Recent corporate scandals such as HIH and OneTel in Australia, and Enron and Worldcom in the United States have raised the importance of corporate governance and prompted governments to provide guidelines to reduce risks to shareholders, employees and consumers. In the United States, the Sarbanes-Oxley Act 2002 introduced stringent corporate governance requirements and organisations around the world are following the lead of the US and focussing on corporate governance. For example, in Australia, the AS 8000 Good Governance Principles was released in 2003 making Standards Australia the first standards body in the world to publish national guidelines on corporate governance. The Australian standard AS 8015 Corporate Governance of Information & Communications Technology is being considered by an International Standards working group as a candidate for adoption as an international standard.
Increasingly, IT governance is considered an integral part of corporate governance. There has been rapid increase in awareness and adoption of IT governance. As well as seeking to conform to national governance requirements (such as the Sarbanes-Oxley Act), organisations are establishing IT governance to ensure that IT is aligned with the objectives of the organisation. IT governance includes leadership, organisational structures and processes to ensure that the organisation’s IT sustains and extends the organisation’s strategy. To ensure that IT is aligned with the objectives of the organizations, and sustains and extends the organization’s strategy, senior managers are implementing IT governance frameworks. Organisations are under pressure to improve their IT governance and service quality and are investing in training, consultants, hardware and software to implement frameworks such as Control objectives for information and related Technology (CobiT) and the IT Infrastructure Library (ITIL).
Associated with IT governance is the management of IT services provided. Organisations are grappling with the challenges of improving availability and capacity of business-critical applications while improving service levels, reducing support costs and lowering incident and problem resolution times. The increasing use of outsourcing contracts to multiple service providers raises challenges for IT governance and service management. Apart from articles in the practitioner press, there is very little research published in this important area. The frameworks available are continually evolving. Many organisations have already adopted the IT Infrastructure Library (ITIL) framework. This framework has recently been revised from version 2 to version 3. As well as investing in the new editions of the ITIL books, organisations are considering how to transition from version 2 to 3 and the implications in terms of conversion training and tool sets. An international standard on IT Service Management has been released – ISO/IEC 20000. Many organisations are seeking to gain certification to this standard for competitive advantage in tendering for outsourced service provision and also by internal IT groups as a defence against outsourcing threats. To further complicate the IT Service Management environment, the Software Engineering Institute is developing two complimentary ‘constellations’ to accompany the Capability Maturity Model Integration (CMMI). These constellations focus on acquisition and service management. As these additional frameworks share common processes with the CMMI, it is expected that organisations that have invested in the CMMI framework will be interested in the two new constellations.
The objective of this book is to examine current popular IT governance and IT service management frameworks and standards. It strives to present a variety of views from many countries and perspectives about how these standards are used by organisations. As these frameworks are increasingly widely adopted, they are revised and improved. Consequently, organisations need to keep up-to-date with the revisions to the frameworks. This book provides an in-depth view of challenges and benefits experienced by organisations in their initial adoption of the frameworks and then incorporating the subsequent revisions. Furthermore, this book highlights the critical contribution of IT service management to IT governance, and the strategic and tactical value provided by effective service management.
In my own research on IT Governance or IT Service Management, I found there was little published research on these topics and felt that there was a need for a collection of recent research. The motivation for this book came from my attendance at various conferences such as the International Conference on IT Governance, the European Conference on Information Systems and the Australasian Conference on Information Systems. I contacted authors I had met at these conferences and encouraged them to extend their research as a contribution to this collection. The call for chapters was also promoted through the ISWorld and IRMA mailing lists and this approach resulted in contributions from an international cohort of authors.
This book makes its mark by providing a collection of recent research outcomes covering most of the popular frameworks used for IT governance and service management. It contributes to the subject matter by providing up-to-date reviews of the extant literature. The case studies provide empirical evidence of the experience of many organisations from various countries.
Structure of the book
This book is divided into four sections.
Section 1 sets the scene by providing literature reviews of previous research to date on IT Governance. It is essential in any new area of study to establish a cumulative research tradition. Researchers will find this literature review valuable and it will facilitate building on previous studies and identifying gaps in the research effort to date.
The opening chapter by Buckby, Best and Stewart provide a comprehensive understanding of the current state of IT governance literature across five key focus areas: strategic alignment of business and IT systems; delivery of value from IT systems; risk management of IT systems; management of IT resources; and measurement of the performance of IT systems. The authors present a detailed overview of research across the key focus areas of IT Governance (ITG), and by identifying important gaps in ITG research guide future thinking and research on ITG.
The second chapter by Lee and Lee aims to clarify the concept of ITG through conducting a literature review, suggesting some implications of this work for practitioners and indicating directions for the future study of ITG. Most managers acknowledge the importance of managing IT assets within a framework of ITG, but only a small number of academic treatments deal with ITG, meaning that businesses often find themselves making their governance decisions in a vacuum.
David Musson proposes that there are three different concepts that are grouped together as IT governance: IT governance as a framework or audit process; IT governance as IT decision-making; and IT governance as a branch of corporate governance. Through a review of the literature, Musson brings together the disparate views of IT governance so as to permit a broader view of this important subject.
Section 2 provides six case studies of IT Governance in countries as geographically diverse as Australia, Korea, and the United States of America. These case studies will be of practical use to managers who are embarking upon IT Governance initiatives.
Bhattacharjya and Chang introduce key IT governance concepts and industry standards and explore their adoption and implementation in the higher education environment. This chapter provides a valuable example to practitioners by demonstrating that IT governance processes, structures and relational mechanisms adopted by these institutions generate value through improvements in a number of key focus areas for IT management.
Using a public sector audit office in an Australian state, Gerke and Ridley examine the potential to use an audit program based on the Control Objectives for Information and Related Technologies (CobiT) framework. The results suggest that the CobiT-derived instrument was effective for IT audit, and was able to be tailored to the needs of the organisation, when evaluated against a number of criteria.
Shan and Hua consider the challenges in managing the complexity in architecture design. They define a methodical approach to effectively manage the complexity in architecture design and rationalize the architectural assets of IT application portfolios in a service oriented paradigm. The holistic framework provides a multidisciplinary approach of portfolio analysis and service-oriented architecture planning. A case study in the US finance industry illustrates the use of this framework in real-world scenarios.
The next chapter, by Lee and colleagues compares the IT Governance setups of three large service sector firms in Korea. It seeks to identify the activities, types, and determinants of firms’ IT governance decision making processes, and to suggest the basis on which forms of IT governance may represent rational selections for given service companies. The proposed and partially validated IT governance framework should be useful for further research and practice of IT governance.
The Australian Standard for the Corporate Governance of Information and Communication Technology (ICT) AS8015 is used by O’Donohue, Pye and Warren as the focus of their chapter. Recommendations are provided to enhance the effective implementation of this Standard’s principles within an organisation. These recommendations concern such factors as identifying and addressing issues surrounding the implementation of this Standard and the actions that could be undertaken to improve the effectiveness of ICT governance by sharply focusing upon the governance aspects of ICT within business, as opposed to the management aspect of ICT.
Academics and practitioners collaborated Mark Toleman on the case study in chapter 9. It reports on a major restructure incorporating both CobiT and ITIL principles at an Australian University. As well as describing the new reporting and internal structures of the Division, the alignment of the goals of the Division to the corporate goals is discussed. Care was taken to ensure that the new ICT structure was logical and conducive to operational effectiveness, efficiency and sound ICT governance, and could provide pathways and opportunities for career progression, client-focus and role delineation and functional accountability.
Section 3 is the largest section in the book and provides many and varied perspectives on the relationship of IT Governance with business, corporate governance, and IT security. This section also considers governance as it relates to IT portfolio management, outsourcing, and software development.
Brian Cusack uses the control frameworks of CobiT and ITIL to provide a mapping of organizational roles from the capital interest at the highest level, through to the implementation level in an enterprise system. Security affects all processes within an organization structure and both control frameworks provide varying capability for control at different levels in an organization. In this chapter the security process is mapped from two control frameworks at the strategic layer and the issue of effective management tactics discussed from the theoretical structures within the problem area.
Chapter 11 focuses on the importance of both corporate and IT governance, and demonstrates that IT governance is a very important sub-component of corporate governance. Borth and Bradley present a framework which should facilitate a strong understanding of the different factors and mechanisms that impact firm governance. A number of interesting empirical results relating to these governance mechanisms are presented with examples that link corporate and IT governance.
Alea Fairchild and colleagues report on the I-Fit research project which commenced as a joint activity of a regional ICT consultancy with a university research center. The main goal of the project is to help the consultants to improve alignment between business and IT in the client organizations. The I-Fit project takes the perspective of the business manager: how a business manager can influence and increase the value of the IT services received. The I-Fit model was developed based on the literature on strategic alignment and Information Quality. The model assumes causal relationships between ‘IT governance’, ‘Strategic Alignment, ‘Information Quality’, and ‘Business Performance’ in an organization.
This chapter by Kollmann and Hasel focuses on young Internet-based firms and articulates the knowledge and skills required by IT professionals. Building on the general IT governance principle of aligning business and IT, it introduces an adequate competence model, outlines its dimensions, and suggests a framework for modeling the effects of factors internal and external to the firm on the value propositions of the different dimensions. The authors hope that a comprehensive understanding of the role of IT-related competence will assist founders not only in finding suitable partners, but also in aligning e-business strategy and information technology in Internet-based ventures.
Rogers assesses the role maturity models can play in enterprise IT governance. Frameworks such as the Capability Maturity Model make it possible to assess maturity in key areas. The author describes additional maturity models that have no formal association with a comprehensive framework, the application of which represent significantly less overhead than the larger frameworks that include a maturity model component. Rogers seeks to present a broad perspective on maturity models that enterprises can use as a preliminary means of evaluating available tools. This overview of maturity models can facilitate the selection of a model to bring about improved IT governance in one or more focus areas.
The next chapter by Yael Dubinsky and colleagues aims to bridge the gap between high-level IT governance and software development governance. A model for governance in general is presented and then used to describe IT and software development domain-specific governance. The model is built based on a review of the literature and a set of scenarios. The process of transition to agile software development is used to demonstrate the domain-specific governance schemes.
The aim of the chapter by Ann Rouse is to alert decision makers to the fact that outsourcing IT incorporates residual risks even when widely-recommended operational controls are implemented. After briefly reviewing existing formal governance frameworks and their treatment of IT outsourcing, an analytical model for considering outsourcing benefits and risks is introduced. Some strategic IT governance issues that become critical once a firm outsources a significant proportion of its IT services are highlighted. Effective control processes are necessary, but not sufficient for good corporate governance and those responsible for corporate governance should ensure that both operational and strategic governance issues are considered when IT is substantially outsourced.
Portfolio Management principles are the foundation of building effective governance. Murali Ramakrishnan’s chapter is intended primarily for managers who are preparing to implement portfolio management concepts in an organisation and students of IT Project Management, who wish to understand the difference between Project and Portfolio Management. While there is literature available discussing portfolio management at the conceptual level, there is not enough available which translates these concepts into tactical implementation. Practitioners can benefit from discussing implementation approaches that can be tailored to suit individual needs. This chapter shows one of the many ways to implement a portfolio management framework.
The purpose of the chapter by Dowse and Lewis is to help business and information managers to adapt IT management arrangements to suit the organisational context by examining the issues associated with alignment of IT governance and service management, identifying contingencies and developing a framework. After examining the requirements for IT governance, the organisation is considered as a system and competing needs for integration and differentiation within the organisation are examined. The emerging concept of information systems as a contributor of value is also discussed and a framework developed.
The focus in section 4 is IT Service Management. Models such as ITIL and ISO/IEC 20000 are described and extended and illustrated with a case study. This section considers the importance of quality, strategy and return on investment issues in relation to IT Service Management.
Jon Iden presents and analyses a real life ITIL project based on a longitudinal case study. The purpose is to illustrate how the ITIL process reference model for some processes may be used almost as a blueprint, while ITIL for other processes may be profoundly adapted to suit the context and the needs of the implementer. Furthermore, the success factors and the impediments for successful implementation are discussed. This chapter will especially inform practitioners about how ITIL may be utilised and how an implementation project might be organised.
The chapter by Neil McBride describes a suggested model for developing a service strategy within IT services. It discusses the content and process of developing an IT service strategy. The example of hospital information systems is used to illustrate the strategic process. In order to set the scene for the strategic process, the state of information systems strategy research is discussed and set in the context of the developing service management research literature. A case is made for a migration from an IT strategy based primarily on the development of a portfolio of IT systems to a service-strategy based on the development of a portfolio of business services.
A descriptive-conceptual overview of the main models and standards of processes formulated in the Systems Engineering (SE), Software Engineering (SwE) and Information Systems (IS) disciplines is provided by Manual Mora and colleagues. Given the myriad of models and standards reported, the convergence suggested for the SE and SwE models and standards, and the increasing complexity of information systems, the authors argue that these standards become relevant to the IS discipline. Based on the aims and principles identified, the authors report and posit the concepts of process, system and service as conceptual building-blocks for describing such models and standards. Initial theoretical and practical implications for the Information Systems discipline of such models and standards are discussed.
Based on the IT-industrialisation and an increased customer orientation in IT-Service management, the aspect of quality becomes increasingly important. This chapter by Claus-Peter Praeg and Dieter Spath introduces an IT-Service management framework for the use of quality management concepts in the context of the life cycle phases of IT-Services. It argues that IT-Service management, combined with quality management and a life cycle approach for IT-Services provides a new perspective for organisations to provide high quality IT-Services. The aim is to support organisations in the effective use of quality management concepts depending on IT-Service life cycles.
Chee Ing Tiong and colleagues explore financial metrics that organisations could use in measuring the return on investment from their adoption of the IT Infrastructure Library (ITIL) framework. ITIL outlines an extensive set of best practices for IT service management in organisations but as yet there is limited academic research on measuring the return on investment from ITIL adoption. This literature review discusses the importance of measuring return on investment in ITIL and some of the available measurement metrics for IT investment that could be adapted. A measurement model for measuring investment return on ITIL service management is proposed.
Malzahn describes how models for software development and service delivery can be integrated into a common approach to reach an integrated product life cycle for software. The models include SEI’s Capability Maturity Model Integration (CMMI), SPICE (Software Process Improvement and Capability Determination, ISO 15504) and ISO/IEC 20000 (Service Management). Whilst the CMMI constellation approach delivers an integration perspective defined in three models (development, acquisition and services), SPICE and ISO/IEC 20000 need additional alignment to be usable in an integrated approach.
Book Development Process
A double-blind review process was used for all chapters submitted to the editor. Authors of selected chapters were invited to act on the reviewers’ comments and resubmit their chapters to the editor. Chapters were checked and final revisions applied.
I have enjoyed the process of compiling this book and in particular working with the contributors who provided such wide-ranging research on the topic of IT governance and service management. It is up to you, the readers to decide if the perspectives offered here are relevant to your research or to the practical application of the concepts in your organisations. I would be delighted to hear your feedback on the usefulness of this collection.
Disclaimers
No product or service mentioned in this book is endorsed, nor are any claims made about the capabilities of such product or service.
All trademarks are copyrighted to their respective owners.
Aileen Cater-Steel
Editor