IT Governance: how decisions and structure are
influenced by IT outsourcing
Master thesis, MScBA, specialisation Change Management
University of Groningen, Faculty of Economics and Business
Tuesday, April 22nd 2008
J. Lindhout
Student number: 1576259
Tel. 06 241 999 62
E-mail: jimlindhout@gmx.net
Supervisors
Prof. Dr. A. Boonstra
Drs. D.J. Schaap
II
ABSTRACT
Organisations make decisions about how to handle IT and additionally whether to outsource IT activi-ties or not. IT Governance helps organisations to control IT by specifying the decision rights to en-courage desirable behaviour regarding IT. Weill and Ross (2004) performed extensive research in the field of IT governance and showed that IT governance concerns five main decisions; IT principles, IT architecture, IT infrastructure, business application needs, and IT investment & prioritisation. How-ever, this research does not take account for the situation of outsourcing. This thesis studies this par-ticular field by looking at the changes in decisions and structure, as that is what IT governance is all about. Even though there has been little explicit research into how IT governance is influenced by IT outsourcing, several studies show tasks for the organisation to fulfil. Linking this outsourcing theory to the decisions of Weill and Ross (2004) shows IT governance is about six decisions; IT principles, IT architecture, business application needs, IT investment & prioritisation, contracts, and vendor rela-tions. Three case study organisations that have experience with IT outsourcing are explored to enhance the understanding about how IT governance is influenced by IT outsourcing. Combining insights from theory and cases shows that IT governance is about a total of eight decisions, of which two change and two are new, owing to IT outsourcing; IT principles, IT architecture, IT infrastructure, business appli-cation needs, IT investment & prioritisation (changes), contracts (new), vendor relations (new), secu-rity & compliance (changes).
III
CONTENT
1. INTRODUCTION ... 5 1.1. BACKGROUND ... 5 1.2. PROBLEM STATEMENT ... 6 1.3. PREVIEW ... 7 2. IT GOVERNANCE ... 8 2.1. ITGOVERNANCE ... 8 2.2. DECISIONS ... 8 2.3. STRUCTURING IT GOVERNANCE ... 10 2.4. SUMMARY ... 11 3. IT OUTSOURCING ... 12 3.1. ITOUTSOURCING ... 123.2. TASKS OF THE RESIDUAL-ORGANISATION ... 13
3.3. IT CORE COMPETENCES ... 14 3.4. GOVERNANCE CONSIDERATIONS ... 16 3.5. CONCLUSION ... 17 4. INFLUENCE ON IT GOVERNANCE ... 18 4.1. DECISIONS ... 18 4.2. STRUCTURE ... 20
4.3. CONCLUSION AND IMPLICATIONS ... 20
5. METHODOLOGY ... 21 5.1. DATA COLLECTION ... 21 5.2. DATA ANALYSIS ... 22 6. RESULTS ... 23 6.1. PART 1 STRUCTURE ... 23 6.1.1. STOCK&CO ... 23 6.1.2. PAINT&CO ... 24 6.1.3. HEALTH&CO ... 26 6.1.4. SUMMARY PART 1 ... 27 6.2. PART 2 DECISIONS ... 28
6.2.1. IMPACT OF OUTSOURCING ON DECISIONS ... 28
IV 7. DISCUSSION... 31 7.1. DECISIONS ... 31 7.2. STRUCTURE ... 33 7.3. CONCLUSION ... 34
7.4. LIMITATIONS AND RECOMMENDATIONS FOR FUTURE RESEARCH ... 35
REFERENCES ... 36
LIST OF FIGURES
FIGURE 1CONCEPTUAL MODEL ... 6FIGURE 2ITGOVERNANCE DECISIONS ... 9
FIGURE 3CHARACTERISTICS OF EACH STRUCTURE ... 10
FIGURE 4RESEARCH MODEL ... 20
FIGURE 5ITGOVERNANCE STRUCTURE STOCK&CO ... 24
FIGURE 6ITGOVERNANCE STRUCTURE PAINT&CO ... 25
FIGURE 7ITGOVERNANCE STRUCTURE HEALTH&CO ... 26
FIGURE 8ITGOVERNANCE CHANGES AS RESULT OF OUTSOURCING ... 34
LIST OF TABLES
TABLE 1GOVERNANCE CONSIDERATIONS ... 16TABLE 2INTEGRATION OF OUTSOURCING THEORY ... 17
TABLE 3STRUCTURING IT GOVERNANCE DECISIONS BEFORE OUTSOURCING ... 27
TABLE 4STRUCTURING IT GOVERNANCE DECISIONS AFTER OUTSOURCING ... 27
~ 5 ~
1. INTRODUCTION
1.1. B
ACKGROUNDInformation Technology (IT) has shifted from being solely a supportive tool to a strategic asset requir-ing severe attention from management (van der Zee, 1996). The increased importance of IT over the past decades shows how dependent we are on computer systems (van der Velden & van Grembergen, 2004) and led managers and scientists to the question of how to stay in control over IT. An answer is provided with IT governance which is described by Parkes (2004:17) as a subset of corporate govern-ance that refers to how well an organisation governs or controls those of its activities that involve the use of IT. To determine how well this is done, or what makes good governance, one needs to under-stand the decisions regarding IT and how these decisions are structured. The importance of decisions to be taken is well investigated by Weill and Ross (2004). Their research showed five main decisions to be made; IT principles, IT architecture, IT infrastructure, business application needs, and IT invest-ment & prioritisation. The research also identified a pattern by which most organisations govern IT. Result is that most organisations govern IT by structuring decisions not fully centralised or decentral-ised but somewhere in the middle called ‘hybrid’.
Though Weill and Ross (2004) extensively investigated IT governance one major development was not included or paid attention to, namely outsourcing. Whatever the reason to enter into outsourc-ing, it has an important influence on the way an organisation controls its IT activities and therefore how decisions are made. Trites (2004:93) makes this explicit; ‘It is clear that outsourcing does not relieve the management or directors of any responsibility … it adds to the complexity of their respon-sibilities because they have delegated certain responrespon-sibilities to others but must remain accountable’. Though extensive research has been carried out by scientists (Earl, 1991; Grant, 1992; Huber, 1993; Quinn, 1992; Willcocks, 1994) about outsourcing few (Feeny & Willcocks, 1998; Parkes, 2004; Will-cocks & Fitzgerald, 1996) made the link between governance and outsourcing.
I
NTRODUCTION~ 6 ~
Research by Giarte and Morgan Chambers (Boot & Gianotten, 2008) showed some of the implications for IT governance. Many organisations chose to outsource as stakeholders exerted the need to reduce costs, however not realising the new challenges of dealing with a vendor. IT governance ties the sepa-rate elements of an outsourcing cycle together to stay in control over IT. Without understanding how decisions and the IT structure change, processes stay complex and are likely to be slow (Boot & Gianotten, 2008).
1.2. P
ROBLEM STATEMENTThe above given information shows there is a certain gap in current literature between IT governance and IT outsourcing. As IT outsourcing is and will stay important (Ogburn, 1994) an urge to understand the impact of IT outsourcing on IT governance evolves (Parkes, 2004). This thesis will contribute to current literature by looking at the effect of IT outsourcing on IT governance, visualised in figure 1. As IT governance is all about the decisions and structure regarding IT, the objective is formulated as; This study aims to promote our understanding of the influence of IT outsourcing on IT governance, especially with regard to decisions and structure.
Figure 1 Conceptual model
In order to find out what the effect (?) is of IT outsourcing on IT governance the research question is formulated as; How does IT outsourcing influence IT governance, specifically for decisions and struc-ture?
Sub questions have been formulated to help answer the research question; What is IT governance?
What types of decisions are made? How can IT be structured?
What is IT outsourcing?
I
NTRODUCTION~ 7 ~
1.3. P
REVIEW~ 8 ~
2. IT GOVERNANCE
The research scope contains two main fields for this study to focus on and one of them is IT govern-ance. This chapter will first take a look at what governance is and how it differs from other practices in the IT organisation, followed by an examination of the decisions involved. The chapter continues with information about archetypes and concludes with three main types of structure an organisation can adopt.
2.1. IT
G
OVERNANCEThough IT governance received extensive attention (Brown & Grant, 2005; Webb et al., 2006; Weill & Ross, 2004; Willcocks et al., 1997) it is still confused by many people with management. This is not surprising as information systems (IS) is a relatively new discipline to social and computing sciences (Webb et al., 2006). Governance determines who makes the decision, while management is the proc-ess of making and implementing the decisions (Weill & Ross, 2004:8). Bird (2001) makes the split between governance and management clear by stating that managers administer, develop, implement and monitor business strategies while the board deals with overall organisation policy, culture and direction.
IT governance is defined in different ways (ITGI, 2003; Webb et al., 2006; Weill & Ross, 2004) but this study will use the definition of Weill and Ross (2004) as they did not just use existing research but also performed research at over 200 enterprises. IT governance is; ‘Specifying the deci-sion rights and accountabilities framework to encourage desirable behaviour in the use of IT’ (Weill & Ross 2004:8).
This definition will help organisations to better understand how to successfully govern IT. One might argue that people will show the desired behaviour automatically when the decisions are speci-fied. However, Weill and Woodham (2002) showed that is not true as the IT governance structure of top performers reflects better harmony between IT decision-making, desirable behaviour and objec-tives. Desirable behaviour and goals may vary at each organisation depending on the chosen strategy (de Wit & Meyer, 2004), but IT decision-making covers the same areas for each organisation as the next paragraph will show.
2.2. D
ECISIONSIT
G
OVERNANCE~ 9 ~
Figure 2 IT Governance decisions (Weill & Ross, 2004)
IT principles refer to a related set of high-level statements about how IT is used in the business (Weill & Woodham, 2002). By clarifying the enterprise’s objectives of IT the principles can be discussed, debated, supported, overturned and evolved. As such it will help to understand the role of IT in the business. Furthermore these principles relate back to the definition of IT governance by identifying what desirable behaviour is.
IT architecture provides an integrated set of technical choices to guide organisations in satis-fying business needs. IT architecture is; the organising logic for data, applications, and infrastructure, captured in a set of policies, relationships, and technical choices to achieve desired business and tech-nical standardisation and integration (Weill & Ross, 2004:30). IT architecture is important because integration and standardisation shape IT capabilities. Furthermore, it is the architecture that changes management processes necessary to exploit new technologies.
IT infrastructure is made up of the standard and shared IT services that are centrally coordi-nated and describes the approach to building the IT foundation of the organisation (Weill & Woodham, 2002). Too much investments or implementing the wrong infrastructure results in wasted resources, delays and system incompatibilities with business partners. Decisions include requirements for infrastructure capabilities as well as the location of capabilities within the firm. Understanding these decisions means providing cost-effective services that position the enterprise for rapid adoption of new business applications.
Business application needs concerns business requirements for purchased or internally devel-oped IT applications (Weill & Ross, 2004). Whereas other decisions concern the business value of IT, it is the business application needs that generate value directly, which means an organisation needs to balance creativity and discipline. Creativity concerns identifying new and more effective ways to de-liver customer value, whereas discipline concerns architectural integrity. Most importantly, managers dealing with these decisions must know how to design organisational change and then make it happen. However, these decisions are probably the least mature of all IT governance decisions.
IT
G
OVERNANCE~ 10 ~
Taking a close look at the decisions shows Weill and Ross (2004) in essence talk about activities for IT. Another interesting thing to see is that these ‘activities’ all seem to build on the idea of standardi-sation.
2.3. S
TRUCTURINGIT
GOVERNANCEDetermining the decisions to be made about IT governance is not enough; organisations also need to understand how these decisions can be structured and what the consequences of a chosen structure are. Weill and Ross (2005) showed that there are three main ways to structure IT decisions, namely; cen-tralisation, hybrid and decentralisation. Both centralisation and decentralisation have its advantages and disadvantages whereas hybrid combines the advantages of both structures into one new structure, see figure 3. The combined advantages call for four new activities to focus on. The objective of func-tional leadership is to ensure that IT is being applied as effectively as possible across the group (Hodgkinson, 1996:262). The group-wide perspective evolves as diversity amongst business units needs to be minimised. Consequently one coherent vision and approach towards IT is needed across business units to create an environment that enables synergy. Synergy creates the ability to reduce costs but also maximise support between business units, which results in pooled experience where there is good interaction between group IT members (Hodgkinson, 1996).
Figure 3 Characteristics of each structure (Hodgkinson, 1996)
IT
G
OVERNANCE~ 11 ~
Decentralisation is more suitable when an organisation seeks for high growth. Each business unit or department is autonomous regarding IT as it possesses unique characteristics and demands regarding local markets (Runge, 1994; de Wit & Meyer, 2004). The role of the centre shifts to selecting a prom-ising portfolio of businesses, keeping tight financial control and allocating available capital as the business units require freedom from corporate centre interference and cross business coordination (de Wit and Meyer, 2004:311). Weill and Ross (2005) show that organisations with a decentralised struc-ture direct all decisions towards business unit leaders and process owners, except the decision about investment and prioritisation at which corporate level interferes.
As most organisations want a combination of high profit and growth most organisations prefer a hybrid structure (Weill & Ross, 2005). In a hybrid structure business units receive a responsive service from decentralised IT functions, whilst at the same time a corporate IT function provides group-wide IT services and exerts some degree of central leadership (Hodgkinson, 1996:248). Though there is no general lay out for hybrid structures Weill and Ross (2004 & 2005) did identify a common pattern. Decisions about IT principles and business application needs seem more decentralised than centralised as they are made by a group of IT executives and process owners, whereas decisions about IT architec-ture and infrastrucarchitec-ture are preferred to be centralised at executive level. However, organisations do not have a preferred way to structure decisions concerning IT investment and prioritisation. It is evenly spread between centralisation at executive level, decentralisation at process owner’s level and hybrid by a group of executives and business unit leaders.
2.4. S
UMMARYThis chapter provided an answer to the sub question; What is IT governance? with its related questions What types of decisions are made? and How can IT be structured?
~ 12 ~
3. IT OUTSOURCING
The research scope contains two main fields to focus on, chapter two presented information about IT governance, this chapter will focus on IT outsourcing. First IT outsourcing is introduced to show how it affects organisations. The following paragraph presents the tasks of the residual-organisation, fol-lowed by a paragraph about IT core competences and governance considerations. Paragraph five inte-grates the theory and digs deeper into issues for empirical testing.
3.1. IT
O
UTSOURCINGOrganisations using outsourcing were first seen in the 1960’s (Dibbern et al., 2004; Lee et al., 2003) but it was not before the 1990’s that the term outsourcing became well known as more and more or-ganisations placed parts or even whole processes outside their organisation. Motives to enter into out-sourcing vary at each organisation, but most important reason is to lower costs by concentrating on those activities at which an organisation outperforms others, and outsource the rest (Dibbern et al., 2004; Prahalad & Hamel, 1990). It may be obvious that this study focuses on IT, so when outsourcing is mentioned it refers to IT outsourcing.
Several definitions of outsourcing are known (Apte et al., 1997; Chaudhurry et al., 1995; Cheon et al., 1995; Fitzgerald & Willcocks, 1994; Hancox & Hackney, 1999; Hu et al., 1997; Kern, 1997; Lacity & Hirschheim, 1993; Loh & Venkatraman, 1992; Willcocks & Kern, 1998). However, this study will build on the definition of Kern (1997:37) as it encompasses elements of the other defi-nitions as well: ‘A decision taken by an organisation to contract-out or sell the organisation’s IT as-sets, people, and/or activities to a third party vendor, who in exchange provides and manages assets and services for monetary returns over an agreed time period’.
This definition helps to narrow down the scope of this study as outsourcing only refers to those organisations that previously carried out the IT activities in-house after which a decision was made to place the IT activities outside the own organisation by shifting it to a vendor. Several authors (Lacity & Hirschheim, 1995, Willcocks & Fitzgerald, 1994) describe various arrangements or options for outsourcing of which most are irrelevant to this study. One that is important is the percentage of IT activities to be outsourced. When total outsourcing is mentioned this study refers to the situation where 80 per cent or more of an organisation’s IT budget is spent on outsourcing (Willcocks & Fitz-gerald, 1996).
IT
O
UTSOURCING~ 13 ~
decision-making process. This shows that though most activities are performed at the vendor, the re-sidual-organisation still needs to question itself how to deal with IT; how to control and govern IT.
Outsourcing activities leaves a scattered organisation behind as several activities are cut out and transferred to the vendor. To get a hold of this scattered organisation several scientist defined tasks and competences for the residual-organisation to fulfil, which are presented in the following paragraphs.
3.2. T
ASKS OF THE RESIDUAL-
ORGANISATIONWillcocks and Fitzgerald (1996) showed that whatever activities are outsourced there is a minimum set of tasks that cannot be outsourced; business and IT strategy, business development, systems inte-grator, informed buyer, contract monitoring, contract intermediary and exploiting vendor relations. Business and IT strategy IT strategy was found to be so important that it could not be delegated to an outside party. Still, this task presents a challenge for organisations as a combination of understanding the IT potential and business needs is required.
Business development may be regarded as strategic IT and business thinking at the applica-tion, or business function level. This basically means that even though an organisation enters into out-sourcing it must still be able to evaluate the impact of new IT products on the business.
Systems integrator was regarded as important when kept in-house, but even more important when services and systems were outsourced. Duplication of systems or gaps between different systems seems inevitable without a systems integrator, as the organisation tends to end up with independent systems. All of this will end up in the situation where one department is probably unaware of what the other departments are doing.
Informed buyer was seen as crucial owing to the new requirements that were not automati-cally undertaken in-house. Informed buyer involves the capability to place contracts and negotiate deals effectively, including revisions and additions to the original contract (Willcocks & Fitzgerald, 1996:289).
IT
O
UTSOURCING~ 14 ~
Contract intermediary and exploiting vendor relations overlap each other making it hard to describe them separately. Main point of difference is the knowledge needed about IT. Contract intermediary requires more IT based skills than exploiting vendor relations. In many cases organisations dealt di-rectly with the vendors as if they were an employee, but other organisations used an in-house interme-diary (Willcocks & Fitzgerald, 1996:290). Despite the contract with the vendor, organisations felt a need to exploit vendor relations at another level. This may involve business development opportuni-ties, sharing risks and rewards or just simple discussions about each other.
3.3. IT
CORE COMPETENCESCore IT competences are defined as only those that a firm must possess to respond to recurring issues over time (Feeny & Willcocks, 1998:10). Feeny and Willcocks (1998) identified a total of nine com-petences; leadership, business systems thinking, relationship building, architecture planning, making technology work, informed buying, contract facilitation, contract monitoring, vendor development. Leadership devises structures, processes and staffing to address challenges and to manage their inter-dependencies. At executive level goals are set and direction is given and as such leaders influence overall business perception of IT. Leaders establish a strong relationship between business and IT and use it to create a shared vision for IT. However, leadership is, of course, the traditional role for the CIO or IT director.
Business systems thinking Persons concerned with business systems thinking need to under-stand the connections and interdependencies in business activity. It is these persons that build and communicate holistic views of current organisation activity in order to envision potentially new pat-terns.
Relationship building Whereas the previous competence is the embodiment of integrated busi-ness/IT thinking it is relationship building that facilitates the wider dialogue between business and IT communities (Feeny & Willcocks, 1998:13). Developing users’ understanding of IT potential, helping users and IT specialists work together in harmony, ensuring users’ ownership and satisfaction is what relationship building is all about.
IT
O
UTSOURCING~ 15 ~
Making technology work Whereas the architect will preferably have a mid to long term focus, people concerned with making technology work will have a short term focus. It is these people that, espe-cially in a complex IT environment, will rapidly troubleshoot problems that are disowned by others across the technical supply chain and identify how to address business needs that cannot be satisfied by standard technical approaches. Result is, these people are not specialists with huge knowledge about a small number of issues but have an understanding of IT’s fundamentals that makes them suit-able for a wide range of IT positions.
Informed buying involves analysis of the external market for IS/IT services, selection of a sourcing strategy to meet business needs and technology issues, leading tendering, contracting, and service management processes (Feeny & Willcocks, 1998:14). As such it will be no surprise that Feeny and Willcocks (1998) found the informed buyer as the most important person next to the CIO. That is, when twenty per cent or more of the IT budget is outsourced, otherwise ‘informed buying’ is one of the CIO’s tasks.
Contract facilitation was identified as the seventh competence by Feeny and Willcocks (1998) as arrangements for delivery of IT services are complex. A single point of contact is provided to ensure user’s problems and conflicts are resolved promptly and fairly, within a predetermined set of agreements and relationships. Although contract facilitation is sometimes set up to help manage exces-sive user demand and cost overruns with vendors, in general, it is a coordinating role that both users and vendors appreciate (Feeny & Willcocks, 1998:14).
Contract monitoring Organisations exploit external IT markets, owing to outsourcing, which shows the need for contract monitoring. This competence focuses on protecting the organisation’s position for current and future situations. It means holding vendors accountable for their performance regarding their contract. To be able to judge how well a vendor performs, organisations match each vendor’s achievement against external benchmarks.
IT
O
UTSOURCING~ 16 ~
3.4. G
OVERNANCE CONSIDERATIONSParkes (2004) identified the considerations of outsourcing for IT governance by looking at different activities to outsource. Most considerations are closely linked to the research of Feeny and Willcocks (1998) and/or Willcocks and Fitzgerald (1996). However, Parkes (2004) does highlight some other considerations, see table 1.
Table 1 Governance considerations
Consideration Linked to Accompanies
Ensure that the contract covers acceptable rights and clear ownership so delivery of new systems is made possible. Ensure that terms of the contract are met and use penalties when necessary
Feeny & Willcocks, 1998
Willcocks & Fitzgerald, 1996 Contracts Security issues become more important when
out-sourcing comes into play. Information may be stored somewhere else requiring security measures for internet and extranet. Arrangements must be made by the vendor for emergencies, so backups can be made and restored.
Security issues
By shifting people to the vendor certain knowledge and expertise is lost. It is important to know where this knowledge and expertise are located in case of emergency.
Expertise
The organisation needs to know how things are carried out, how development takes place, and what performance is. Leaders need to communicate about those issues. Procedures need to be in place about when to directly inform the board of directors.
Feeny & Willcocks, 1998 Communication & leadership
The architectural outlay needs to fit with the organi-sation’s needs just as services provided. Systems need to be able to be integrated into the residual-organisation.
Willcocks & Fitzgerald, 1996 Systems integra-tor
Strategic objectives of the business as well as IT
need to be met, there needs to be a fit between both. Feeny & Willcocks, 1998 Willcocks & Fitzgerald, 1996 Business & IT strategy Information must be new and up to date. Errors
need to be fixed when noticed. Measure perform-ance to keep service high.
Making
technol-ogy work
IT
O
UTSOURCING~ 17 ~
3.5. C
ONCLUSIONWhether it is called tasks, competences or considerations, the three outsourcing theories show similar ideas about how to design the residual-organisation. Table 2, shows how the theories can be linked to each other and what they have in common.
Table 2 Integration of outsourcing theory
Willcocks & Fitzgerald Feeny & Willcocks Parkes Similarities
Business & IT strategy Leadership Business & IT strategy
Communication & leadership
Align business and IT strategy to set direction for the whole organisation to promote desirable behav-iour regarding IT Business development Business systems
thinking Characteristics of IT that organisation requires to support business processes
Informed buyer Informed buying Market knowledge about IT
Systems integrator Architecture planning Making technology work
Systems integrator Making technology work
One coherent IT platform that runs smoothly and has no gaps between systems Contract intermediary Contract facilitation
Contracts Contracts formalise the deal and agreements. Monitor-ing shows trade-off be-tween costs & risks. Contract monitoring Contract monitoring
Exploiting vendor
relations Vendor development Relationship building Keep being attractive to each other to lower costs and increase success
Security issues
Expertise
Though the majority of the considerations of Parkes (2004) is supported by a task or competence, no task or competence supports security issues and expertise. Furthermore, Parkes (2004) does not pro-vides the same level of detailed information as Willcocks & Fitzgerald (1996) and Feeny & Willcocks (1998) do, so security issues and expertise will not be addressed any further in the theoretical section of this paper.
~ 18 ~
4. INFLUENCE ON IT GOVERNANCE
Though the connections between the three outsourcing theories have been made, it is not clear how IT governance is influenced by outsourcing. As decisions and structure determine the IT governance, this chapter shows how the theory of chapter two and three relate to each other. Paragraph one will show how the outsourcing theory can be linked to the IT governance decisions and what the effects are. The second paragraph pays attention to how the IT governance structure is affected by outsourcing, fol-lowed by paragraph three that presents the research model for this study.
4.1. D
ECISIONSThe previous chapter showed what the theories of Feeny and Willcocks (1998), Parkes (2004) and Willcocks and Fitzgerald (1996) have in common. This paragraph will link outsourcing theory to each of the separate decisions of Weill and Ross (2004) to understand how decisions are influenced by out-sourcing.
Business & IT strategy + leadership + communication & leadership = IT principles
Business & IT strategy (Parkes, 2004; Willcocks & Fitzgerald, 1996), leadership (Feeny & Willcocks, 1998), and communication & leadership (Parkes, 2004) are all concerned with business and IT strat-egy. Decisions concerning these tasks help to understand the role of IT in the business and set the di-rection for the residual-organisation to follow. This shows that these decisions are closely linked to IT principles, which is a set of high level statement about how to use IT (Weill & Ross, 2004). The deci-sions itself are not influenced by outsourcing, except that they are structured more centralised, whereas Weill and Ross (2005) found them to be more decentralised.
Business development + business systems thinking = Business application needs
Business development (Willcocks & Fitzgerald, 1996) and business systems thinking (Feeny & Will-cocks, 1998) show that IT needs to follow the business instead of reverse. These decisions match business application needs as both are about the requirements the residual-organisation demands from IT in order to support the business processes. Outsourcing does not alter these decisions, they are still decentralised at business unit level.
Informed buyer + informed buying = IT investment and prioritisation
I
NFLUENCE ONIT
GOVERNANCE~ 19 ~
Systems integrator + making technology work + architecture planning = IT Architecture
Systems integrator (Parkes, 2004; Willcocks & Fitzgerald, 1996), making technology work (Feeny & Willcocks, 1998; Parkes, 2004) and architecture planning (Feeny & Willcocks, 1998) are about defin-ing a blue-print for a technical platform and make sure that IT activities are aligned to each other. Re-search (Feeny & Willcocks, 1998; Willcocks & Fitzgerald, 1996) shows that now that programming activities are outsourced, the residual-organisation wants to be sure that systems are aligned, otherwise that will cause the operation to be inefficient and not reach the desired level of synergy. This shows that decisions about IT architecture change owing to outsourcing. It seems as if architecture as defined by Weill and Ross (2004) shifts from high level statement to operational control as systems integrator and making technology work are more about operational aspects.
Contract intermediary + contract facilitation + contract monitoring + contract management = Con-tracts
Contract intermediary (Willcocks & Fitzgerald, 1996), contract facilitation (Feeny & Willcocks, 1998), contract monitoring (Feeny & Willcocks, 1998; Willcocks & Fitzgerald, 1996) and contract management (Parkes, 2004) cannot be compared to any of the current IT governance decisions. They point to a new decision that will be called; contracts. Contract decisions need to be based on added value of outsourcing IT and control of the risks, which means the residual-organisation needs to find a good balance between tight monitoring increasing costs with lower risks or lower costs with higher risks.
Exploiting vendor relation + vendor development + relationship building = Vendor relations Exploiting vendor relations (Willcocks & Fitzgerald, 1996), vendor development (Feeny & Willcocks, 1998) and relationship building (Feeny & Willcocks, 1998) can also not be compared to any of the current IT governance decisions. As this clearly demonstrates the need for a new decision these three are grouped together as; vendor relations. Vendor relations concerns the situation that the residual-organisation and vendor need to stay attractive to each other. Deals are closed for predefined time periods and should be cherished as switching vendors is costly. It will be cheaper and better for both parties to take advantage of each other’s competences. Risks can be shared to keep being attractive to each other for the future.
IT Infrastructure
I
NFLUENCE ONIT
GOVERNANCE~ 20 ~
4.2. S
TRUCTUREIn general the outsourcing theory showed the need to move towards a centralised IT governance struc-ture. Activities and people are cut out of the organisation by outsourcing and leave a scattered IT or-ganisation behind. In order to get a hold of this scattered oror-ganisation Willcocks and Fitzgerald (1996), as well as Feeny and Willcocks (1998) argue that the residual-organisation needs to adopt a centralised structure. On the hand this centralised structure helps to ensure that employees behave as desired. With a centralised structure the residual-organisation overcomes the problem of different IT standards which may lead to behaviour that conflicts with the overall IT standard. On the other hand, a centralised structure helps to reduces costs (Hodgkinson, 1996), which is the most important reason to outsource as we have seen previously.
4.3. C
ONCLUSION AND IMPLICATIONSThe preceding paragraphs shows there are no longer four IT governance decisions, but six as a result of outsourcing. The residual-organisation needs to make decisions about six fields; IT principles, IT architecture, business application needs, IT investment & prioritisation, contracts, and vendor rela-tions. Though IT principles and business application needs are still important issues for IT governance they have not changed by outsourcing. As this study only aims at organisations that previously carried out all the IT activities in-house, it becomes clear that contracts and vendor relations are new decisions for IT governance owing to the vendor that comes into play by outsourcing. The remaining decisions are affected by outsourcing each in their own way. Together the information of this chapter leads to a research model, see figure 4, which will be used for empirical testing.
~ 21 ~
5. METHODOLOGY
Qualitative research was believed to be better suited, instead of quantitative research. Two reasons underlie and support the use of qualitative data collection. First, the subject of this study is relatively new and complicated thus requiring a data collection method which can obtain specific and detailed information. Second, the initial research objective concerns a ‘how’ question about a set of events over which the researcher has no control. Furthermore, the scope indicates open and explorative character-istics, so a case study seems to be the most appropriate way to collect data (Yin, 2003). Result is, the researcher decided to conduct a small multiple case study at three companies in order to identify if common patterns could be discovered. Multiple cases studies are always in favour of single case stud-ies, when one has the time and resources (Yin, 2003).
To ensure companies would fall within the scope of this research, phone calls were made after which more detailed information was sent by e-mail before making appointments. As a result three companies were selected from different industries. The goal is not so much to make statements about the separate industries, but to make statements in general about IT governance. For reasons of confi-dentiality the organisations are given fictitious names.
5.1. D
ATA COLLECTIONThe primary sources of data comprised a set of interviews at the selected companies, as interviews are well suited for gathering qualitative data. Secondary sources of data comprised documentation, which was made available to discuss during the interviews.
A total of six interviews were performed and people were selected on basis of spending a con-siderable amount of their time to IT governance and not solely IT management, which meant that the level of senior management or above was asked to participate. Result was that at Health&Co it was only possible to interview one manager, as the residual IT organisation consisted of only one person.
M
ETHODOLOGY~ 22 ~
5.2. D
ATA ANALYSISTo prevent making premature or even false conclusions from the cases, researchers need to perform not just within-case analysis but also cross-case analysis (Eisenhardt, 1989; Yin, 2003). Furthermore this makes it possible to answer the research questions of this study.
Concerning the within-case analysis, information was described in detail to understand the full explanations of the respondents. The different opinions and experiences regarding IT governance and outsourcing of each respondent were compared to each other. This showed that most information was similar, minor differences were only present when respondents talked about the past.
~ 23 ~
6. RESULTS
Three Dutch organisations were approached to understand how their IT governance changed owing to outsourcing. Central point of attention was to understand how IT governance decisions and structure were used in the past and how this differs from the present situation.
Case descriptions presented are separated into two parts; part one concerns the structure, where each case is described individually and will start with background information and figures, part two concerns the decisions, which are presented integrally as managers from the cases showed similar thoughts.
The case of Health&Co differs from the other cases as it did not outsource but in-source its IT. How-ever, it was decided that the information from Health&Co would be valuable for this research. The biggest argument for this study to incorporate the findings of Health&Co is that Health&Co is not obliged to solely buy IT activities from the in-sourced IT department but is allowed to shop on the free market. At the same time, the in-sourced IT department is allowed to sell its software to other parties than Health&Co. The only ties the IT department still has with the board of Health&Co concerns fi-nancial performance. Seen from the perspective of Health&Co, it can be said that the IT was out-sourced.
6.1. P
ART1
STRUCTURE6.1.1. Stock&Co
Stock&Co concerns a company active in the banking sector, founded in 2000. Stock&Co operates without the use of the traditional bank offices, instead its activities are virtually deployed over the internet and telephone. With its virtually oriented services Stock&Co serves the retail and professional banking sector. Stock&Co employs over 200 people and generated a total revenue of € 69,7 million in 2007 with a net profit of € 32 million.
Stock&Co has a centralised IT structure, with the underlying rationale to create synergy. IT is so important that IT structure determines the overall structure as Stock&Co is a virtual organisation that cannot exist without the use of its IT. As one manager noted; ‘IT is so important that it is almost a core activity to Stock&Co’. Implication for the IT director is to possess long as well as short term ca-pabilities, as another manager noted; ‘First processes need to be well organised and then you can decide to outsource or not. Without doing so you are only fighting fires which leads to inevitable fail-ure of vision and strategy’.
R
ESULTS~ 24 ~
Outsourcing changed the structure in the sense that there was not a distinction between hierarchy and professionalism in the past. Currently IT governance has been designed in such a way that managers and experts operate on the same level, see figure 5. This means Stock&Co created a knowledge rich organisation with room for innovation. Or as one manager noted; ‘The new structure made things transparent, where the left and right side are equally rewarded’.
Figure 5 IT Governance structure Stock&Co
Old New
Hardly any people are shifted to the vendor as IT is very important. Stock&Co retrains its people to prevent losing specific process knowledge. However, outsourcing had its effects on the number of managers. Five IT managers were appointed in the past, but the new situation gave only room to two managers. Two managers were resigned while it was possible to retrain one manager into an expert. The number of people involved with IT concerns 50, which is high, considering a total of 200 Stock&Co employees.
6.1.2. Paint&Co
Paint&Co is a multinational paint producer established in 1777 that grew through a number of mergers and acquisitions to one of the biggest paint producers that now holds leading positions in a several markets. Paint is produced for different sectors like retail, professional and marine. Over 42.000 peo-ple are employed that generated a total revenue of € 10,2 billion in 2007 with a total profit of € 1,2 billion.
Paint&Co was traditionally a decentralised organisation. However the increasing move to-wards globalisation meant margins were under pressure so corporate level felt it was necessary to take over control in order to reduce costs. Corporate wanted to have more control over its several business units and slowly began to centralise activities. However, business units were not asked to give up full autonomy as they have the unique knowledge of product-market combinations.
R
ESULTS~ 25 ~
Result is that all infrastructure and data centres are outsourced. Functional control of the applications is kept in-house whereas operational control is outsourced.
Paint&Co wants to outsource a maximum of 75 per cent of its IT, while 50 to 60 per cent is outsourced currently. Paint&Co holds a strong believe that the business needs to keep control over IT. As one manager noted; ‘At one project we experienced the outsourcing of functional application as-pects that led to a loss of control, which became evident when there was a system malfunction and Paint&Co was not able to enter the servers for accessing valuable operational information’. In order to establish a solid structure for IT, Paint&Co designed an IT governance structure which encom-passes four levels, namely; the Chief Information Officer (CIO), the Information Management Council (IMC), Shared Service Centres (SSC), and business units, see figure 6. It is difficult to give hard fig-ures, but around 50 to 80 people are involved with IT governance.
Figure 6 IT Governance structure Paint&Co
Old New
The move towards this IT governance structure was initiated in 2006 and its strategy directed at ra-tionalisation and globalisation needs to be fully established by 2010. Highest level of IT is the CIO, followed by the IMC that is composed of the Information Managers from each business unit and chaired by the CIO. Directly below it are the SSC’s which are split into; data centres, telecom and networks, workspace, and Intranet. The last level concerns the business units that are concerned with the application related activities. The IMC determines which activities need to be centralised, decen-tralised or outsourced.
R
ESULTS~ 26 ~
6.1.3. Health&Co
Health&Co concerns a group of hospitals that originated from the merger between two Dutch hospitals in the year 1998. Health&Co is the largest group of non academic Dutch hospitals employing 5900 people that take care of over 475.000 policlinic surgeries and 40.000 hospitalisations each year. Health&Co does not solely offer the traditional hospital services, but is also active in nursing and old people’s homes.
As it was not clear what costs IT involved, Health&Co wanted to create more transparency by outsourcing IT starting at January 2008. With the outsourcing contract 49 of 50 people were trans-ferred to the vendor, making it a total outsourcing decision, which immediately showed the lack of structure regarding IT at Health&Co. All infrastructure components are shifted to the vendor, just like the operational control of applications. Concerning applications, a distinction is made between func-tional and operafunc-tional control. Majority of applications were developed by the IT department and as such it contains essential information about the processes of Health&Co which cannot be outsourced. Operational control on the other hand is outsourced and shifted to the vendor. There is no policy in place determining whether to centralise, decentralise or outsource IT, it all depends on the situation. Contracts last for five years and are controlled on basis of expenditures. As the Information Manager (IM) stated; ‘Currently contract control is pre mature and does not encompass the use of Service Level Agreements (SLA). For the nearby future I am planning to design SLA’s as it makes it much easier to evaluate contracts’.
From the original IT department one person stayed behind and was given the task to redesign IT governance for Health&Co. As one might wonder how one person can do this, there is a simple answer; one cannot. From the start this Information Manager (IM) notified the board of directors that it was very likely he needed additional staff for assistance.
Figure 7 IT Governance structure Health&Co
Old New
R
ESULTS~ 27 ~
Policy and strategy is restricted to the IM, IT staff will consist of two employees initiating and master-ing projects, whereas Managers refer to functional control. Though the IM proposes decisions the board of directors need to give approval. One should not forget that hospitals have complex processes, especially for the information systems supporting them. This means that IT follows business strategy, which according to the IM always needs to be the case.
6.1.4. Summary part 1
The move towards outsourcing showed the importance to understand the different decisions to be taken and on what level. At Stock&Co employees ideas are listened to, but decisions are made by the IT director and managers. Health&Co made the decision to outsource just recently and is in the middle of designing an appropriate structure. Currently physicians still have freedom about applications, without interference of the IM that led to a situation where Health&Co uses 240 different systems. For the nearby future the IM wants to change this and make it part of the centralised IT governance structure to create synergy. At Paint&Co IT governance mainly takes place at the IMC though busi-ness application needs takes place at the decentralised busibusi-ness unit level. At Paint&Co vendor rela-tions is structured as a hybrid decision, as decisions about infrastructure typically tend to be central-ised in the IMC and decentralcentral-ised where it concerns the application on business unit level as these involve very specific product-market combinations. Summarising this information, table 3 and 4 show the difference between the old and new IT governance situation.
Table 3 Structuring IT governance decisions before outsourcing
Stock&Co Paint&Co Health&Co
IT Principles Centralised Decentralised Hybrid
IT Architecture Centralised Decentralised Hybrid
IT Infrastructure Centralised Decentralised Hybrid
Business
applica-tion needs Centralised Decentralised Hybrid
IT Investment & prioritisation
Centralised Decentralised Hybrid
Contracts X X X
Vendor relations X X X
Table 4 Structuring IT Governance decisions after outsourcing
Stock&Co Paint&Co Health&Co
IT Principles Centralised Centralised Centralised
IT Architecture Centralised Centralised Centralised
IT Infrastructure Centralised Centralised Centralised
Business
applica-tion needs Centralised Decentralised Decentralised, near future centralised
IT Investment &
prioritisation Centralised Centralised Centralised
Contracts Centralised Centralised Decentralised, near
future centralised
Vendor relations Centralised Hybrid Decentralised, near
R
ESULTS~ 28 ~
Before outsourcing it was not clear how IT was governed, especially at Health&Co where it seemed that everybody was doing everything. The tables clearly show that outsourcing led all case organisa-tions to structure the decisions towards a centralised level. This centralisation gave executive level the power that was needed to get a hold of the scattered IT organisation.
6.2. P
ART2
DECISIONS6.2.1. Impact of outsourcing on decisions
IT Principles , infrastructure and business application needs
IT principles, infrastructure and business application needs are still part of the new IT governance structure at each organisation, but their nature did not change. It does not matter whether outsourcing comes into play or not, principles still need to set the direction for the organisation to follow.
Though infrastructure is one of the first things that organisations outsource, decisions must still be made about which computers and mobile phones to use. The decisions in itself do not change, but the number of decisions to be made decreases. Organisation do no longer worry about the sort of cables and wireless networks to be used; they just need to comply with the designed architecture.
It became evident from the cases that it does not matter whether the application is developed in-house or by the vendor, the application must adhere to several requirements in order to keep the daily operation up and running. So decisions about business application needs are also not affected by outsourcing.
IT architecture
Though the research model showed that IT architecture is no longer just about functional aspects but also about more operational aspects, the case organisations disagree. As one manager of Stock&Co noted; ‘why should I keep operational aspects in-house as I can outsource them and reduce my costs’. IT architecture should only concern decisions about the technical blue-print. Making sure that the sev-eral applications are integrated and aligned is something for the vendor to sort out.
IT investment and prioritisation
R
ESULTS~ 29 ~
Contracts
Contracts are regarded as very important, as deals with outside parties are made. Previously contract decisions were not really present as the organisations developed their own IT. Terms in the contract define the costs and quality of the service that will be provided. For contracts one needs to think of deciding how risks will be shared, who has responsibility and accountability, and what to do in case of unexpected situations. Paint&Co also showed that one can think of using bonuses to stimulate the vendor to outperform the contract.
Vendor relations
All managers agreed that one of the most difficult decisions concerns the attractiveness for residual-organisation and vendor to keep doing business. Contracts are typically closed for five years, during which many things change. The residual-organisation wants to benefit from new developments, whereas the vendor may see new developments primarily as costs. Paint&Co handles this by guaran-teeing a minimum level of services to be acquired so that the vendor is more likely to cover his in-vestments. Furthermore, Paint&Co and Health&Co try to stimulate the vendor to deliver high quality as they invite other vendors to identify new possibilities.
IT security & compliance
R
ESULTS~ 30 ~
6.2.2. Summary part 2
The case studies clearly show that outsourcing changed the IT governance decisions and structure. Though the cases show that IT governance encompasses a total of eight decisions, not all are influ-enced by outsourcing. IT principles, IT infrastructure and business application needs do not change. Contracts and vendor relations are decisions that were not present before outsourcing and show new challenges for IT governance. Security & compliance was identified as a new decision, but is not ex-clusively a result of outsourcing; it should always be part of IT governance as can be seen in table 5.
Table 5 IT governance decisions change owing to outsourcing
IT Principles No change
IT Architecture No change, operational aspects are no part of it IT Infrastructure No change
Business application needs No change IT Investment & prioritisation Outside focus
Select right vendor Contracts Intensity of monitoring
Time period Use of bonuses Vendor relations Sharing risks
Trade-off between rewards & costs Guarantees of acquiring services IT Security & compliance Level of access to information
~ 31 ~
7. DISCUSSION
Purpose of this thesis was to promote our understanding of the influence of IT outsourcing on IT gov-ernance, especially with regard to decisions and structure
.
This chapter discusses the case study results and draws on the theoretical insights to interpret the results founded. Paragraph one discusses the deci-sions and paragraph two the IT governance structure to arrive at the overall conclusion in paragraph three. Paragraph four shows the limitations and gives recommendation for future research.7.1. D
ECISIONS IT PrinciplesThough the cases show that IT principles are important to keep control over IT after outsourcing has taken place, it is still about high level statements that help to identify desirable behaviour. This clearly shows that whether outsourcing comes into play or not, it does not alter IT principles.
IT Architecture
Whereas theory describes it more as an operational activity, the cases show that it is not. A distinction needs to be made between architecture and operational aspects. All managers strongly felt that archi-tecture does not concern the operational activities of making sure that systems are aligned to each other. This clearly shows that the cases reject the theoretical propositions regarding IT architecture shifting to operational aspects as made in chapter four. Health&Co and Paint&Co showed that opera-tional aspects are a typical activity to reduce these costs by outsourcing them. Architecture is all about the technical blue-print that serves as a gate keeper. The vendor needs to make sure that the supplied IT services match the architecture of the residual-organisation.
IT Infrastructure
D
ISCUSSION~ 32 ~
Business application needs
Though Weill and Ross (2004) noted that these are the least mature decisions the cases indicate it is not. Business application needs are very important as they enhance the operation to run smoothly. Making sure that IT supports the business processes is so important that without it the company can hardly survive and respond to demands of the market. It became evident from the cases that it does not matter whether the application is developed in-house or by the vendor, the application must adhere to several requirements in order to keep the daily operation up and running. So decisions about business application needs are also not affected by outsourcing.
IT Investment & prioritisation
Decisions in this field are partly influenced by outsourcing. Both theory and practice agree that IT spending must still reflect strategic objectives, however the focus changes from inside to outside. Decisions are no longer just about selecting and investing in the right IT activities, but also include selecting a vendor. Stock&Co and Paint&Co perform benchmarks to know what goes on in the market to understand which vendor might best do the job.
Contracts
A new decision to be made concerns contracts. Previously IT deals were informal as IT was carried out in-house, one could easily ask another to do something or fire persons in worst case scenarios. As the vendor is not part of the residual-organisation, executives need to carefully lay down what both parties can expect from each other, how risks are shared and what to be done in case of emergency. Stock&Co makes strict agreements and uses penalty clauses to make sure the vendor adheres to the contract. Paint&Co shows it also wise to think of using bonuses in order to stimulate the vendor to perform better than the set SLA’s to increase the quality.
Vendor relations
D
ISCUSSION~ 33 ~
Security & compliance
Though Parkes (2004) was the only one highlighting the importance of security for IT governance, he does make a valid point. In chapter three the decisions was made to ignore security as there was not enough support from other theories. The cases showed a mixed image with Stock&Co and Paint&Co recognising it as an IT governance discipline, while Health&Co rejects it. This difference may lie at the basis that Paint&Co is a large organisation, while Stock&Co cannot live without IT, whereas Health&Co has less experience in the field of IT governance.
It can be argued that IT security has always been present and is not a new decision for IT governance as a result of outsourcing. Assuming that security before outsourcing concerns issues like prevent leaking information to competitors and begin compliant to new legislation, it is possible to say that outsourcing does change security issues. Decisions need to be made about the availability of informa-tion to the vendor. A trade-off is clearly present in this situainforma-tion as giving too much informainforma-tion gives the risk that the vendor might misuse it, whereas too less information may result in inappropriate IT service from the vendor, as he is not able to understand the architectural blue-print. Furthermore the cases showed that it is wise to have a vendor that is also compliant with new legislation as a result of the increasing pressure of social responsibility.
7.2. S
TRUCTUREWeill and Ross (2004) showed that most organisation prefer a mix of centralisation and decentralisa-tion regarding IT governance. Outsourcing theory showed a need for IT governance to become central-ised in order to get a hold of the scattered IT organisation. The cases demonstrate a mixed picture, the smaller organisations do have a centralised IT governance structure or want to move towards it, whereas Paint&Co shows centralisation and decentralisation characteristics. The increasing level of centralisation showed that departments tend to lose autonomy. Paint&Co has always been strongly decentralised which creates tensions with the new situation. As business units posses unique knowl-edge about the industry they operate in they still have a high level of autonomy regarding business application needs.
D
ISCUSSION~ 34 ~
7.3. C
ONCLUSIONThis study shows that outsourcing influences IT governance as several tasks are designed to reorganise the residual-organisation (Feeny & Willcocks, 1998; Parkes, 2004; Willcocks & Fitzgerald, 1996). These tasks add complexity to the residual-organisation as someone needs to take responsibility and accountability, showing the need for decisions of how to govern IT. Trites (2004) already showed that IT director’s responsibilities will change owing to the ever increasing importance of IT. These tasks were linked to the IT governance decisions of Weill and Ross (2004) to understand how outsourcing will theoretically influence IT governance and showed a need for six decisions; IT principles, IT archi-tecture, business application needs, IT investment & prioritisation, contracts, and vendor relations. The case studies supported most of the evidence of the research model, however the case organisations showed that IT infrastructure will still be part of IT governance. Outsourcing the entire infrastructure does not relieve the residual-organisation of making decisions. Furthermore the cases also showed the need to add security & compliance to IT governance. Combining the theoretical and practical insights leads to the situation as proposed in figure 8 thus providing the answer to the research question; How does IT outsourcing influence IT governance, specifically for decisions and structure?
D
ISCUSSION~ 35 ~
Regarding theoretical implications one needs to remember that IT governance is not just about five decisions any more, but about a total of eight. Where Weill and Ross (2004) showed that decisions are differently structured (IT principles and business application needs, decentralised, IT architecture and infrastructure centralised and investment & prioritisation hybrid) this study shows that outsourcing makes decisions shift towards a centralised structure. Logic behind it is not just that organisations strive after cost reduction by standardisation and synergy , but also need to get a hold of the scattered IT organisation. However, business application needs will stay decentralised as business units contain specific product-market knowledge. Vendor relations can take place at any level but is likely to be structured in the same way as business application needs.
Implication for practice is that organisations need to carefully design their IT governance and think about the consequences of outsourcing for IT governance. This became evidently clear from the Paint&Co case. In the past a business unit of Paint&Co decided to enter into a total outsourcing situa-tion, including delegating the decisions. It was a harsh lesson showing that the implications of out-sourcing on IT governance were not carefully thought off as Paint&Co lost control over the outsourc-ing project. Stock&Co is the only one that carefully designed its IT governance. Before enteroutsourc-ing into any outsourcing contract Stock&Co first reorganised and streamlined their internal processes by cen-tralising IT decisions. Health&Co is still seeking of how to design an effective IT governance structure and perhaps this study can give them some guidance.
7.4. L
IMITATIONS AND RECOMMENDATIONS FOR FUTURE RESEARCHOne needs to remember that the presented information is just a piece of the pie, as this study only fo-cuses on decisions and structure. Further research is needed to further validate the results of figure 8 as only three cases were used. All cases operate in different industries making it hard to draw general conclusions or make statements about a single industry. Nevertheless, the cases showed valuable in-formation by presenting similar thoughts and considerations which increased reliability of the results. Future studies with larger samples from different industries, can provide an increased understanding of the influence of outsourcing on IT governance, especially for the supposed relation between business application needs and vendor relations. Another issue for future research is to understand the degree to which IT security & legislation decisions should be part of IT governance.
~ 36 ~
REFERENCES
Apte, U. M., Sobol, M. G., Hanaoka, S., Shimada, T., Saarinen, T., Salmela, T., Vepsalainen, A. P. J. (1997) IS Outsourcing Practices in the USA, Japan and Finland: A Comparative Study, Journal of Information Technol-ogy, Vol. 12, 289-304.
Bird, F. (2001) Good Governance: A Philosophical Discussion of the Responsibilities and Practices of Organiza-tional Governors, Canadian Journal of Administrative Sciences, (18:4), 298-312.
Boddy, D., Boonstra, A., Kennedy, G. (2005) Managing Information Systems: An Organisational Perspective, Essex: Prentice Hall.
Boot, N., Gianotten, M. (2008) Outsourcing Performance 2008: Research & Outlook, Proceedings of Analyse van de Nederlandse uitbestedingsmarkt by Giarte and Morgan Chambers, Amsterdam: Giarte.
Brown, A.E., Grant, G.G. (2005) Framing the Frameworks: A Review of IT Governance Research, Communica-tions of the Association for Information Systems, vol. 15, 696-712.
Chaudhurry, A., Nam, K., Rao, H.R. (1995) Management of Information Systems Outsourcing: a Bidding Per-spective, Journal of Management Information Systems, (12:2), 131-159.
Cheon, M.J., Grover, V., Teng, J.T.C. (1995) Theoretical Perspectives on the Outsourcing of Information Sys-tems, Journal of Information Technology, (10:4), 209-219.
Dibbern, J., Goles, T., Hirschheim, R., Jayatilaka, B. (2004) Information Systems Outsourcing: a Survey and Analysis of the Literature, The Data Base for Advances in Information Systems, (35:4), 6-102.
Dos Santos, B.L. (2003) Information Technology Investments: Characteristics, Choices, Market Risk and Value, Information Systems Frontiers, (5:3), 289-301.
Earl, M. (1991) Outsourcing Information Services, Public Money and Management, (11:3), 17-21.
Eisenhardt, K.M. (1989) Building Theories From Case Study Research, Academy of Management Review, (14:4), 532-550.
Feeny, D.F., Willcocks, L.P. (1998) Core IS Capabilities for Exploiting Information Technology, Sloan Man-agement Review, (39:3), 9-21.
Fitzgerald, G., Willcocks, L.P. (1994) Contracts and Partnerships in the Outsourcing of IT, Proceedings of the 15th International Conference on Information Systems, Vancouver, 91-98.
Gottschalk, P., Solli-Sæther, H. (2005) Critical success factors from IT outsourcing theories: an empirical study, Industrial Management & Data Systems, (105:6), 658-702.
Grant, R. (1992) The Resource-based Theory of Competitive Advantage: Implications for Strategy Formulation, Sloan Management Review, (33:3), 114-135.
Hancox, M., Hackney, R. (1999) Information Technology Outsourcing: Conceptualizing Practice in the Public and Private Sector, Proceedings of the 32nd Annual Hawaii International Conference on System Sciences.
Hodgkinson, S.L. (1996) The Role of the Corporate IT Function in the Federal IT Organization In Earl, M.J., Information Management: The Organizational Dimension, New York: Oxford University Press, 247-269. Hu, Q., Saunders, C., Gebelt, M. (1997) Research Report: Diffusion of Information Systems Outsourcing: a Reevaluation of Influence Sources, Information Systems Research, (8:3), 288-301.
