Professional Documents
Culture Documents
net/publication/301271831
CITATIONS READS
16 1,945
4 authors:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Tim Huygh on 24 December 2020.
Abstract
This paper empirically investigates how adoption of IT governance and management
processes, as identified in the IT governance framework COBIT 5, relates to the level of IT-
related goals achievement, which in turn associates to the level of enterprise goals
achievement. Simultaneously, this research project provides an international benchmark on
how organizations are currently adopting the governance and management processes as
identified in COBIT 5. The findings suggest that organizations are best in adopting the “IT
factory” related management processes and that implementation scores drop in management
and governance processes when more business and board involvement is required.
Additionally, there are significant differences in perceived implementation maturity of COBIT
5 processes between SME’s and larger organizations. Also, the data offers empirical evidence
that the COBIT 5 processes have a positive association with enterprise value creation.
1. Introduction
In today’s competitive business environment, organizations are relying heavily on IT for
business value creation (Anderson, Banker, & Ravindran, 2006; Chari, Devaraj, & David, 2008;
Kohli & Grover, 2008). This leads to an increased focus on the governance and management
of IT (De Haes & Van Grembergen, 2015; Wilkin & Chenhall, 2010), required to ensure that the
expected business value creation is effectively realized and the associated risks are under
control. In order to implement governance and management of enterprise IT, organizations
are often drawing upon the practical relevance of industry frameworks such as “Control
Objectives for Information and Related Technology” (COBIT), currently in its fifth edition, and
released by the “Information Systems Audit & Control Association” (ISACA). The framework is
built around a set of governance and management enablers and their support in the
achievement of IT-related goals and, ultimately, enterprise goals (ISACA, 2012a).
COBIT-based implementations are gaining popularity as COBIT is the framework of choice for
enterprise governance and management of IT in many organizations (Debreceny & Gray, 2013;
IT Governance Institute (ITGI), 2011; Smits & Hillegersberg, 2013). However, adopting the
guidance as described in the COBIT framework requires a considerable amount of effort and
is often perceived as complex and costly, while return in stakeholder value is difficult to
measure in tangible outcomes (De Haes, Van Grembergen, & Debreceny, 2013; Pereira & da
Silva, 2012).
COBIT-based research is still scarce, especially empirical research (Mangalaraj, Singh, &
Taneja, 2014). As COBIT is an extensive framework, empirical research often requires large
datasets, which are not easily collected. Moreover, with the release of COBIT 5 in 2012,
incorporating some significant changes towards a better focus on IT governance, most of the
existing research is somewhat outdated. As stated by Mangalaraj et al. (2014), “It is time for
IS researchers to examine this important framework, as research on COBIT is highly relevant
to IS as its principles directly match with IT governance.”
The conceptual model used in this research is entirely based on COBIT 5 (Figure 1). The three
main constructs are discussed in the next section.
2. Theoretical background
2.1. Enterprise governance and management of IT
The impact of IT on organizations has increased noticeably over the last decades (Sabherwal
& Chan, 2001). Over time, IT has become a crucial asset to create current and future business
value for organizations (Anderson et al., 2006; Chari et al., 2008; De Haes & Van Grembergen,
2015). This increased dependency on IT implies that business executives and board members
can no longer avoid making important IT-related decisions (Bart & Turel, 2010; Nolan &
McFarlan, 2005; Trites, 2004; Valentine & Stewart, 2013). It also implies a huge potential
vulnerability associated with a spectrum of risks that need to be managed like technical errors
(e.g. system downtime) or external threats (e.g. cybercrime) (De Haes & Van Grembergen,
2015; Raghupathi, 2007). IT both has the potential to support existing business strategies and
to shape new ones. This means that IT can be leveraged to achieve competitive advantage. In
order to enable the business value creation from IT, organizations need a specific focus on IT
governance (De Haes & Van Grembergen, 2009; Weill & Ross, 2004; Wilkin & Chenhall, 2010).
The incentive for organizations appears to be significant: Empirical research indicates that
organizations with better IT governance generate on average 20% higher profits compared to
similar organizations that perform poor on their IT governance (Weill & Ross, 2004).
While a shared definition for the IT governance construct is lacking (Buchwald, Urbach, &
Ahlemann, 2014), we use the following operational definition in this paper, as it clearly
indicates the need for all stakeholders (i.e. both business and IT) to be involved in the process,
in support of organizational goals: “Enterprise governance of IT [EGIT] is an integral part of
corporate governance and addresses the definition and implementation of processes,
structures and relational mechanisms in the organization that enable both business and IT
people to execute their responsibilities in support of business/IT alignment and the creation of
business value from IT-enabled business investments.” (De Haes & Van Grembergen, 2015).
This definition is based on the ITGI (2003) definition, and emphasizes that the governance of
IT should be a focus area of corporate governance (i.e. it required board involvement).
Drawing on corporate governance, researchers in contemporary IT governance literature take
a holistic approach on IT governance, acknowledging that it can be implemented using a set
of structures, processes, and relational mechanisms (Peterson, 2004; Weill & Ross, 2004).
The COBIT 5 framework contains both IT governance and IT management content. In fact,
“Separating governance from management” is one of the COBIT 5 key principles. COBIT 5 puts
forward the following definitions for governance: “Governance ensures that stakeholder
needs, conditions and options are evaluated to determine balanced, agreed-on enterprise
objectives to be achieved; setting direction through prioritization and decision making; and
monitoring performance and compliance against agreed-on direction and objectives”, and
management: “Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve enterprise objectives” (ISACA, 2012a). In
summary, governance sets the direction of management, while management operates in
alignment with the directions set by governance.
The COBIT 5 process enabler consists of 37 IT-related processes, which are divided over
governance and management domains. The complete set of processes included in the COBIT
5 process enabler is summarized in Appendix A. The “Evaluate, direct and monitor (EDM)”
domain consists of five governance processes that reflect the board’s responsibilities in IT
covering the setting of the governance framework, responsibilities in terms of value (e.g.,
investment criteria), risks (e.g., risk appetite), resources (e.g., resource optimization), and
providing transparency regarding IT to the stakeholders. The management processes are
classified over four management domains. The “Align, plan and organize (APO)” domain
consists of 13 management processes that are concerned with the identification of how IT can
best contribute to the achievement of business objectives. The domain states that a
management framework is required and contains specific processes related to the IT strategy
and tactics, enterprise architecture, innovation, and portfolio management. Other important
processes in this domain address the management of budgets and costs, human resources,
relationships, service agreements, suppliers, quality, risk, and security. The “Build, acquire and
implement (BAI)” consists of 10 management processes that are aimed at making the IT
strategy concrete through identifying, in detail, the requirements for IT and managing the
investment program and projects. This domain further considers managing capacity,
organizational change, IT changes, acceptance and transitioning, knowledge, assets, and
configurations. The “Deliver, service and support (DSS)” domain is concerned with the actual
delivery of required IT services. It contains six processes on managing operations, service
requests and incidents, problems, continuity, security services, and business process controls.
Finally, the “Monitor, evaluate and asses (MEA)” domain consists of three management
processes that are responsible for the quality assessment in compliance with the control
requirements for all previously mentioned processes. It addresses performance management,
monitoring of internal control, and regulatory compliance (De Haes et al., 2013; ISACA, 2012b).
3. Research approach
The main objective of this paper is to empirically investigate how the level of implementation
of the COBIT 5 process enabler relates to the level of IT-related goals achievement, which in
turn associates to the level of enterprise goals achievement, while simultaneously establishing
a benchmark on how organizations are adopting the COBIT 5 process enabler. In support of
this, we build on the conceptual model as proposed in Figure 1 and further explained in section
2.
4. Results
4.1. Respondent demographics
Demographic information is provided in Table 1 (N=878). As can be seen from this table, the
survey obtained a good distribution of respondents across regions, firm sizes, industries,
functional area of the respondents, and work experience of the respondents. North America
(31.0%), Europe (23.8%), and Asia (20.4%) are the three major regions in which the
respondents were professionally active. The majority of organizations in the sample (60.4%)
are large or very large (i.e. 1500 employees or more). The financial/banking industry is best
represented in the sample (25.9%), followed by the governmental sector (13.7%). Most
respondents categorized themselves as being an audit/risk/compliance professional (45.3%),
followed by an IT professional (43.7%). The vast majority (86.2%) of respondents indicated
having at least 10 years of professional experience.
At the level of the detailed processes within these domains (see next sections), the relatively
better implemented COBIT 5 processes are “manage service request and incidents “and
“manage costs and budgets”. The relatively weak implemented processes of COBIT 5 are
“manage innovation”, “ensure benefits delivery” and “manage knowledge”. In general, many
processes that required more business involvement achieved lower implementation scores
(e.g. managing organizational changes, business process controls etc.). This again is a call for
action, as the importance of business involvement in IT enabled value creation has been
stressed by many researchers (De Haes & Van Grembergen, 2015; Turel & Bart, 2014; Weill
& Ross, 2009). Or in the words of Weill & Ross (2009): “If senior managers do not accept
accountability for IT, the company will inevitable throw its IT money to multiple tactical
initiatives with no clear impact on the organizational capabilities. IT becomes a liability
instead of a strategic assets”.
As the objective is to test for statistical significance on the mean of a set of variables, and we
are dealing with a cross-sectional dataset, independent samples t-tests are performed. If this
test shows a significant p-value, the null hypothesis is rejected, so there is a significant
difference in the mean between both groups. The results of this analysis are presented in
Table 3. Statistically significant results are shaded grey.
The results show that significant differences exist between SME’s and larger enterprises when
it comes to the mean perceived implementation maturity of the whole set of COBIT 5
processes, as well as for each set of process domains (i.e. EDM, APO, BAI, DSS, and MEA).
Despite significant differences in the mean perceived implementation maturity for all of these
categories, only one significant difference exists at the level of the goals, i.e. for the mean
perceived achievement of financial enterprise goals. This suggests that despite having a lower
mean perceived implementation maturity for the COBIT 5 processes, SME’s have a
comparable mean perceived achievement of IT-related goals and enterprise goals, with
exception of the financial enterprise goals.
The relevant variables are the level of enterprise goal achievement, the level of IT-related goal
achievement, and the level of process implementation status. The values for each of these
variables are also computed at an aggregate level. That is, average score for 17 enterprise
goals, average score for 17 IT-related goals, , and average score for 37 process implementation
statuses is computed for each respondent. The correlation analysis is also conducted at the
category level of enterprise and IT-related goals. That is, the average score were computed at
the four dimensions of the IT balance scorecard (IT BSC) and enterprise balance scorecard
(BSC). These dimensions include Financial, Customer, Internal, and Learning and Growth.
Related to the COBIT 5 process reference model, the average score for each domain (EDM,
APO, DSS, BAI, and MEA) is also calculated.
Table 2 indicates the correlation coefficient of 0.89 for this relationship, which confirms a very
strong association between the two metric variables. Among the four IT-related dimensions,
IT Internal dimension is the strongest associated dimension, holding IT related goals such as
“IT agility”, “security”, “enabling business processes by integration of application in business
processes” and “delivery of programmes on time, budget and functionality”. Overall
correlation strength of each dimension is in the range of strong to very strong association and
is statistically significant.
Table 4. Correlations between IT-related goals and enterprise goals at the dimensional level
To elaborate further on the relationship between IT-related goals and enterprise goals, a
scatter plot is developed in Figure 11. The small circles on the graph indicate observed values
for enterprise goals when plotted against IT-related goal observations. The graph clearly
indicates a linear trend between IT-related goals and enterprise goals. A trend line is also fitted
into the graph to imply a strong positive and significant association between IT-related goals
and enterprise goals.
Figure 11. Scatterplot and regression line for the relationship between IT-related goals and enterprise goals
Figure 12. A spline chart between overall process implementation scores and IT-related goals
The positive association is also confirmed in Table 3 with a positive correlation coefficient of
0.87. The domain level analysis in Table 3 shows that all COBIT 5 process domains demonstrate
very strong correlations with the achievement of the IT related goals. All the correlations
reported are statistically significant. The highest correlations score is attributed to the Align,
Plan and Organise (APO), which considering the strategic nature of the domain might not be
a surprise.
Overall
Process Score
Overall
Figure 13 shows a scatter plot between overall process scores and IT-related goals. The graph
plots all the observation for IT-related goals (Y-axis) in relation to process scores (X-axis). Next,
the graph fits a trend line to suggest a strong and positive association between the two
variables. The analysis suggests that the two variables share a strong positive upward trend,
which is statistically significant. This finding also corroborates the trend depicted in Figure 12.
Figure 13. Scatterplot and regression line for the relationship between process implementation scores and IT-related
goals achievement
To acknowledge and address these topics, the objective of this research was twofold. First, a
detailed benchmarking of current adoption of governance and management processes as
proposed in COBIT 5 was performed. Second, drawing on the COBIT 5 goal cascade overview,
the focus was to assess the association between the implementation of
management/governance processes and the achievement of IT-related goals and enterprise
goals.
The findings suggest that better implementation rates of the COBIT management and
governance processes clearly show positive correlations with the achievement of IT related
goals. It was also demonstrated that the achievement of these IT related goals in turn strongly
associated to the achievement of enterprise goals, which as such confirms the proposed
conceptual cascade model in COBIT 5. The research also showed that in general organizations
are best in adopting the “IT factory” related management processes and that implementation
scores drop in management and governance processes when more business and board
involvement is required. Additionally, there are significant differences in perceived
implementation maturity between SME’s and larger enterprises for all of the COBIT 5 process
domains. However, despite having a lower mean perceived implementation maturity for the
COBIT 5 process domains, SME’s have a comparable mean perceived achievement of IT-
related goals and enterprise goals, with exception of the financial enterprise goals.
By offering empirical evidence that governing and managing those IT governance and
management processes does have a positive association with enterprise value creation,
decision-makers will find it easier to support investment propositions related to EGIT.
Additionally, the results of this research will contribute to the relatively new domain of
knowledge around COBIT 5, and it will assist practitioners by providing an international
benchmark and more guidance on how governance and management frameworks, such as
COBIT 5, can lead to higher enterprise value creation from their IT assets and resources.
References
Anderson, M. C., Banker, R. D., & Ravindran, S. (2006). Value Implications of Investments in
Information Technology. Management Science, 52(9), 1359–1376.
http://doi.org/10.1287/mnsc.1060.0542
Andriole, S. (2009). Boards of Directors and Technology Governance: The Surprising State of
the Practice. Communications of the Association for Information Systems.
Bart, C., & Turel, O. (2010). IT and the Board of Directors: An Empirical Investigation into the
“Governance Questions” Canadian Board Members Ask about IT.
Bergeron, F., Croteau, A.-M., Uwizeyemungu, S., & Raymond, L. (2015). IT Governance
Theories and the Reality of SMEs: Bridging the Gap. In 2015 48th Hawaii International
Conference on System Sciences (pp. 4544–4553). IEEE.
http://doi.org/10.1109/HICSS.2015.542
Buchwald, A., Urbach, N., & Ahlemann, F. (2014). Business value through controlled IT:
toward an integrated model of IT governance success and its impact. Journal of
Information Technology, 29(2), 128–147. http://doi.org/10.1057/jit.2014.3
Chari, M. D. R., Devaraj, S., & David, P. (2008). Research Note —The Impact of Information
Technology Investments and Diversification Strategies on Firm Performance.
Management Science, 54(1), 224–234. http://doi.org/10.1287/mnsc.1070.0743
De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance
Implementations and its Impact on Business/IT Alignment. Information Systems
Management, 26(2), 123–137. http://doi.org/10.1080/10580530902794786
De Haes, S., & Van Grembergen, W. (2015). Enterprise governance of information
technology, second edition. Springer.
De Haes, S., Van Grembergen, W., & Debreceny, R. S. (2013). COBIT 5 and Enterprise
Governance of Information Technology: Building Blocks and Research Opportunities.
Journal of Information Systems, 27(1), 307–324. http://doi.org/10.2308/isys-50422
Debreceny, R. S., & Gray, G. L. (2013). IT Governance and Process Maturity: A Multinational
Field Study. Journal of Information Systems, 27(1), 157–188.
http://doi.org/10.2308/isys-50418
Devos, J., Van Landeghem, H., & Deschoolmeester, D. (2012). Rethinking IT governance for
SMEs. Industrial Management & Data Systems, 112(2), 206–223.
http://doi.org/10.1108/02635571211204263
Huang, R., Zmud, R. W., & Price, R. L. (2010). Influencing the effectiveness of IT governance
practices through steering committees and communication policies. European Journal
of Information Systems, 19(3), 288–302. http://doi.org/10.1057/ejis.2010.16
ISACA. (2012a). COBIT 5: A Business Framework for the Governance and Management of
Enterprise IT. Retrieved from http://www.isaca.org/COBIT/Pages/COBIT-5-Framework-
product-page.aspx
ISACA. (2012b). COBIT 5: Enabling Processes. Retrieved from
http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
IT Governance Institute (ITGI). (2003). Board Briefing on IT Governance, 2nd Edition.
Retrieved from http://www.isaca.org/knowledge-
center/research/researchdeliverables/pages/board-briefing-on-it-governance-2nd-
edition.aspx
IT Governance Institute (ITGI). (2011). Global Status Report on the Governance of Enterprise
IT (GEIT). Retrieved from http://www.isaca.org/knowledge-
center/research/researchdeliverables/pages/itgi-global-survey-results.aspx
Kaplan, R. S., & Norton, D. P. (1992). The Balanced Scorecard - Measures That Drive
Performance. Harvard Business Review, 70(1), 71–79.
Kohli, R., & Grover, V. (2008). Business Value of IT: An Essay on Expanding Research
Directions to Keep up with the Times. Journal of the Association for Information
Systems.
Mangalaraj, G., Singh, A., & Taneja, A. (2014). IT Governance Frameworks and COBIT - A
Literature Review. In AMCIS 2014 Proceedings. Retrieved from
http://aisel.aisnet.org/amcis2014/StrategicUse/GeneralPresentations/13
Nolan, R., & McFarlan, F. (2005). Information technology and the board of directors.
HARVARD BUSINESS REVIEW, 83(10), 96–+.
Pereira, R., & da Silva, M. M. (2012). IT Governance Implementation: The Determinant
Factors. Communications of the IBIMA, 2012, 1–16.
Peterson, R. R. (2004). Crafting Information Technology Governance. Information Systems
Management, 21(4), 7–22. http://doi.org/10.1201/1078/44705.21.4.20040901/84183.2
Raghupathi, W. (2007). Corporate Governance of IT: A Framework For Development.
Communications of the ACM, 50(8), 94–99. http://doi.org/10.1145/1278201.1278212
Sabherwal, R., & Chan, Y. E. (2001). Alignment Between Business and IS Strategies: A Study
of Prospectors, Analyzers, and Defenders. Information Systems Research. Retrieved
from http://pubsonline.informs.org/doi/abs/10.1287/isre.12.1.11.9714
Smits, D., & Hillegersberg, J. (2013). The Continuing Mismatch Between IT Governance
Theory and Practice: Results from a Delphi Study with CIO’s. AMCIS 2013 Proceedings.
Trites, G. (2004). Director responsibility for IT governance. International Journal of
Accounting Information Systems, 5(2), 89–99.
http://doi.org/10.1016/j.accinf.2004.01.001
Turel, O., & Bart, C. (2014). Board-level IT governance and organizational performance.
European Journal of Information Systems, 23(2), 223–239.
http://doi.org/10.1057/ejis.2012.61
Valentine, E., & Stewart, G. (2013). The emerging role of the Board of Directors in enterprise
business technology governance. International Journal of Disclosure and Governance,
10(4), 346–362. http://doi.org/10.1057/jdg.2013.11
Weill, P., & Ross, J. W. (2004). IT Governance: How Top Performers Manage IT Decision
Rights for Superior Results. Harvard Business Press.
Weill, P., & Ross, J. W. (2009). IT savvy: what top executives must know to go from pain to
gain. Harvard Business Press.
Wilkin, C. L. (2012). The Role of IT Governance Practices in Creating Business Value in SMEs.
Journal of Organizational and End User Computing, 24(2), 1–17.
http://doi.org/10.4018/joeuc.2012040101
Wilkin, C. L., & Chenhall, R. H. (2010). A Review of IT Governance: A Taxonomy to Inform
Accounting Information Systems. Journal of Information Systems, 24(2), 107–146.
Appendix A. List of COBIT 5 processes
Code Domain Process Governance/Management
EDM01 Evaluate, Direct Ensure governance framework Governance
and Monitor setting and maintenance
EDM02 Evaluate, Direct Ensure benefits delivery Governance
and Monitor
EDM03 Evaluate, Direct Ensure risk optimisation Governance
and Monitor
EDM04 Evaluate, Direct Ensure resource optimisation Governance
and Monitor
EDM05 Evaluate, Direct Ensure stakeholder Governance
and Monitor transparency
APO01 Align, Plan and Manage the IT management Management
Organise framework
APO02 Align, Plan and Manage strategy Management
Organise
APO03 Align, Plan and Manage enterprise architecture Management
Organise
APO04 Align, Plan and Manage innovation Management
Organise
APO05 Align, Plan and Manage portfolio Management
Organise
APO06 Align, Plan and Manage budget and costs Management
Organise
APO07 Align, Plan and Manage human resources Management
Organise
APO08 Align, Plan and Manage relationships Management
Organise
APO09 Align, Plan and Manage service agreements Management
Organise
APO10 Align, Plan and Manage suppliers Management
Organise
APO11 Align, Plan and Manage quality Management
Organise
APO12 Align, Plan and Manage risk Management
Organise
APO13 Align, Plan and Manage security Management
Organise
BAI01 Build, Acquire Manage programmes and Management
and Implement projects
BAI02 Build, Acquire Manage requirements definition Management
and Implement
BAI03 Build, Acquire Manage solutions identification Management
and Implement and build
BAI04 Build, Acquire Manage availability and capacity Management
and Implement
BAI05 Build, Acquire Manage organisational change Management
and Implement enablement
BAI06 Build, Acquire Manage changes Management
and Implement
BAI07 Build, Acquire Manage change acceptance and Management
and Implement transitioning
BAI08 Build, Acquire Manage knowledge Management
and Implement
BAI09 Build, Acquire Manage assets Management
and Implement
BAI10 Build, Acquire Manage configuration Management
and Implement
DSS01 Deliver, Service Manage operations Management
and Support
DSS02 Deliver, Service Manage service requests and Management
and Support incidents
DSS03 Deliver, Service Manage problems Management
and Support
DSS04 Deliver, Service Manage continuity Management
and Support
DSS05 Deliver, Service Manage security services Management
and Support
DSS06 Deliver, Service Manage business process Management
and Support controls
MEA01 Monitor, Monitor, evaluate and assess Management
Evaluate and performance and conformance
Assess
MEA02 Monitor, Monitor, evaluate and assess Management
Evaluate and the system of internal control
Assess
MEA03 Monitor, Monitor, evaluate and assess Management
Evaluate and compliance with external
Assess requirements
Appendix B. IT-related goals and enterprise goals
IT-related goals (over the dimensions of the balanced scorecard)
Financial Customer
01: Alignment of IT and business strategy 07: Delivery of IT services in line with
02: IT compliance and support for business business requirements
compliance with external laws and 08: Adequate use of applications,
regulations information and technology solutions
03: Commitment of executive management
for making IT-related decisions
04: Managed IT-related business risk
05: Realized benefits from IT-enabled
investments and services portfolio
06: Transparency of IT costs, benefits and
risk
Internal Learning and growth
09: IT agility 16: Competent and motivated business and
10: Security of information, processing IT personnel
infrastructure and applications 17: Knowledge, expertise and initiatives for
11: Optimization of IT assets, resources and business innovation
capabilities
12: Enablement and support of business
processes by integrating applications and
technology into business processes
13: Delivery of programmes delivering
benefits, on time, on budget, and meeting
requirements and quality standards
14: Availability of reliable and useful
information for decision making
15: IT compliance with internal policies
Enterprise goals (over the dimensions of the balanced scorecard)
Financial Customer
01: Stakeholder value of business 06: Customer-oriented service culture
investments 07: Business service continuity and
02: Portfolio of competitive products and availability
services 08: Agile responses to a changing business
03: Managed business risk (safeguarding of environment
assets) 09: Information-based strategic decision
04: Compliance with external laws and making
regulations 10: Optimization of service delivery costs
05: Financial transparency
Internal Learning and growth
11: Optimization of business process 16: Skilled and motivated people
functionality 17: Product and business innovation culture
12: Optimization of business process costs
13: Managed business change programmes
14: Operational and staff productivity
15: Compliance with internal policies