Information Systems Management, 27:10–24, 2010
Copyright © Taylor & Francis Group, LLC
ISSN: 1058-0530 print / 1934-8703 online
The Effect of IT Governance Maturity on IT Governance Performance
Mårten Simonsson, Pontus Johnson, and Mathias Ekstedt
Department of Industrial Information and Control Systems, KTH, Royal Institute of Technology,
There are several best practice based frameworks that detail
effective arrangements for the internal structure of an IT organization. Although it is reasonable that there is a correlation
between the quality of the internal structure of an IT organization –
labeled IT governance maturity, and the external impact of the
same IT organization on the business – labeled IT governance
performance, this has not been validated. The results, based on
35 case studies, confirm the hypotheses of a positive correlation
between IT governance maturity and IT governance performance. Among IT processes described in 34 references, the
internal structure of the IT organization, clearly defined organizational structures and relationships, mature quality management, and cost allocation show the strongest positive correlation
to IT governance performance. The maturity of project management and service level management, as well as performance and
capacity management, show almost no correlation to IT governance performance. The findings can be used to improve current
frameworks for IT governance.
Keywords alignment of IS organization; business value of IT;
governance of the IS organization; IS organization
transformation; strategic IS planning
IT governance is defined as the structures, processes and
relational mechanisms for the IT decision making in an organization (Van Grembergen, De Haes, & Guldentops, 2004). The
concept IT organization is used in this paper to represent
everybody that is involved in IT-related decision making, so be
it an IT department employee or a business manager acting as a
stakeholder for IT. The highest decision making authority in an
IT organization is called IT management.
There is IT governance in every organization that deals with
IT. However, the quality of the IT organization may differ
between enterprises; depending on issues such as if rights and
responsibilities are distributed over the appropriate people, if
formalized processes for important tasks are implemented, and
if appropriate documentation exists. The internal IT organization efficiency is called IT governance maturity. One might
argue, however, that internal efficiency metrics of the IT organization are of moderate interest only; what really matters is
the external effectiveness of services that the IT organization
delivers to the business. We refer to this latter effectiveness as
IT governance performance.
From a management perspective, the situation is further
complicated by the fact that IT governance performance is not
directly controllable. IT management can define and manage
the internal structure of the IT organization but they can only
hope that this in the end also leads to good IT governance performance as perceived by the business.
Fortunately for IT management, it is reasonable to believe
that an organization that displays a high IT governance maturity also benefits from good IT governance performance. Even
though Croteau & Bergeron (2001) concluded that little
research had previously shown the existence of a direct link
between IT governance and organizational performance, some
progress has been made. A number of studies have focused on
finding different linkages, e.g., Weill and Ross’ (2004) survey
on how financially top-performing companies manage IT
decision rights, Dahlberg and Lahdelma’s (2007) study on IT
governance maturity and the degree of IT outsourcing, and De
Haes and Van Grembergen’s (2008) research on IT governance
and IT business alignment. The correlation of IT governance
maturity and IT governance performance, however, has never
been analyzed in detail.
The research presented in this article thus aims at testing the
following research hypothesis:
H1: There exists a positive correlation between IT governance
maturity and IT governance performance.
Address correspondence to Mårten Simonsson, Department of
Industrial Information and Control Systems, KTH, Royal Institute of
Technology, Osquldas väg 12, 7 tr, 100 44 Stockholm, Sweden.
This hypothesis is divided into several sub-hypotheses in the
methodology section of this paper, where a number of potentially falsifying tests are also presented.
The structure of the paper is as follows: First, the theoretical
foundation for IT governance maturity and IT governance performance is presented. We then turn to describing the methodology of the research performed, and explain the different
hypotheses and tests. Finally, the outcome of the tests, based
on 35 case studies, is presented. The findings are discussed and
validated in discussions with experts in the field.
There are many ways to design organizations for insightful
yet efficient decision making and the field has been thoroughly
investigated for several decades (Cyert & March, 1963;
Galbraith, 2002; Handel, 2003; March, 1994; March & Simon,
1958; Mintzberg, 1979; Weber, 1978). Transferred to the subset of the organizational theory that considers IT decision making, the general principles are still valid. IT governance deals
with the structures, processes and relational mechanisms
involved in IT decision making, and highlights IT’s business
supportive, or business driving function (Luftman, 1996; Van
Grembergen et al, 2004; Weill & Ross, 2004).
IT governance is a new concept. It emerged in the nineties
when Henderson, Venkatraman, and Loh used the term to
describe the complex array of interfirm relationships involved in
achieving strategic alignment between business and IT (Loh &
Venkatraman, 1993; Loh & Henderson, 1993). IT governance
today concerns how the IT organization is managed and structured, and it provides mechanisms that enable the development
of integrated business and IT plans; it allocates the responsibilities within the IT organization; and it prioritizes IT initiatives
(Debraceny, 2006; Holm Larsen, Kühn Pedersen, & Viborg
Andersen, 2006; Ridley, Young, & Carroll, 2004; Sallé &
Rosenthal, 2005; Van Grembergen et al 2004; Weill & Ross,
2004). It is important to ensure that the IT governance is not only
designed to achieve internal efficiency in the IT organization,
such as deploying good IT processes and making sure that the
means and goals are documented. The final goal of good IT governance is rather to provide business enabling support.
Several frameworks assist IT governance decision making.
Weill and Ross have developed a simple IT governance framework that can be used to analyze the suitability of different decision models (Weill & Ross, 2004). The IT Infrastructure Library
(ITIL) supports implementation of processes related to delivery
and support of IT and details establishment and maintenance of
service level agreements and operation level agreements (Office
of Government Commerce, 2007). ITIL receives massive support from practitioners all over the world, but the framework
itself has traditionally provided little support for strategic IT
concerns. This has been improved in recent ITIL v3 publications, but ITIL still does not cover the entire scope of IT governance, i.e. it still does not support all the decisions made by IT
management. The most widely used IT governance framework
is the Control Objectives for Information and related Technology, COBIT (ITGI, 2007a), which is discussed in further detail
below. A recent addition to the growing number of IT governance frameworks is Val IT (ITGI, 2007b). Val IT takes IT governance onto a higher level of abstraction by providing general
directions on how to manage IT from a business point of view.
The high level of abstraction is however also a limitation, as Val
IT purely focuses on the interface between IT and the business
and lacks the support to represent e.g. the processes of an IT
organization. Val IT takes on where COBIT ends, and the two
frameworks complement each other well.
As described in the introduction, an important distinction can
be made between IT governance maturity and IT governance
performance. The former spans the internal quality of the IT
organization, which at least in principle is under the control of IT
management or a CIO. A maturely governed IT organization is
thus defined as an organization that is efficient and aligned with
state-of-the-practice frameworks such as the ones mentioned
above. The concept of maturity is used also in other disciplines,
including software development. The Software Engineering
Capability Maturity Model, SE-CMM, was created by the Software Engineering Institute of the Carnegie Mellon University in
the late eighties (Humphrey, 1989). It comprises a tool for objectively assessing the ability of government contractors’ processes
to perform software projects. The term IT governance performance, on the other hand, can rather be seen as the external
objective of IT governance. It describes the effectiveness and
impact of an enterprise’s IT organization as perceived from a
business point of view. Good IT governance performance is the
desired goal, but it is outside the direct domain of control of the
IT management responsible for achieving it.
As mentioned in the introduction, the main purpose of this
paper is to determine how IT governance maturity and IT
governance performance are correlated. A statistical approach
is chosen where the IT governance maturity is seen as an
aggregate of a set of independent variables and the IT governance performance is a variable potentially dependent on the
maturity. In order to determine the strength of correlations
between maturity and performance, a number of case studies
have been carried out. Before these are discussed, the following two subsections describe IT governance maturity and IT
governance performance in further detail.
IT GOVERNANCE MATURITY
The Control Objectives for Information and related Technology, COBIT is the most well-known framework for IT
governance maturity assessments (Debraceny, 2006;
Guldentops, 2004; Holm Larsen et al, 2006; Ridley et al, 2004;
Van Grembergen & De Haes, 2008; Warland & Ridley, 2005).
It was first issued by the IT Governance Institute, ITGI, in
1998 and has been constantly evolving ever since. COBIT
features a maturity model for IT governance, which follows the
same principles as the Software Engineering Institute’s Capability Maturity Model (Humphrey, 1989). The framework
provides a definition of IT governance as consisting of four
domains and 34 processes. Each process contains a number of
IT governance maturity indicators, such as activities, documents, metrics, and support for role and responsibility assignment. The domains and processes in COBIT are described
briefly in the following subsections.
Plan and Organize (PO)
This domain covers ten IT processes of strategy and tactics,
c.f. Table 1, and concerns the identification of the way IT can
best contribute to the achievement of the business objectives.
The realization of the strategic vision needs to be planned,
communicated and managed for different perspectives. A
proper organization as well as technological infrastructure
should be put in place.
Acquire and Implement (AI)
To realize the IT strategy, IT solutions need to be identified,
developed or acquired, as well as implemented and integrated into
the business process. In addition, changes in and maintenance of
existing systems are covered by this domain to make sure the solutions continue to meet business objectives. Table 2 covers the
seven processes that concern acquisition and implementation.
Deliver and Support (DS)
This domain is concerned with the actual delivery of
required services, which includes service delivery,
management of security and continuity, service support for
users, and management of data and operational facilities. The
covered processes are listed in Table 3.
Monitor and Evaluate (ME)
All IT processes need to be regularly assessed over time for
their quality and compliance with control requirements. This
domain addresses performance management, monitoring of
internal control, regulatory compliance, and governance. The
processes in this domain are presented in Table 4.
Table 1. Plan and organize IT processes (ITGI, 2007a)

Define a strategic IT plan
Define the information
Define the IT processes,
Manage the IT investment
aims and direction
Manage IT human resources
Assess and manage IT risks

Incorporation of IT and business management in the translation of business requirements into service offerings. Development of strategies to deliver these services in a transparent and effective manner.
The establishment of an enterprise data model that incorporates a data classification scheme to ensure the integrity and consistency of all data.
Defining and implementing a technology infrastructure plan, architecture and standards that recognize and leverage technology opportunities.
Establishing transparent, flexible and responsive IT organizational structures and defining and implementing IT processes with owners, roles and responsibilities integrated into business and decision processes.
Effective and efficient IT investment and portfolio decisions, and by setting and tracking IT budgets in line with IT strategy and investment decisions.
Providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders, embedded in an IT
Hiring and training personnel, motivating through clear career paths, assigning roles that correspond with skills, establishing a defined review process, creating position descriptions and ensuring awareness of dependency on
The definition of a QMS, ongoing performance monitoring against predefined objectives and implementation of a program for continuous improvement of
Development of a risk management framework that is integrated in business and operational risk management frameworks, risk assessment, risk mitigation and communication of residual risk.
A defined program and project management approach that is applied to IT projects and enables stakeholder participation in and monitoring of project risks and progress.
Table 2. Acquire and implement IT processes (ITGI, 2007a)

Identify automated solutions
Acquire and maintain application software
Acquire and maintain technology
Enable operation and use
Procure IT resources
Install and accredit solutions and changes

Identifying technically feasible and cost-effective solutions.
Ensuring that there is a timely and cost-effective development process.
Providing appropriate platforms for the business applications in line with the defined IT architecture and technology standards.
Providing effective user and operational manuals and training materials to transfer the knowledge necessary for successful system operation
Acquiring and maintaining IT skills that respond to the delivery strategy, an integrated and standardized IT infrastructure, and reducing IT
Controlling impact assessment, authorization and implementation of all changes to the IT infrastructure, applications and technical solutions; minimizing errors due to incomplete request specifications; and halting implementation of unauthorized changes.
Testing that applications and infrastructure solutions are fit for the intended purpose and free from errors, and planning releases to production
Table 3. Deliver and support IT processes (ITGI, 2007a)

Define and manage
Ensure systems security
Identify and allocate
Educate and train users
Manage service desk
Manage the physical

Identifying service requirements, agreeing on service levels and monitoring the achievement of service levels.
Establishing relationships and bilateral responsibilities with qualified third-party service providers and monitoring the service delivery to verify and ensure adherence to
Meeting response time requirements of SLAs, minimizing downtime, and making continuous IT performance and capacity improvements through monitoring and
Building resilience into automated solutions and developing, maintaining and testing IT
Defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents.
Complete and accurate capture of IT costs, a fair system of allocation agreed upon by business users, and a system for timely reporting of IT use and costs allocated.
A clear understanding of IT user training needs, execution of an effective training strategy and measurement of the results.
A professional service desk function with quick response, clear escalation procedures, and resolution and trend analysis.
Establishing and maintaining an accurate and complete repository of asset configuration attributes and baselines, and comparing them against actual asset configuration.
Recording, tracking and resolving operational problems; investigating the root cause of all significant problems; and defining solutions for identified operations problems.
Maintaining the completeness, accuracy, availability and protection of data.
Providing and maintaining a suitable physical environment to protect IT assets from access, damage or theft.
Meeting operational service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure.
Table 4. Monitor and evaluate IT processes (ITGI, 2007a)

Monitor and evaluate IT
Monitor and evaluate internal
Ensure regulatory compliance
Provide IT governance

Monitoring and reporting process metrics and identifying and performance improvement actions.
Monitoring the internal control processes for IT-related activities and identifying improvement actions.
Identifying all applicable laws, regulations and contracts and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.
Preparing board reports on IT strategy, performance and risks, and responding to governance requirements in line with board directions.
IT GOVERNANCE PERFORMANCE
IT governance performance is the quality of the services
that the IT organization delivers, as seen from a business point
of view. A similar, yet broader, discipline is strategic alignment, where Jerry Luftman attempted to provide guidance for
achieving strategic alignment between business and IT in a mid
90s framework. As of today, Luftman’s framework has been
applied in 500 case studies (Luftman, 1996; Luftman, Papp &
Brier 1999). Dahlberg and Lahdelma (2007) synthesized IT
governance literature and created another broad definition of
business value delivery from IT. In the early 2000s, MIT
researchers Weill and Ross con ...