility for actions also have the authority to perform these actions.

2. Strategy: The organization’s business strategy takes into account the current and
future capabilities of IT; the strategic plans for IT satisfy the current and ongoing
needs of the organization’s business strategy.

3. Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate
and ongoing analysis, with clear transparent decision making. There is appropriate
balance between benefits, opportunities, costs, and risks, in both the short term and
the long term.


Governance bodies need to follow six principles in the governance of IT (2) (ISO/IEC Standard 38500 family)

Principles of IT governance (ISO/IEC 38500:2017)

4. Performance: IT is fit for purpose in supporting the organization, providing the
services, levels of service and service quality required to meet current and future
business requirements.

5. Conformance: IT complies with mandatory legislation and regulations. Policies and
practices are clearly defined, implemented and enforced.

6. Human Behaviour: IT policies, practices and decisions demonstrate respect for human
behaviour, including the current and evolving needs of all the ‘people in the process’.


The ISO/IEC 38500 IT Governance has proved to be influential globally, within the EU and Finland
- legal regulatory status within the EU & Finland
✓ ISO/IEC 38500:2008 was accepted via the so-called fast-lane acceptance within ISO and IEC as an
international standard by adopting an Australian national standard as the base (now 38500:2017)
✓ Soon 38501 (reference model) and 38502 (implementation guide) followed, each now with one update
✓ Implemented into ISO/IEC 20000 (Management of IT services) and ISO/IEC 27000 (Management of
data security)
✓ Governance of data standard 38505 part 1 and part 2 were accepted in 2017 and 2018 – extend
38500 to the governance of data
✓ Governance of artificial intelligence is in draft phase after work started in 2018 and governance of IT
projects was accepted as new work item project in 2019
✓ The reference model has been implemented to the TOGAF architecture framework
✓ The principles and the reference model are implemented into the COBIT framework

✓ ISO/IEC 38500 and 38505 accepted as CEN (European) and SFS (Finnish) standards and translated
into Finnish

✓ Academic research includes research on IT network and IT ecosystems governance


4. Issues considered when IT governance is implemented – there is a separate lecture on each topic
✓ How Business and IT are aligned
– How business impacts IT and vice versa

✓ How IT decision making rights are arranged and agreed
– For key IT decisions, cascade down to other areas such as digital data related
decisions, IT services decisions, Cyber security decisions, etc.

✓ How IT function is organized with links and relations to business
– CIO-CEO, CIO-executive committee, CIO-Board of directors, IT-function –
business units, IT-function – other functions such as marketing, IT
professionals – other professionals

✓ How the business value of IT is measured and reported (benefits
realization)
– IT performance (e.g. costs) and business impact / value (e.g. revenue growth)


Weill and Ross (2004) defined five key IT decision areas in their matrixed approach to IT governance framework for which accountabilities need to be agreed

IT Principles Decisions
– High-level statements of how IT is used in the business

IT Architecture Decisions
– Organising logic for data, applications and infrastructure captured in a set of policies, relationships, and technical choices to achieve desired business and technical standardisation and integration

IT Infrastructure Decisions
– Centrally coordinated, shared services that provide the foundation for the enterprise's IT capacity

Business Application Needs
– Specifying the business need for the purchased or internally developed IT applications

IT Investment and Prioritisation Decisions
– Decisions about how much and where to invest in IT, including project approvals and justification techniques


In the Finnish SteerIT process model (2005), six IT governance process areas are
used to share the responsibility between corporate, business and IT executives and
measure the maturity of each of the 28 process tasks

[Figure: SteerIT process model]
Phases: Planning, Execution, Evaluation
Contingency Factors:
– Competitive strategy and business objectives
– Beliefs about IT
– Governance of business, business practices, organizational and performance measurement culture
Process areas:
1. Benefits and Costs (=Business Value of IT Use)
2. Opportunities and Risks (= Business Value of IT opportunities)
3. Alignment of Business and IT
4. Monitoring of IT Resources, IT Risks and IT Management
5. Monitoring of IT Performance Measurement
6. IT Governance Development (=Perceived Status of IT Governance)


In SteerIT, the CMM model (Capability Maturity Model) is applied to evaluate the maturity of IT governance – here it is shown in the context of IT strategic planning
✓ 0 – Non-existent
– IT strategic planning is not performed
✓ 1 – Initial ad hoc
– The need for IT strategy planning is recognized but there is no structured business
process in place
✓ 2 – Repeatable and intuitive
– IT strategic planning is understood, performed but not documented or communicated
systematically
✓ 3 – Defined process
– A policy defines how and when IT strategic planning is conducted, IT strategic planning
follows a structured approach known to all
✓ 4 – Managed and measured
– IT strategic planning is a standard procedure and exceptions would be noticed by
management, comparisons to peers are done
✓ 5 – Optimized
– IT strategic planning is a documented living process, is continuously considered in
business goal setting and results in discernible business value through investment in
IT, comparisons to peers demonstrate that the enterprise is among the highest quartile


Structures, processes, and relational mechanisms are IT governance practices used to implement ITG (Van Grembergen)

[Figure: Structures, Processes and Relational mechanisms arranged around Alignment]

Structures
Examples: IT organization, CIO’s role, IT steering groups, …

Processes
Examples: strategic IT planning, (IT) balanced scorecard, SLA, COBIT, …

Relational mechanisms
Examples: discussions between most important stakeholders, job rotations, premises, …

These concepts have been adopted from organizational theory

Structure, processes and relational mechanism
practices – with the concepts of a layman

✓ An organization with a hierarchy or agreements on who makes various IT decisions are
structures
– Structure is needed to define boundaries – e.g. what do we govern
– Structure is needed to split a whole into manageable pieces – e.g. key IT decision-making
areas

✓ Processes describe sequences of tasks carried out by an organization with objectives
that describe the expected outcomes of performing tasks and expected benefits
– The governance of the planning, development and operation of an IT service is an example

✓ Relational mechanisms describe how the skills and competencies of people with
different education, experiences, values and beliefs are brought together to execute a
governance process within a governance structure


On-site lecture
The article of De Haes and Van Grembergen (1)
✓ The (research) ideas of the article

RQ1: How are organisations implementing IT governance?
RQ2: What is the relationship between IT governance and business/IT alignment?

[Figure 1. Research framework: IT Governance (Structures, Processes, Relational mechanisms) and Business/IT alignment.]

IT governance practices
The success of Business-IT alignment

Excerpt from the article shown on the slide (the beginning and the right-hand column are cut off at the slide edge):
… functions” (Peterson, 2003) (e.g. steering committees). IT governance processes refer to “formalisation and institutionalisation of strategic IT decision making or IT monitoring procedures” (Peterson, 2003) (e.g. IT balanced scorecard). The relational mechanisms finally are about “the active participation of, and collaborative relationship among, corporate executives, IT management, and business management” (Peterson, 2003) (e.g., training).

What was discovered in the article of De Haes and Van Grembergen
✓ Baseline IT governance practices in Finance industry (Belgium)

Table 8. Key Minimum Baseline
S6 IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
P3 Portfolio management (incl. business cases, information economics, ROI, payback)
P9 IT budget control and reporting
R8 IT leadership
S9 IT project steering committee
S5 CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
P8 Project governance / management methodologies

QUESTIONS:
1. What was interesting in the article? Valuable?
2. What do you think of these baseline IT governance practices?
3. Did IT governance practices improve business-IT alignment?
4. Could this approach be used in other contexts?

Excerpt from the article page shown on the slides (“IT Governance Implementations and its Impact on Business/IT Alignment”, p. 135):

… issues. During the interviews, three out of four organisations stated that board involvement in IT governance is not feasible and probably not required. The representatives of the shareholders are more concerned with the core financial services activities and less worried about (operational) IT issues. Another IT governance practice that was indicated as not being relevant for alignment purpose was “COSO/ERM.” While the latter was recognised as probably a very good framework for general internal control, the value for governance or impact on alignment did not appear at all.

Conclusions

As a general conclusion of this exploratory study, this research revealed that IT governance is indeed high on the agenda. Our research suggests that there is a clear relationship between the use of IT governance practices and business/IT alignment. It appeared that highly aligned organisations do indeed leverage more mature IT governance practices compared to poorly aligned organisations.

Some detailed conclusions were drawn regarding IT governance structures, processes and relational mechanisms. It was demonstrated that it is easier to implement IT governance structures compared to IT governance processes. It also appeared that relational mechanisms are very important in the beginning stages of an IT governance implementation project and become less important when the IT governance framework is embedded into day-to-day operations. For some specific IT governance practices, the research provides indications that contradict existing literature. A good example is the involvement of the board of directors in IT governance, which is promoted by many authors in literature, but was not supported in this research. This research also provides a key minimum baseline of seven IT governance practices that each organisation at least should have and supplement with practices that are highly effective and easy to implement. When an organisation wants to implement these practices, it has to make sure that at least a maturity level of two is obtained, to ensure that it positively impacts business/IT alignment.

Recommendations for Practitioners

A recommendation to practitioners resulting from these findings is that the best approach to implement IT governance is to start with setting up these seven key minimum baseline IT governance practices. This core set of practices should be supplemented with other key practices that are highly effective and relatively easy to implement. At the initial stages of such IT governance project, sufficient attention should be given to relational mechanisms to ensure commitment of all the involved people in the process. Once the “governance culture” is embedded in the implemented structures and processes, these relational mechanisms require less attention.

Future Research

It was explained in the beginning of this manuscript that the focus of this research was on the Belgian financial services sector only, negatively impacting the generalisability of this research. However, it can be expected that many conclusions might apply to other sectors as well. Further research could support that assumption but should also address the impact of specific contingencies such as industry, geography, size of the organisation and/or IT department, business strategy, etc.

In addition, this research is based on a “snapshot in time,” and future research could be dedicated to verify how implementations evolve over time. For example, this research provides indications that relational mechanisms are more important in the initiating phases of IT governance, but monitoring an organisation over time could provide valuable data to support or refute this statement.

Finally, it should be noted that this research is exploratory in the first place instead of hypothesis testing (amongst other reasons due to the small sample size). It does however provide some interesting potential hypotheses to be tested in further (parametric and/or non-parametric) statistical correlation research, for example to further validate the accuracy of the defined key minimum baseline for IT governance. Larger data sets, potentially also covering more internal and external contingencies, are required to enable this more statistical approach.

5. The past, present and future of IT Governance
For what reasons did the IT governance concept emerge? Research related reasons

Theoretical work in academic research 1990s->
✓ Need to solve the so called ”IT investment paradox” according to which investments into IT had
not materialized in productivity increase
✓ IT value creation research (how does IT create value to business, IT
balanced score card research)
✓ IT organization principles research (what is an ideal organization model
for IT)
✓ Business and IT alignment research (what are the issues of business
and IT alignment which are related to business value delivery)


For what reasons did the IT governance concept emerge? Practice related reasons
✓ The ever-increasing role of IT
– Need to measure the business impact of IT
– Need to better manage business processes enabled by IT
– Need to offer products and services enabled by IT (developed in time, with
anticipated costs and business objectives met) with ability to produce (IT service
production management for IT-enabled parts)
✓ Management needs to direct and control IT costs, risks and value creation
✓ Corporate financial disclosure needs – especially risk (auditors, internal auditors)
✓ ”Maintenance mess” of IT and IT’s increasing responsibilities
– How to share the burden with business executives
– How to apply best practices documented in ”IT governance” methods

✓ ISO/IEC 38500:2008 was accepted rapidly as an international standard by
adopting an Australian national standard as the base (now 38500:2015)


IT governance responsibilities and tasks – executive and managerial levels (COBIT 2003->)
CobiT’s IT governance perspective
(= shared responsibility of corporate, business and IT executives)

✓ The strategic alignment between IT and business strategy
✓ IT delivers business value
✓ IT risks are evaluated and mitigated
✓ IT is resourced so that the allocation of resources is optimal
✓ IT performance and service quality is managed

[Figure: IT Governance at the centre, surrounded by Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement.]


For what reasons did the IT governance concept emerge? Regulatory Frameworks related reasons
✓ The Report of the Committee on the Financial Aspects of Corporate
Governance (Cadbury Report, 1992)
– Focus on financial reporting – embedded requirements for boards to investigate the
depth of their enterprise’s reliance on IT
✓ The Bank of International Settlements (BIS) Enhancing Corporate Governance
in Banking Organisations (1999)
– Specific governance framework (Basel II) – applied to IT as well, as IT is seen as a major
source of operational risks
✓ Sarbanes-Oxley Act (after Enron etc., Disclosure of Risk Information to
Securities Exchange Commission, SEC, and enterprise stakeholders)
– Several specific recommendations (read requirements) for IT Governance
information disclosure included
• IT risk disclosure according to COSO (The Committee of Sponsoring Organizations of the
Treadway Commission) requirements. CobiT fulfills COSO (=CobiT for SOX)

✓ Currently, for example, in finance industry IT governance as the means to manage and
mitigate operational risks is included in the Basel regulatory framework (banks) and in
the solvency risk management framework (insurance companies)


The theoretical and practical basis of the IT governance concept emerged decades ago

The theoretical basis of IT governance (single organization) rests on
✓ Organization theory
✓ Information systems science research on IT management and IT risk
management
✓ Corporate governance – IT governance is a part of corporate governance
and corporate risk management
✓ Balanced Scorecard (and strategy maps) where information is seen as one of
the resources used by enterprises

Several IT governance methods have been developed or been renamed as
(partly) IT governance methods. Frameworks and methods such as COBIT
and ITIL have been developed by IT professionals and experts since the
1980s/1990s. The input of academic researchers has been indirect or limited


Examples and ongoing work in IT governance practice and research
✓ IT governance research and body of knowledge has mainly covered
IT governance within a single organization
– This is sometimes called vertical governance
– Need to extend IT governance to other types of governance arrangements
• Governance between two organizations (e.g. buyer and supplier)
• Hierarchical governance between several organizations (e.g. a buyer and
several suppliers)
• Relational governance between several organizations (e.g.
eCommunities, eMarkets, platforms, voluntary IT cooperation)
✓ Governance of data
✓ Governance principles applied in IT service management, Artificial
Intelligence, Information Security, Blockchain (ISO/IEC projects)
✓ Increase the clarity of IT governance concept beyond cost savings


An Example of recent study at TSE:
Inter-Organizational ICT Cooperation within Municipal Regions in Finland
Ph.D. dissertation by Ari Helin 2020
Including several Conference articles and two journal articles

By Tomi Dahlberg (tomi.dahlberg@utu.fi) and Ari Helin (ari.helin@utu.fi)

Why cooperate in ICT (cooperation is a prerequisite to inter-organizational IT governance)
ü Why do organizations, in this case municipalities, cooperate? What are their economic and
other expectations about the outcomes / benefits?
– Are we better off by cooperating with others than by doing things ourselves?
ü Transaction cost economics (TCE) theory (e.g. Coase, Williamson)
– Predominant theoretical framework for explaining organizational boundary decisions
(make, buy, ally)
– Describes that if services are similar, their volume is large or very low and it is possible to
lower uncertainty, then buying or cooperation is beneficial (market or network governance)
– Benefits are received through lower transaction costs (economic and non-economic)
ü Resource based view (RBV, e.g. Penrose, Barney)
– Often seen to supplement TCE since enterprises also aim to achieve more value
– Describes that if an enterprise is better able to create unique, non-transferable and
difficult-to-imitate resources through cooperation, then it is beneficial for the enterprise to do so, as
the resources available to the enterprise define the value potential of the enterprise
– Benefits are received through increased value of services (revenues, fees, quality,…)
-> What benefits do municipalities expect to receive, and what benefits do they receive?

How to implement ICT cooperation and
governance in municipalities
ü IT governance research (e.g. De Haes and Van Grembergen)
– Describes that IT cooperation and its governance are implemented with structure, process and cooperation
practices. In a single organization typical “best” practices are:
– Structure:
• IT strategy committee at the level of executives
• IT steering committee on IT investment prioritization, evaluation, …
• IT project steering committee
• CIO (Chief information officer) on executive committee
• CIO reporting to CEO (Chief executive officer) or COO (Chief operating officer)
– Process:
• IT strategy process
• IT budget control and reporting process
• Projects executed by following a project management methodology
• Portfolio management process (business case, ROI, payback, stage gating)
– Cooperation mechanism:
• IT leadership coordination
-> How do municipalities cooperate? Are practices the same as those used in single enterprise contexts?


What factors influence cooperation willingness


ü Although economic, social and other cooperation benefits are recognized and there
would be willingness to cooperate, that does not always happen. What influences
whether cooperation happens (between municipalities) or not?

ü The constructs of social network theory by Granovetter are useful as descriptors


– The construct of “ties” is used to describe the flow of information and resources between social groups in
a network, such as municipalities
– Density of ties, strong and weak ties:
• Strong ties are established in one’s own social group (e.g., in a municipality) and appear in the form
of shared goals, values, beliefs, norms etc. High density of ties strengthens (strong) ties.
– Significance of weak ties
• Information and resources between social groups (e.g. municipalities) flow through weak ties and
create trust necessary to share goals, values, beliefs, norms etc. and to cooperate
– Structural holes - if there are no ties between social groups there is a structural hole
• It is even more important to have ties than to consider the nature of ties for cooperation to happen.
Mediation, such as coordination mechanisms or impartial trusted third parties, could be used
– Social nature of ties – cooperation needs to generate social benefits in addition to economic benefits
-> What kind of connections and ties exist between municipalities?


Questions and comments

tomi.dahlberg@utu.fi
+358 50 550 5718

Appendix. A tool for the IT management toolbox – the PDMA or PDMCA model is followed in most IT management frameworks

[Figure: the PDMCA cycle – PLAN and set targets; DEVELOP/DO the planned; MANAGE / operate; Measure and COMPARE; ACT to improve]

The PDMA (or PDMCA) model is applied in most IT management methods and frameworks
The PDMA/PDMCA model is known as the management cycle in organizational research
The Deming cycle Plan-Deliver-Compare-Act follows a similar cyclical process model


Additional IT Governance questions to be considered by you and/or discussed if time allows
1. IT governance (enterprise governance of IT) separates IT governance (look into the future, outside of the
organization, IT business value delivery, alignment of business and IT) and IT management (daily
development, operation and risk management of IT). What do you think of the usefulness of this
distinction between governance and governance body and management?

2. IT builds on corporate governance. The purpose of corporate governance is to ensure, with a contract
between the investor and the management, how the funds provided by the investor are used so that the
investor gets back her/his funds and that proceeds are divided. What do you think of the usefulness of
this approach within IT?

3. Another idea is to involve corporate level executives and business unit executives in the management of
IT by using language that is familiar to them such as business objectives of IT, accountabilities, IT
business value delivery. What do you think of the usefulness of this approach?

4. The maturity of IT governance – and in the reviewed article business-IT alignment maturity – was
measured with the generic CMM maturity model. What do you think about the usefulness of this
approach?
