Master Thesis
Supervisor: Dr. E.P.M. Croonen
Co-assessor: Dr. O. Belousova
Alignment between Business and IT
to create and capture business value in SMEs
A systematic literature review
by
Patrick Smit
S2680262
University of Groningen
Faculty of Economics and Business
MSc Business Administration (MScBA)
Small Business and Entrepreneurship
June 2019 | 24-06-2019
Page 2 of 71 [Personal Identifiable Information
Page 3 of 71
Abstract
Alignment of business and IT is core to organizations in order to create business value through the effective use of IT. Literature on the field of Information Technology Governance (ITG) has focused to a great extent on medium and large sized organizations (enterprises). However, advancements in technology and regulation fuel the relevance of ITG for every organization, including SMEs. Consequently, effective use of IT is core to business survival, business performance, and business value creation and capturing.
Therefore, this study addresses the research question: how does the ITG process, with the focus on aligning Business and IT, affect the abilities of SMEs to create and capture business value? By conducting a systematic literature review, this study systematically answers the research question and has identified three main categories in ITG that are important for organizations in general, translated to a perspective on SMEs.
Organizational characteristics
A formal governance structure enables accountability over necessary controls of IT management. The amount of organizational social capital and IT social capital should be aligned, spanning the boundaries of business and IT.
Board composition
Decision rights in ITG are core to business continuity, to mitigate the chance and impact of operational IT failures. Consequently, the IT competency level of the board should be adequate. Implementation of an ITG control framework in organizations enables SMEs to improve business performance and improve the process of business value creation and capturing. The board should significantly be involved in ITG practices.
Business/IT alignment strategy
A continuous alignment between business (strategy and processes) and IT (strategy and processes) is core to drive the effective use of IT. Effective use of IT empowers organizations of any size to improve performance and to create and capture business value.
Page 4 of 71
Index
1 Introduction ... 6
1.1 Importance of IT Governance for organizations ... 7
1.1.1 Objective of ITG ... 8
1.1.2 Stakeholders in ITG ... 8
1.2 ITG research ... 9
1.3 Advancements in IT Governance through a synthesized process view ... 10
1.3.1 Update on the field of IT Governance ... 11
2 Methodology ... 13
2.1 First stage | Planning the review ... 13
2.2 Second stage | Conducting the review ... 14
2.3 Third stage | Reporting and dissemination ... 15
3 Literature review ... 17 3.1 Theoretical perspectives ... 18 3.1.1 Agency Theory ... 18 3.1.2 Boundary-spanning Theory ... 20 3.2 What Is Governed ... 21 3.2.1 IT Artifacts ... 21 3.2.2 Content ... 22 3.2.3 Stakeholders ... 24 3.3 How Is It Governed ... 25 3.3.1 Decision Rights ... 25 3.3.2.1 Control ... 27 3.3.3 Architecture ... 28 3.4 Outcomes ... 30
3.4.1 Business value and performance ... 30
4 Discussion and conclusion ... 33
4.1 Main contributions of this study ... 33
4.2 Major conclusions of this study ... 33
4.3 Limitations ... 36
4.4 Practical implications ... 36
Appendix A ... 39
Appendix B ... 40
Page 6 of 71
1 Introduction
Information Technology Governance (ITG) is important for business performance: large enterprises as well as SMEs perform better when successfully implementing an ITG framework (Fiscount, 2019). Scholars claim a positive relationship between Information Technology (IT) investments and firm competitive advantage (Hall & Liedtka, 2007; Pula, Stone, & Foss, 2003). In most organizations, IT is a crucial element of business processes and the most important driver in a fundamental digital transformation of organizations (Sassenburg, 2011).
However, in a survey among business and IT executives (Geneca, 2017) it shows that 75% of the executives claim that IT projects in their firms are usually “doomed right from the start” (Geneca, 2017). Moreover, “With yesterday’s solutions problems of the day before yesterday are addressed” (Baan, 2014), in where is referred to the largest IT failures of the Dutch government. An example of an IT failure, is the legacy IT systems of the UWV (Dutch social security agency), which are not aligned with the aspired service level of the UWV. The main conclusion (in response to the Dutch commission Elias): problems are currently addressed from the IT perspective, but should mainly be addressed from the business perspective (Baan, 2014). Therefore, ITG should be considered as highly relevant for every business decision maker, C-level executive and board of directors, since the key objective of ITG is the alignment of business and IT to create and capture business value (De Haes & Van Grembergen, 2009).
IT Governance is broadly defined in literature. By studying 300 organizations, Weill and Ross (2004) have confirmed the use of a diverse subset of ITG definitions in organizations. As a result, no single best formula for governing IT has been identified (Weill & Ross, 2004). Simonsson and Ekstedt (2006) argue that ITG is about the decision making process of IT assets, which consist of the hardware and software in use, the processes, human capital, and the strategic IT-goals of an organization. Simonsson and Ekstedt (2006) have analyzed the diversity of ITG definitions and included the 60 most cited references of ITG. Weill and Ross (2004) found that managers widely interpret the definition of ITG, and as a consequence do implement an ITG framework in very different ways in their organizations. More awareness of the process and frameworks in successfully implementing ITG in organizations should be raised among business decision makers, C-level executives and board of directors.
In this paper, ITG is defined according to the definition of De Haes and Van Grembergen (2014). ITG is defined as the alignment of Business and IT, consisting of leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives (IT Governance Institute, 2003; Van Grembergen, 2002). According to De Haes & Van Grembergen (2004: P.1), ITG is an organizational capacity exercised by the board of directors, executive management and IT management “to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT”.
Page 7 of 71 a relevance for SMEs, will be reviewed. This study is based on the existing and available published scholarly articles.
Furthermore, The relevance for SMEs is fueled by the emerged regulatory compliance in the period 2009-2017. Organizations have to be compliant with emerged regulation. The General Data Protection Regulation (GDPR) is a very important example. How does the GDPR affect the ITG process, and what are its linkages to outcomes of the ITG processes, such as organizational performance? Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). In parallel it is argued that in practice 9 out of 10 SMEs cannot be compliant with the GDPR, because it is “too complex, extensive and not vague” (Groenendijk, 2019: P.17). This leads to the following research question:
How does the ITG process, with the focus on aligning Business and IT, affect the abilities of SMEs to create and capture business value?
To answer the research question, the “IT Governance Cube” Tiwana et al. (2013) (figure 1) is used as a framework to position ITG research and derive subquestions. This study is based on a firm-level analysis, which results in a firm-level focused dimension “Who is governed” (Tiwana et al., 2013), resulting in the following questions:
1) What is governed?
Represents what is governed including identification of relevant stakeholders (Tiwana et al., 2013).
2) How is it governed?
Represents the mechanisms used in governance (Tiwana et al., 2013).
The ITG Cube is extended with an outcome dimension, which relates to the objectives of ITG implementation and can be achieved by successfully implementing ITG practices. The extension of the ITG Cube results in the final subquestion:
3) What are the outcomes of successful implementation of ITG practices?
Represents outcomes based on value creation and capturing in organizations (ISACA, 2012). The questions are important, because the premises are central to the business continuity of organizations of any size.
1.1 Importance of IT Governance for organizations
In many organizations, IT is critical in the day-to-day operations and critical in order to sustain the survival and growth of the firm (De Haes & Van Grembergen, 2009). The critical role of IT reflects on the ability to be “in-business”: in modern organizations, IT is the backbone that enables the support, sustainability and growth of the business (De Haes & Van Grembergen, 2009). The critical role of IT in modern organizations underlines the importance of ITG. The quest for a framework to arrange processes to constantly align the business strategy and goals with the IT strategy and goals, realized through the effective use of IT (ISACA, 2012).
Page 8 of 71 managers in a company know how IT is governed. This research paper therefore can serve as an instrument to raise ITG awareness at the managerial, executive and board level. The awareness function is very relevant from an organizational perspective, because awareness of ITG processes is shown to be the single best indicator of governance effectiveness (Weill and Ross, 2004).
The exponential data growth in the recent years is addressed in literature as an important driver to develop the ITG discussion and ITG practices into a top issue for senior business and IT management (Luftman & Ben-Zvi, 2011; Peterson R., 2004; Tallon, 2010). According to Mr. Zwenne (professor at Leiden University, specialized in telecommunication- and privacy law) the GDPR should be a top priority of organizations, and an important topic in boardroom discussions (Groenendijk, 2019). Therefore, ITG should be high on the agenda for many organizations.
1.1.1 Objective of ITG
The main objective of ITG is business value creation through the effective use of IT in organizations (ISACA, 2012). Value creation is defined as “realizing benefits at an optimal resource cost while optimizing risk”, in where benefits realization, risk optimization and resource optimization are the core pillars of the ITG objective (ISACA, 2012: P.13). Viewing ITG as an organizational capacity to ensure the fusion of business and IT (Van Grembergen, 2002) underlines the inclusion and relevance for the business stakeholders.
In ITG the business stakeholders can be defined as the Board of Directors, executive management, IT management, and the customers of an organization (De Haes & Van Grembergen, 2004; De Haes & Van Grembergen, 2009). Solid ITG processes allow for the aggregation of data in lower levels of the organization to concrete information which enables the board to pro-actively engage in ITG practices, and steer the (IT-) organization based on business objectives (Sassenburg, 2011). The dynamic aggregation of data for boardroom discussions is referred to as “from bit to board” by Sassenburg (2011), which summarizes the responsibility of the corporate board in engaging in ITG practices and pro-actively steering IT-portfolios of the organization (Sassenburg, 2011). ITG has an internal focus to meet present and future demands of the business, as well as an external focus to meet the present and future demands of the customers (De Haes & Van Grembergen, 2009).
1.1.2 Stakeholders in ITG
Internal and external stakeholder needs are influenced by different drivers, for example regulatory compliance and the emergence of more stringent regulation, a changing business strategy, changing business landscapes, and new technology (ISACA, 2012). The stakeholder drivers are grounded in the outcomes of successfully implementing ITG practices, value creation and capturing in organizations (ISACA, 2012). The stakeholder drivers effectively drive the main objective of ITG, value creation through effective use of IT according to the COBIT 5 “enabling processes” ITG framework (ISACA, 2012).
Page 9 of 71 procedures and performance” (Peterson, 2003: P.63). ITG structures comprise of “structural (formal) devices and mechanisms for connecting and enabling horizontal, or liaison, contacts between business and IT management (decision-making) functions” (Peterson, 2003: P.59-60). The relational mechanisms in ITG are defined as “the active participation of, and collaborative relationship among, corporate executives, IT management, and business management” (Peterson, 2003: P65, 19*).
1.2 ITG research
Tiwana et al. (2013) have introduced the “IT Governance Cube” (figure 1) as a framework that can be used to position ITG research. The ITG Cube can especially add value in the context of this research paper, because it allows to divide the “Cube” in what we already know as a discipline (shaded cells in cube), and the “fertile directions in which our research conversation can progress” (unshaded cells in cube) (Tiwana et al., 2013). Based on the analysis and synthesized findings, this research paper aims to synthesize the recent literature in ITG. Furthermore, this paper aims to extent the research conversation, by synthesizing not only what we already know as a discipline, but also in the “cells” towards which the research progresses. Recommendations and a framework for business executives is provided, based on the advancements in the field of ITG, the synthesized findings and the future research directions. Key in the framework is the Business / IT alignment
Figure 1: “IT Governance Cube” (Tiwana et al., 2013).
Page 10 of 71
Positioning of ITG research Definition / meaning
Who Is Governed Unit of analysis
Ecosystem Combination of firms and / or networks of
firms
Firm (focus and scope of this study) Individual organization
Project IT project and / or application
What Is Governed Unit of analysis
IT Artifacts Hardware / software
Content Content of the IT Artifacts
(for example: data and information)
Stakeholders Stakeholders in ITG
How Is It Governed Mechanisms used to govern
Decision Rights Allocation of decision rights
Control Formal and informal control mechanisms
Architecture IT architecture as a control mechanism
Outcomes Outcomes of successful ITG implementation
Business value and performance Business value creation through effective
use of IT in organizations
Index 1 | Definitions / meaning based on the ITG Cube to position ITG research (Tiwana et al., 2013) The first dimension of the cube is “Who is governed” and represents the scope of governance and corresponds to the unit of analysis, for example an application at the corresponding “Project” level, or the complete IT function within a firm (Tiwana et al., 2013). An “Ecosystem” refers to either a large network of co-operating firms, or interfirm sourcing arrangements (Tiwana et al., 2013).
The second dimension “What is governed” refers to whether what is governed are “IT artifacts” and the content of the IT artifacts, or refers to the stakeholders involved in producing and consuming the IT artefacts (Tiwana et al., 2013). For example, IT artifacts refer to hardware and software. However, “What is governed” also refers to the content of the IT artifacts, and the stakeholders involved in creating and especially consuming the IT artifacts.
The third dimension “How is it governed” represents the mechanism used in governance. Tiwana et al. (2013) refer to allocation of decision rights, control mechanisms, or to the use of the architecture itself used “as a mechanism for non-overt control”. According to Tiwana et al. (2013) the research agenda should progress beyond the focus on control mechanisms and beyond the focus at the project level.
1.3 Advancements in IT Governance through a synthesized process view
Page 11 of 71 budgets are spend on regulatory compliance. Recent introductions of regulatory compliance are the Sarbanes-Oxley act in 2002, Basel II as a regulation between banks effective in Europe from 2008 (Hall & Liedtka, 2007); (Pula, Stone, & Foss, 2003) and the very recent introduction of the General Data Protection Regulation (GDPR) effective in Europe from may 2016 while
enforced on the 25th of may 2018 (Chassang, 2017; Mikkonen, 2014).
Advancements in IT, however, take place at such a fast pace that literature on effective ITG needs to further evolve from research on new forms of organizations, that were previously considered as infeasible (Tiwana, Konsynski, & Venkatraman, 2013). This research paper gives the reader an update on the field of ITG by reviewing recent published papers in the period 2009-2017. This systematic literature review can be used as a starting point and reference for researchers to conduct new research in the ITG field. Especially, this paper aims to show the advancements in compliancy regulation in regard to ITG and how recent literature has integrated this concept.
1.3.1 Update on the field of IT Governance
This study takes a recent literature review of IT Governance articles published between 1998-2008 (Wilkin & Chenhall, 2010) as a starting point, and complements this review by conducting a systematic literature review on the published academic articles on ITG in the period 2009-2017. The focus of this study is to show how the ITG process, with the focus on aligning Business and IT, affects the abilities of SMEs to create and capture business value.
Based on a firm-level perspective (Tiwana et al., 2013) this paper aims to make the IT Governance process more explicit, by following up on the IT Governance Cube (Tiwana et al., 2013). By following up on the IT Governance Cube (Tiwana et al., 2013) this paper aims to show the current state of the literature in what we already know as a discipline (shaded cells in cube), and extending the ITG discussion with the recent developments in regulatory compliance. The inclusion of regulatory compliance in ITG is fueled by the dominant business-IT aspect in recently introduced regulations. The business-ITG dimensions What is governed and How is it governed, as indexed by the IT Governance Cube (Tiwana et al., 2013), are reviewed to synthesize the what and how of ITG. The what and how of ITG can be linked to the drivers and outcomes of engagement in ITG practices.
Page 12 of 71 Recommendations and a framework for business executives is developed in this paper, based on the advancements in the field of ITG, the synthesized findings and the future research directions. Key in the framework is the Business / IT alignment of SMEs.
Figure 2: Extension of The IT Governance Cube (Tiwana et al., 2013) by means of a systematic literature review (blue arrows: specific focus of this study).
Page 13 of 71
2 Methodology
When conducting a systematic literature review, it is important to prevent any bias or impurities in the analysis of the data. It is the systematic approach of the literature that adds to the quality of the research process. This systematic approach is a prerequisite so that the study is fully transparent and has a high reliability and validity, so that the study can be reproduced (Tranfield et al., 2003). In this study, the three stages are used as proposed by Tranfield et al. (2003): 1) Planning the review, 2) Conducting the review and 3) Reporting and dissemination.
2.1 First stage | Planning the review
The first stage, planning the review, consists of the clarification of goals and needs of the study, including the identification of the most important source of data. This study aims to find existing concepts and theories within the field of ITG research. Furthermore, there is a clear aim to structure and synthesize the content of the articles. Another choice regarding the data sources is to only include peer-reviewed academic articles, that is, articles that are inspected and validated by scholars that have a reasonably comparable background in the field of study (Guerrieri, 2012). The article search and inclusion is executed based on an open search strategy, via the academic search engine and database Web of Science. Advanced options are available within this database, that improve the possibility of narrowing down the selection of articles. To come to a more relevant and specific search string, the search terms are narrowed down to terms that are of high relevance to the field of this study. Figure 3 provides an overview of the search process. The search strategy is executed in Web of Science on 13 June, 2018.
Figure 3: Overview of the search strategy/process, the search string and article inclusion/ exclusion.
Step7 | 27 articles
Topic "IT Governance"
Topic "Information Technology
Governance" Language: English
Time period:
2009 - 2017 ManagementCategory: Category: Business AI Score ≥ 50 unavailable articlesExclusion: Filter: only included focused articles Step 6 | 43 articles
Topic "IT Governance"
Topic "Information Technology
Governance" Language: English
Time period:
2009 - 2017 ManagementCategory: Category: Business AI Score ≥ 50 unavailable articlesExclusion:
Step 5 | 45 articles
Topic "IT Governance" Topic "Information Technology
Governance" Language: English
Time period:
2009 - 2017 Category: Management Category: Business AI Score ≥ 50 Step 4 | 78 articles
Topic "IT Governance" Topic "Information Technology Governance" Language: English Time period: 2009 - 2017 Category: Management Category: Business Step 3 | 204 articles
Topic "IT Governance" Topic "Information Technology Governance" Language: English Time period: 2009 - 2017 Step 2 | 292 articles
Topic "IT Governance" Topic "Information Technology Governance" Language: English Step 1 | 319 articles
Page 14 of 71 Step 1
The relevant search string is based on Topic “IT Governance” OR Topic “Information Technology Governance” which leads to 319 results (Figure 3, step 1).
Step 2
Only English articles are included in the selection, resulting in 292 articles (Figure 3, step 2). Step 3
The time period of the included articles is from 2009 to 2017, indicating 204 articles (Figure 3, step 3). The Web of Science search engine shows that the most substantial part of the related articles is written in the year 2004 and onwards.
Step 4
To align the articles with the business and management stakeholders of this study, the results are filtered to only include the Web of Science categories “Management” and “Business”, which results in 78 articles (Figure 3, step 4). The inclusion of the categories “Management” and “Business” is moreover in-line with the “IT Governance Cube” of Tiwana et al. (2013). A firm-level dimension is taken into account, based on the dimension “Who Is Governed” of the ITG Cube (Tiwana et al., 2013).
Step 5
The next step is to filter the respective journals based on an impact score.
The database http://www.eigenfactor.org is used for this process. In order to include the
journals that show a high impact score, the highest scoring half of journals is included that represent a minimum “Eigenfactor” impact score (AI) of 50. The subsequent articles and journals are listed in Appendix A. After correcting the inclusion of the articles based on the minimum impact score of the respective journals, 45 articles are included for this literature review (Figure 3, step 5). The subsequent articles and journals after correcting are listed in Appendix B, C, D, E and F.
Step 6
Two articles were excluded because the PDF-source linked to the database was unavailable and the respective articles could not be downloaded. 43 articles are included for this literature review (Figure 3, step 6).
2.2 Second stage | Conducting the review
The second stage, conducting the review, is the execution stage which comprises of three relevant sub steps: 1) Study quality assessment, 2) Data extraction and monitoring progress, and 3) Data synthesis. Because of the importance of this “execution” stage, the sub steps will be defined in more detail below.
Page 15 of 71 The 43 articles account as input for a further and more thorough attempt to categorize the articles. First, I have analyzed and fully read the 43 articles. In the next step, I have set-up an index (Appendix G) of the articles, based on title, author, journal, keywords, the type of study and which type of data is collected and how the data is collected. I have composed three clear categories to logically arrange the articles, based on its content and relevance.
The three main categories are:
1) Theoretical perspective (explicit contribution to a specific theory)
2) ITG process: What Is Governed and How Is It Governed (ITG Cube, figure 2) 3) ITG outcomes (performance & business value).
Step 7
As a means of study quality assessment, articles that are not focused enough to the research question in regard to business-IT alignment and/or performance and business value as outcomes, are excluded. Based on the fully read articles and derived descriptives, the non-focused articles are excluded. Finally, 27 articles (appendix H) are included for this literature review (Figure 3, step 7). The first category comprises of articles that have a clear and explicit focus on a specific theory in regard to ITG. These theories support in understanding the mechanisms in ITG, and evaluating the relevance for SMEs. Case studies are not excluded, but indexed in the category ITG process (main category 2), as the specific case studies provide relevant and practical insights on the ITG process. Articles that focus on ITG outcomes, such as performance and business value, are arranged in the third category.
The data of the selected 27 articles is extracted in this study, by a systematic means of extracting the data, based on a firm-level analysis. Links to other concepts, identification of “emergent concepts” and key results are included in this study (Tranfield et al., 2003). This systematic literature review attempts to thoroughly synthesize the data/articles (Tranfield et al., 2003), and present a framework for suggested ITG mechanisms and practices in SMEs, in order to empower SMEs to create and capture business value. This study aims to not only provide a clear review of the literature set, but also to “connect the dots” between the different articles, frameworks and claims and findings of different authors.
2.3 Third stage | Reporting and dissemination
The third stage, reporting and dissemination, aims to provide a wrapped-up report and propose recommendations (Tranfield et al., 2003). The report is differentiated according to three defined categories, based on the included articles, with the goal to synthesize the categories in the discussion & conclusion section, and presenting an overarching ITG framework for SMEs:
1) Theoretical perspectives (as pronounced in the articles, based on the search strategy)
- Agency Theory - Boundary-spanning Theory 2) ITG process - What Is Governed - How Is It Governed 3) ITG outcomes
Page 17 of 71
3 Literature review
To support in understanding the relevance and importance of this systematic literature review, table 1 and table 2 are provided. Table 1 shows an overview of descriptives as derived by indexing and systematically reviewing the articles. Table 2 shows an overview of descriptives as derived by categorizing the articles in the derived main categories of this study.
Number of studies*1 Number of studies*1
Total sample 27 How Is It
Governed Countries Decision Rights 5 Australia 1 Theoretical perspectives Control 3 Brazil 1
Agency Theory 4 Architecture 4 Europe 1
Boundary-spanning Theory 2 Finland 1
Other / Non-specified 3 Outcomes United States 6 Business value / performance 9 Other / Non-specified 15 Who Is Governed Other / Non-specified 2 Korea 1 Ecosystem 0 Taiwan 1
Firm 27 Firm size
Project 0 Micro firms |
<10 employees 0 Industries Small firms | <50 employees 0 Financial services 3 What Is Governed Medium-sized | <250 employees 5 Healthcare 1
IT Artifacts 4 Large firms |
>250 employees
2 Public
sector 1
Content 7 Not limited /
not specified*2 20 Not limited / not specified*2 22 Stakeholders 3
Page 18 of 71 Main category*1 2009 2010 2011 2012 2013 2014 2015 2016 2017 Theoretical perspective - Agency Theory 26 24 2 5 - Boundary-spanning theory 22 27 What Is Governed - IT Artifacts 4 17 7 13 - Content 11 26 22 17 27 15 12 - Stakeholders 16 27 19 How Is It Governed - Decision Rights 23 24 2 8 1 - Control 18 9 27 - Architecture 18 21 27 20 Outcomes - Business value / performance 6 9 27 3 10 14 13 25 12
Table 2: Overview of articles categorized in derived main categories. *1: numbers in table 1 correspond to the indexed article number.
Note - 1: articles are indexed according to the category and/or categories that correspond to the specific article. Note - 2: numbers in text correspond to the indexed article number.
Note - 3: numbers in text with an added “*”, are original sources that correspond to the indexed article number. 3.1 Theoretical perspectives
3.1.1 Agency Theory
Introduction
Page 19 of 71 Agency Theory as a perspective on ITG
Agency Theory in ITG research
According to Dawson et al. (2016, 5) many scholars in ITG use the agency theory as a theoretical perspective, in where the agents (management) are rational actors with the goal to maximize their individual utility, even when it is at the expense of the principals (shareholders). The goal of the governance structure is to create and sustain benefits and value for the organization (Weill & Ross, 2004, 2*). ITG concentrates on transforming IT to meet the current and future business demands of the business as well as the demands of the business customer (Peterson, 2003). According to Tiwana (2009), an idealized governance structure can be created when there is a correct fit between governance decision making and the location of domain and technical specific knowledge (Tiwana, 2009). In order to create a governance structure that enables to create and capture business value, it is important that there is a sufficient focus on the value of information systems, and the establishment of sufficient controls over IT management (Weill & Ross, 2004, 2*).
Contribution of Agency Theory to ITG process
By integrating the principal-agent relationship in an IT governance structure, the question arises to what extent decision power needs to be centralized or decentralized, because this is related to the extent of control by either the principal or the agent, and important in creating value for the organization (Xue et al., 2011, 26). However, by extending the rationale of the principal-agent theory raised by Dawson et al. (2016, 5), there is the issue of costs of control in relation to environmental uncertainty (Xue et al., 2011, 26). The costs of control are related to the extent the decision making process is decentralized (Xue et al., 2011, 26). Either there is more effort required to monitor the decision processes and outcomes, or the organization has to provide incentives in order to mitigate the opportunistic behavior of the agents (Xue et al., 2011, 26).
According to Dawson et al. (2016, 5) there is a lot of variation on how organizations define accountability for IT Governance, and to what extent the accountability is formalized and communicated. In literature, the recalled accountability is a practical example of the necessary controls over IT management. The main problem that occurs is that, without a formal and structured governance structure in place, decision making is based on an individualized ad-hoc basis (Boh & Yellin, 2006, 24*; Weill & Ross, 2004, 5*). The risk is that individual ad-ad-hoc decision making can be in conflict with the organizational goals, and does not support the process of creating and sustaining value for the organization (Boh & Yellin, 2006, 24*; Weill & Ross, 2004, 5*).
Intermediate conclusion
Page 20 of 71
3.1.2 Boundary-spanning Theory
Introduction
Boundary-spanning theory is the theoretical foundation behind the deviations between planned and actual structures (Levina & Vaast, 2006, 22). In boundary-spanning theory, boundaries occur between different fields of practice (Levina & Vaast, 2006, 22). For example, between organization levels, and arguably also at the boundaries of the dimension “business” and “IT” (Levina & Vaast, 2006, 22). According to Tushman (1977: 591, 22*) boundary spanners are “capable of translating contrasting coding schemes”. Boundary spanners support knowledge sharing between groups (Levina & Vaast, 2006, 22) and arguably support the process of translating business demands at the boundaries of “business” and “IT” in an attempt to create and capture business value.
Boundary-spanning Theory as a perspective on ITG Boundary-spanning Theory in ITG research
It is most important for managers and business executives to understand that when actual interaction structures differ from planned interaction structures, business and IT in ITG cannot be aligned (Zolper et al., 2013, 27). The main argument is that the ITG structure cannot be implemented as intended (Zolper et al., 2013, 27). The main argument is that when interaction structures actually differ, the real organization is not being governed. Because of the importance of decision rights and control in ITG, understanding the boundary-spanning potential and its effect on the effectiveness of ITG to create business value, is very relevant.
The recent introduction of more stringent regulation for organizations, for example the Sarbanes Oxley Act and the GDPR, underlines the importance of the awareness of the actual procedures and processes in organizations (Zolper et al., 2013, 27). Awareness of the actual procedures and processes is important in the perspective of regulatory compliance, because, because when the actual procedures differ from the formally planned procedures, organizations are essentially not able to prove actual regulatory compliance, which is potentially detrimental to the business value (Zolper et al., 2013, 27).
Contribution of Boundary-spanning Theory to ITG process
The interaction structures in ITG are important in governing that the planned ITG processes are actually being implemented and executed as intended. In ITG, the cooperation and dependence between different layers of an organization and internal and external forms of collaboration are important examples of interaction. Therefore, Zolper et al. (2013, 27) argue that deviations between planned and actual interaction structures in IT change processes, as a result of ITG, is an important organizational mechanism.
A planned ITG structure is based on the formal structure of the organization. However, to be effective in realizing business value in ITG, the ITG structure not only needs to be implemented across all relevant organization levels, the dimension of “business” and “IT” also needs to be bridged in order (Zolper et al., 2013, 27). According to Zolper et al. (2013, 27) most executives are aware that actual work procedures deviate from the planned procedures, but cannot explain what is different and why it is different.
Page 21 of 71 costs (Valorinta, 2011, 22). IT outsourcing enables the management of an organization to focus more on the alignment between IT activities and business strategies (Valorinta, 2011, 22). Moreover, it is argued that through boundary spanning activities and collaboration between business and IT functions, organizations may improve the alignment between business and IT and as a result, empower the creating and capturing of business value (Valorinta, 2011, 22). Intermediate conclusion
An understanding of the boundary-spanning potential and its effect on the effectiveness of ITG to create business value is very relevant. From an internal perspective, the recent introduction of more stringent regulation for organizations, for example the Sarbanes Oxley Act and the GDPR, underlines the importance of the awareness of the actual interaction structures (procedures and processes) and the fit between the planned interaction structures (procedures and processes) in organizations (Zolper et al., 2013, 27). Boundary-spanning activities support the process of translating business demands at the boundaries of business and IT, and drive the effectiveness of business value creation and capturing.
3.2 What Is Governed
3.2.1 IT Artifacts
Introduction
Part of the dimension “What is Governed” of the ITG Cube (figure 2) is “IT Artifacts”. IT Artifacts refers to the explicit “What”, such as hardware, software, cloud infrastructures, and applications (Tiwana, Konsynski, & Venkatraman, 2013). According to Tiwana et al. (2013) the existing body of literature has focused to a great extent on the successful implementation of IT artifacts in organizations.
IT Artifacts
From a business perspective, the IT discussion has long been about the IT artifacts, such as hardware, software and networks of the organization (Tiwana et al., 2013). Tallon et al. (2013, 17) confirm the longstanding focus on the physical IT artifacts, proposing a shift in the focus of ITG literature to uncover the structures and practices used to govern nonphysical IT artifacts. Tiwana et al. (2013) refer to the importance of progressing the ITG discussion from IT artifacts towards the “content” dimension, as the “content” dimension has a stronger relevance in creating value for the organization.
Although advancements in ITG literature on IT artifacts are important in understanding the explicit “What”, relevance and importance is raised of the content dimension “How” (Tiwana et al., 2013; Tallon et al., 2013, 17).
Page 22 of 71 Exponential data growth in the recent years is addressed in literature as an important driver to step away from the traditional IT artifacts discussion at a hardware / software level (Luftman & Ben-Zvi, 2011; Peterson R., 2004; Tallon, 2010, 17*). Contrary, exponential data growth drives ITG and its related practices into an important issue of managing the information lifecycle which should be a priority of top management of organizations, because of the importance to business value creating and capturing, and overall performance of the company (Luftman & Ben-Zvi, 2011; Peterson R., 2004; Tallon, 2010, 17*).
Transition of IT Artifacts
Managing the information lifecycle is a clear indicator of a new stream of literature that is of high importance for organizations, while the mainstream literature focuses primarily on the physical IT artifacts (Tallon et al., 2013, 17). Physical IT artifacts are defined as bundles of properties, either functions or capabilities, packaged in hardware or software (Orlikowski & Iacono, 2001, 17*). Tallon et al. (2013, 17) motivate that governing nonphysical (information) IT artifacts is quite fundamentally different from governing physical IT artifacts. The fundamental difference is in the value aspect of the IT artifacts: physical IT artifacts decline in value as a function of increased use (Tallon et al., 2013, 17), in contrast: nonphysical (information) IT artifacts do not decline in value by increased usage (Tallon & Scannell, 2007, 17*). Instead, the value of nonphysical (information) IT artifacts (information) can increase with greater use (Tallon & Scannell, 2007, 17*).
Choudhary & Vithayathil (2013, 4) follow up on the abstraction from the physical IT artifacts, by adressing how organizational structures are affected by the adoption of cloud computing. The adoption of cloud computing services is a practical example of the transition from physical IT artifacts to nonphysical IT artifacts. Board competencies related to cloud computing services (CCS) contribute in the flexibility of adopting CCS and is positively related to business process performance improvements and overall firm performance (Beimborn et al., 2013, 7; Prasad & Green, 2015, 13).
Intermediate conclusion
Managing the information lifecycle is identified as a clear indicator of a new stream of literature that is of high importance for organizations of any size, because of the pronounced relation to business value creating and capturing. Physical IT artifacts decline in value as a function of increased use (Tallon et al., 2013, 17). However, the value of nonphysical (information) IT artifacts does not decline in value by increased usage, instead, the value of information can increase with greater use (Tallon & Scannell, 2007, 17*). Managing the information lifecycle is effective in the creation as well as capturing of business value, as a result of the potential to increase the value of information, relative to the extent of information usage (Tallon & Scannell, 2007, 17*).
3.2.2 Content
Introduction
Page 23 of 71 artifacts has received the least attention in literature. However, Tiwana et al. (2013) raise the relevance of the “Content” dimension because we enter the era of big data analytics. Moreover, according to Tiwana et al. (2013: P. 3) it is the “strategic assumption of information scarcity” that is being replaced by information abundance. The main argument here is that if firms want to be able to make sense of massive amounts of real-time data, it is necessary to develop theory around the content dimension in ITG.
The distinction between IT artifacts and content can be described based on a citation by Tallon et al. (2013, 17):
“IT does matter, but not because of hardware or even standard commercial software. It is because the intelligent and innovative application of information solves business problems and creates customer value at high speed, low cost, and the right scale. To put it simply, it’s not about the box; it’s about what’s inside the box” (Broadbent et al., 2003: P.10).
The box itself can be referred to as the IT artifacts, whereas what is inside the box can be referred to as the content in ITG.
Content in ITG
Why is it that the content dimension of ITG has received the least attention in literature (Tiwana et al., 2013) while in this paper it already is clear that sustainable value is more in the nature of nonphysical IT artifacts than it is in the physical IT artifacts? (Tallon & Scannell, 2007, 17*). The most important initiator of the growing importance of governing information in organizations is the ever-increasing amount of data that is stored in data centers, with examples of organizations doubling the amount of data each year (Lyman & Varian, 2003, 17*; Tallon & Scannell, 2007, 17*). The key is in the process of interpreting information based on raw data, where information is a key input in organizational decision making (Luftman & Ben-Zvi, 2011, 17*). Moreover, information is a crucial element in the process of creating value within organizations (Luftman & Ben-Zvi, 2011, 17*).
A central theme in governing the content, “what is inside the box” (Broadbent et al., 2003: P.10, 17*), is to what extent the boundaries of the IT function of a firm are internal or external (Valorinta, 2011, 22). In literature, it is acknowledged that the ability of firms to control the internal and simultaneously the external IT resources, provides a basis for gaining superior firm performance (Park et al., 2017, 12). The main elements that should be included in an ITG framework is the organizational data, application systems, and people (Parent & Reich, 2009, 11). Social capital in the perspective of an ITG framework is an important factor, because the degree of social capital in an organization drives the creation of business value (Schlosser et al., 2015, 15). The main task for organizations is to align the amount of social capital at the organizational level and the respective IT level (Schlosser et al., 2015, 15).
Page 24 of 71 for organizations that Xue et al. (2011, 26) raise is that dependent on the level of environmental uncertainty, organizations need to trade of the benefits of local responsiveness in information processing at the one hand, with the benefits of control and coordination by means of centralization in ITG decision making at the other hand.
Intermediate conclusion
At the content level, information is a crucial element in the process of creating value within organizations of any size (Luftman & Ben-Zvi, 2011, 17*). Social capital in the perspective of an ITG framework is an important factor, because the degree of social capital in an organization drives the creation of business value (Schlosser et al. (2015, 15). The main task for organizations is to align the amount of social capital at the organizational level with the amount of IT social capital in the organization (Schlosser et al., 2015, 15).
3.2.3 Stakeholders
Introduction
Part of the dimension “What is Governed” of the ITG Cube (figure 2) is “Stakeholders”. Stakeholders in respect to ITG refer to the stakeholders involved in producing and consuming the IT artifacts and the content of the IT artifacts (Tiwana et al., 2013). According to Tiwana et al. (2013) the stakeholders concerned in producing and consuming IT artifacts and its content have received moderate attention among scholars.
Relational mechanisms
By understanding the information value dimension [in section 3.2.1.], it is clear that the ITG discussion and efforts transitions to a more pronounced boardroom issue. Consequently, organizations have evolved in divergent forms and constellations (Tiwana et al., 2013). This
evolution of organizational formats defy the traditional boundaries of
centralization/decentralization and insourcing/outsourcing (Tiwana et al., 2013). Therefore, to be effective in the ITG strategy, it is important to clearly identify the internal and external stakeholders of the organization which should be included in the ITG framework.
Internal stakeholders of an organization are the shareholders, employees, management, executives and the board of directors, whereas the most important external stakeholders of an organization are its clients and potential clients. The relational mechanisms in ITG are defined as “the active participation of, and collaborative relationship among, corporate executives, IT management, and business management” (Peterson, 2003: P65, 19*). (Tiwana & Kim, 2016, 19*) have identified a growing trend in organizations to simultaneously insource and outsource the same IT activities, spanning the boundary of internal and external processes, which can be referred to as “concurrent IT sourcing” (Tiwana & Kim, 2016: P.101, 19). The boundaries of the internal and external processes should be monitored, to verify alignment of stakeholder objectives and examine the performance improvements as a result of concurrent IT sourcing (Tiwana & Kim, 2016, 19).
Regulatory compliance
Page 25 of 71 underlines the importance of the awareness of the actual procedures and processes in organizations, because of the relevance to organizational value creation and capturing, in which employees play a key role (Zolper et al., 2013, 27). In a qualitative study by Spears & Barki (2010, 16) informants of organizations were interviewed in regard to compliance with the Sarbanes-Oxley act. The interviews contribute in understanding the types of activities and security controls in which the employees / users participate in combination with the associated outcomes (Spears & Barki, 2010, 16).
An important outcome of the study by Spears & Barki (2010, 16) is that organizations should engage in Security Risk Management (SRM) practices in order to achieve regulatory compliance. SRM is defined as a continuous process of “identifying and prioritizing IS security risk, and implementing and monitoring controls” in order to address the IS security risks (Spears & Barki, 2010: P.505, 16). Mitigating (IS security) risks contributes to the ability of capturing value. The internal organization, especially, benefits from engaging in SRM practices because the employees are a key element in ITG and in reducing IT security risks.
In traditional Information Security literature, users are often portrayed as the weakest link in (IT) security of organizations (Spears & Barki, 2010, 16). However, contrary to the traditional view, Spears & Barki (2010, 16) argue that users may be an important resource in regard to IS security, because of the essential business knowledge that the internal users have, driving business value creation. Another aspect argued by Spears & Barki (2010, 16) is the effect of user participation, which is effective in engaging users to protect sensitive and critical information in the business processes.
Intermediate conclusion
The growing trend of organizations to simultaneously insource and outsource IT activities, “concurrent IT sourcing”, implies organizational challenges, in order to align stakeholder objectives and foster organizational performance improvements (Tiwana & Kim, 2016: P.101, 19). To drive stakeholder alignment, the boundaries of the internal and external processes should be monitored. (IS security) risks should be mitigated in order to foster the continuity of business value creation and capturing. Therefore, it is relevant and important for organizations to engage in SRM practices.
3.3 How Is It Governed
3.3.1 Decision Rights
Introduction
Part of the dimension “How Is It Governed” of the ITG Cube (figure 2) is “Decision Rights”. Agency Theory can be used as a perspective to explain and evaluate the distribution of ITG decision rights in organizations. Decision Rights in ITG refer to the allocation of decision rights used as a mechanism to govern (Tiwana, Konsynski, & Venkatraman, 2013).
Allocation of ITG decision rights
Page 26 of 71 steeply decreasing market values and as a result the resignation of board members of the respective organization (Benaroch & Chernobai, 2017, 1). The resulting effect from failures does not only hold for large enterprises; operational IT failures negatively impact the reputation of a firm, irrespective to the firm size (Benaroch & Chernobai, 2017, 1).
By engaging in ITG practices, a goal is to encourage desirable behavior in the prioritization and use of IT (Karhade et al., 2015, 8). Because of the impact of IT failures, internal as well as external to the organization, responsibility and decision rights need to be centralized to a great extent and concentrated in the top of organizations (Benaroch & Chernobai, 2017, 1). Because decision rights are integral to ITG, it is important that organizations engage in an effective IT portfolio prioritization (Karhade et al., 2015, 8). Moreover, decision rights and the impact of failures is very relevant in respect to strategic business opportunities, and as a result the process of value creation and capturing in organizations (Karhade et al., 2015, 8). The rationale is that a misalignment between the decision rights / decision rationale, results in investments in unsuitable IT initiatives, and as a result the organization fails in acting on key IT-enabled strategic business opportunities (Karhade et al., 2015, 8).
Mitigating risk and (re-)gaining trust
According to Carr (2003, P.11, 1*) the impact of operational IT failures is that it “can paralyze a company’s ability to make its products, deliver its services, and connect with its customers, not to mention foul its reputation”. What is most important in relation to the regulatory compliance, is that, in general, operational IT failures compromise the “confidentiality, integrity, or availability of data assets or functional IT assets responsible for the creation, storage, processing, transport, and safeguarding of the data” (Benaroch & Chernobai, 2017, P.730, 1). This is especially important in regard to the GDPR, because one of the main pillars is that organizations are responsible for maintaining the confidentialty and integrity of (customer) data (Chassang, 2017; Mikkonen, 2014). Therefore, balancing tensions between autonomy and synergy supports in the alignment of business and IT in organizations (Williams & Karahanna, 2013, 23).
Page 27 of 71 Intermediate conclusion
The allocation of ITG decision rights is important for organizations of any size, because failures as a result of decision rights misallocation can have an enormous impact on the viability and performance (business survival) of any company (Benaroch & Chernobai, 2017, 1). To mitigate the risks of decision rights in ITG, the IT competency level of the board is effective to ensure the alignment of the business and IT objectives, and to stimulate organizational performance and thus the creation of business value (Williams & Karahanna, 2013, 23).
3.3.2.1 Control
Introduction
Part of the dimension “How Is It Governed” of the ITG Cube (figure 2) is “Control”. Control in ITG refers to formal and informal control mechanisms used as a mechanism to govern (Tiwana, Konsynski, & Venkatraman, 2013).
Regulatory compliance
From a regulatory compliance point-of-view, the effectiveness of an internal control mechanism is of high importance: according to the Sarbanes-Oxley Act top management of public companies (in the United States) are responsible for an adequate design and operation of an effective system of internal control (Kerr & Murthy, 2013, 9). For example, how effective the system of internal control is in safeguarding a high integrity and reliability of the financial reporting system of the organization (Kerr & Murthy, 2013, 9).
IT is a key enabler of organizational competitiveness and performance; in today’s business environment, IT is the main driver of organizations that enables to control and enables to improve business performance and business value creation (Kerr & Murthy, 2013, 9). However, while organizations rely heavily on IT, the introduction of IT in organizations can introduce risks which need to be managed (Kerr & Murthy, 2013, 9).
Outsourcing
According to Thouin et al. (2009, 18) outsourcing IT can reduce the costs of IT management to the firm. An advantage of IT outsourcing is that it enables an organization to increase the focus on the core business, rather than focusing on administrative functions such as security management or data center management (Thouin et al., 2009, 18). Another advantage is the cost efficiency involved with outsourcing to a specialized IT partner, achieved by economies of scale and scope, and high concentration of external expertise and experience (Kerr & Murthy, 2013, 9).
However, outsourcing may introduce risks because of potential deficiencies in the planned and actual governance structures and IT implementations. Not only the dimensions of business and IT need to be bridged, it also involves bridging the internal and external boundaries of the organization. This is highly relevant, since Zolper et al. (2013, 27) argue that most executives are not aware what and why is different in planned and the actual procedures and structures.
Risk mitigation by implementing an ITG control framework
Page 28 of 71 Information and Related Technology” (CobiT) prescribes optimal methods of managing IT risks (Kerr & Murthy, 2013, 9). The “what” question is central to the CobiT framework, instead of the “how” question (Bouker, 2008: P.18). The CobiT framework describes a diverse set of specific IT control and security processes that an organization can implement to enhance the organizational ability to achieve business goals and to improve internal control (Kerr & Murthy, 2013, 9).
CobiT framework explained: an ITG control framework
The CobiT framework is widely used by IT managers and increasingly used by managers and auditors in the context of evaluating IT control systems (Kerr & Murthy, 2013, 9). The main focus of the CobiT framework is on the management and especially control of IT , with the goal to create and capture business value through the effective use of IT (Kerr & Murthy, 2013, 9).
The CobiT framework consists of 34 key IT control and security processes that have to be managed in order to realize effective ITG (Kerr & Murthy, 2013, 9). The control and security processes comprise of activities and risks that must be managed (Kerr & Murthy, 2013, 9). The corresponding IT processes are arranged in four domains, corresponding to the major areas of responsibility within IT: 1) Plan and Organize (plan), 2) Acquire and Implement (build), 3) Deliver and Support (run), and 4) Monitor (evaluate) (Kerr & Murthy, 2013, 9).
The focus of the 34 key IT control and security processes is not about the detailed arrangement of the specific technical details (ISACA, 2012). Instead, it is about governance, management and control to align between the business requirements and how IT can empower the business (ISACA, 2012). In executing the 34 processes, the CobiT framework can be extended with other standards, for example ITIL and Prince 2 (Bouker, 2008). These standards extend CobiT from an operational point-of-view, which enables organizations to implement the core of the CobiT framework, without the need to implement other ITG related frameworks. CobiT, therefore, enables a focused and transparent implementation of ITG in organizations (Bouker, 2008).
Intermediate conclusion
The risks of deficiencies introduced by IT outsourcing can be formally arranged and mitigated in organizations of any size by engaging in ITG control practices, and implementing the CobiT ITG control framework. By describing the what question in accordance to the internal and external (IT) processes, the boundary spanning process is supported in not only stimulating the Business-IT alignment, but also the alignment between the different internal and external parties involved in the process of governing and executing the IT framework, driving organizational performance and the process of creating and capturing business value.
3.3.3 Architecture
Introduction
Page 29 of 71 form of control, in contrast to a fully arranged ITG framework (for example, the CobiT ITG control framework) (Tiwana, Konsynski, & Venkatraman, 2013).
IT architecture as a governing mechanism
In ITG literature, there is a distinction between two broad types of IT assets: apps and infrastructure (Tiwana & Kim, 2015, 20). In ITG, apps are less abstract to the organization, and more “visible” for the employees. Arguably, this does support in the process of governing apps and to an extent the infrastructure in organizations. According to Tiwana & Kim (2015, 20) being able to bridge between the technical spectrum and business processes in organizations is a prerequisite in order to effectively use IT architecture as a mechanism to govern.
Boundary spanning: development of IT architecture
The control of boundary spanning between the technical spectrum and business processes is in-line with the article of Zolper et al. (2013, 27). It is argued that in order to be successful in ITG, an ITG framework should be implemented across all relevant levels and functions within the organization (Zolper et al., 2013, 27). The ITG framework should span the internal as well as the external processes, including information about the specificity of the processes (Thouin et al., 2009, 18). Accordingly, by outsourcing processes and IT activities with a low specificity, the firm’s financial performance can be improved (Thouin et al., 2009, 18).
By effectively combining the respective business processes and the technical spectrum, organizations are able to create value, as long as the technical and business knowledge is bridged (Tiwana & Kim, 2015, 20). It is the process of seizing a business opportunity, in which the specific use of IT can create a competitive advantage (Tiwana & Kim, 2015, 20). Interestingly, the main driver of business value creation is not based on IT itself, but rather on how IT is used (Tiwana & Kim, 2015, 20).
Strategic alignment
In the process of value creation and capturing by implementing an ITG framework, the how refers to the strategic alignment of IT with the business processes and business opportunities (Tiwana & Kim, 2016, 19). It is referred to as “Strategic IT agility” (Tiwana & Kim, 2016: P. 656, 19), in which firms use IT to consistently create a series of (temporary) advantages, by introducing new products, services, or other processes in which rivals are unable to timely adapt to or copy the advantage.
To develop the “Strategic IT agility” (Tiwana & Kim, 2016: P. 656, 19) of an organization, it is a prerequisite that the IT architectures and ITG framework allow for the demanded agility. The IT organization (whether in-house or outsourced) and the IT architecture of the organization should be designed to be adaptive and agile to the changing and dynamic business requirements (Tiwana & Konsynski, 2010, 21).
Page 30 of 71 Intermediate conclusion
The organizational ability to be able to bridge business processes and IT is a prerequisite in order to effectively use IT architecture as mechanism to govern (Tiwana & Kim (2015, 20). Because of the lower costs of control involved, the use of IT architecture itself as a governing mechanism does fit very well as a governing mechanism for SMEs. The main argument is that SMEs, in general, are resource constrained (Bruderl & Schussler, 1990). By effectively combining the respective business processes and the technical spectrum (IT), organizations of any size are able to create value, as long as the technical and business knowledge is bridged (Tiwana & Kim, 2015, 20). “Strategic IT agility” (Tiwana & Kim, 2016: P. 656, 19) enables organizations to be adaptive and agile to changing business requirements, while maintaining business/IT alignment, driving business value creation.
3.4 Outcomes
3.4.1 Business value and performance
Introduction
The main objective of ITG is business value creation through the effective use of IT in organizations (ISACA, 2012). Business value creation is defined as “realizing benefits at an optimal resource cost while optimizing risk” (ISACA, 2012: P.13). Benefits realization, risk optimization and resource optimization are the core pillars of the ITG objective (ISACA, 2012. Optimizing risk can be achieved by adequately balancing the realization of benefits, the associated risks and resource optimizations, and alignment with the business objectives (ISACA, 2012). Subsequently, the business objectives are governed through effective ITG practices.
Business value
In literature, it is recognized that organizations rely on IT at in increasing pace, fueled by significant IT-enabled investments (Buchwald et al., 2014, 3*). At the same time, organizations are under pressure to become more agile because of environmental uncertainty (Reynolds & Yetton, 2015, 14). Keeping up with the industry clock speed is important for the sustainability of the business value proposition, because in modern organizations IT is deeply embedded within the business strategies to enable new business models (Reynolds & Yetton, 2015, 14).
Page 31 of 71 To be effective in ITG, it is important that the objectives of the stakeholders are aligned (Buchwald et al., 2014, 3). The ITG framework should control for the boundaries spanning internal and external to the organization, and the boundaries spanning inside the organization (Zolper et al., 2013, 27). The goal of ITG structures in organizations is to help creating a positive business/IT relationship, in which employees are empowered according to the planned ITG structures and processes (Zolper et al., 2013, 27). The people aspect is important, to understand the dynamics of ITG structures, and because the employees have to realize the formally designed ITG structures and processes (Zolper et al., 2013, 27).
Organizational performance
In literature, the effect of ITG of organizational performance is considered as a uniform dimension between financial or nonfinancial performance (Park et al., 2017, 12). Interestingly, the more recent literature quests for a multidimensional approach to performance outcomes of ITG, to include other factors such as operational efficiency, market growth and innovation (Park et al., 2017, 12). The reconsideration of the performance outcomes of effective ITG, is in-line with the recent literature that focuses on cloud computing services (CCS) (Prasad & Green, 2015, 13).
The IT intensive business landscape is viewed as dynamic, and requires a continuous understanding of strategies to manage risk and control the business environment (Prasad & Green, 2015, 13). To cope with the environmental turbulence, it is argued that organizations should embrace a diversified approach to business/IT alignment (Reynolds & Yetton, 2015, 14). In this diversified approach, there is not a single business/IT alignment strategy (Reynolds & Yetton, 2015, 14). Rather, it is recognized that business /IT strategic alignment creates value at multiple levels in an organization, by integrating and reconfiguring IT resources available to the organization (Reynolds & Yetton, 2015, 14; Park et al., 2017, 12). To be able to create and especially capture the business value created by ITG efforts, multiple business/IT alignment strategies can be adopted by the organization to improve continuous business/IT alignment with the dynamic organizational environment (Reynolds & Yetton, 2015, 14).
Internal control and financial performance
Organizations often apply the concept of ITG in order to justify IT investments (Lunardi et al., 2014, 10). Financial performance in regard to ITG is important, because, on average, organizations that adopt ITG practices show an improvement in financial performance (Lunardi et al., 2014, 10). The improvement in financial performance especially reflects in regard to the profitability of the firm (Lunardi et al., 2014, 10). The underlying argument is that companies with good IT governance models, are better able to make IT decisions (Lunardi et al., 2014, 10). Moreover, the financial performance improvements are grounded in overall efficiency improvements (Lunardi et al., 2014, 10). Examples of efficiency improvements fueled by ITG adoption are cost reductions and better IT infrastructure utilization (Lunardi et al., 2014, 10). IT decisions and cloud computing services (CCS)
Page 32 of 71 increasingly adopt CCS, which mitigates internal IT risks, but introduces business risks incorporated by the cloud service providers and intermediaries (Prasad & Green, 2015, 13). When implementing CCS in organizations, it is important to reconsider ITG structures to re-achieve business/IT alignment, adjusted to the new risk level that is introduced by implementing CCS in the organization (Prasad & Green, 2015, 13). When outsourcing IT in organizations, the financial performance improvements can be increased by complementary investments in internal IT (Han & Mithas, 2013, Beimborn. When implementing CCS or outsourcing IT, a reconsideration of ITG structures and processes improves overall business process performance, and allows for business value creation (Prasad & Green, 2015, 13).
Internal control and risk assurance
Consequently, internal control over financial reporting is one of the top three concerns of managing IT in organizations, grounded in regulation, e.g. the Sarbanes-Oxley Act (Kerr & Murthy, 2013, 9). The CobiT framework supports in evaluating the effectiveness of the internal controls (Kerr & Murthy, 2013, 9). As a result of implementing adequate ITG mechanisms, strategic IT alignment can be achieved (Wu et al., 2015, 25). Strategic IT alignment encompasses the alignment of strategy, plans, operations, and processes in the context of business/IT alignment (Wu et al., 2015, 25). Facilitating adequate internal control over financial reporting implies that, through policies, procedures, practices and organizational structures, “reasonable assurance is provided to the organization that the business objectives will be achieved and undesired events will be prevented, or detected and corrected” (Kerr & Murthy, 2013: P.590, 9). Risk assurance is important, because organizations rely heavily on IT to control and improve business performance, and consequently to assure the process of business value creation and capturing (Kerr & Murthy, 2013, 9).
Intermediate conclusion
