Diminishing the Gap Between IT Governance Maturity Theory and Practice: Renewing the Approach

DOI: 10.4018/IJITBAG.2019010101



Diminishing the Gap Between IT

Governance Maturity Theory and Practice:

Renewing the Approach

ABSTRACT ITgovernanceresearchsuggeststheexistenceofagapbetweentheoreticalframeworksandpractice. AlthoughcurrentITGresearchislargelyfocusedonhardgovernance(structure,processes),soft governance(behavior,collaboration)isequallyimportantandmightbecrucialtoclosethegap.The goalofthisstudyistodeterminewhatITgovernancematuritymodelsareavailableandifthereremains amismatch.Theauthorsconductedasystematicliteraturereviewtocreateanoverviewofavailable ITgovernancematuritymodels.ThestudyshowsfivenewITgovernancematuritymodelswere introduced.OnlyoneofthenewITgovernancematuritymodelscovershardandsoftITgovernance indetail.Thismodelandcorrespondinginstrumentwasusedtoillustrateitsusabilityinpractice. Theauthorsdemonstratethatcombiningtheinstrumentwithstructuredinterviewsresultsinausable instrumenttodetermineanorganization’scurrentmaturitylevelofhardandsoftITgovernance. KeywoRDS

Collaboration, Design Science, Informal Organization, IT Governance, IT Governance Maturity, Leadership, Organizational Culture, Soft Governance

INTRoDUCTIoN ITgovernanceisarelativelynewtopic(VanGrembergen,2004),withthefirstpublicationsappearing inthelate1990s.ThenumberofITgovernancepublicationsbegantogrowfrom2006/2007(Smits &vanHillegersberg,2014a).ItiswidelyacknowledgedthatcorporategovernanceandITgovernance arerelated.However,littleisknownregardinghowthisrelationshipactuallyworks.Corporate governanceisof“enormouspracticalimportance”(Shleifer&Vishny,1997).Variouspublications suggestthatITgovernanceconstitutesanintegralpartofcorporategovernance(ITGI,2003;Lainhart &John,2000;VanGrembergen,DeHaes,&Guldentops,2004).Corporategovernanceissuescannot besolvedwithoutconsideringIT(VanGrembergenetal.,2004).WedefineITgovernanceasthe structures,process,culturesandsystemsthatengenderthesuccessfuloperationoftheITofthe (complete)organization,anadaptationofthecorporategovernancedefinitionofKeaseyandWright (1993).Thus,ITgovernanceisnotrestrictedtotheITorganization.

TheframeworksusedforITgovernancevaryconsiderably,ascanbeseeninseveralglobal surveysfromtheITGIaddressedto749CEO-/CIO-levelexecutivesin23countries,andsummarized inTable1(ITGI,2008,2011).Toillustratethediversenatureoftheseframeworks,weaddedthe column‘Content’.Unfortunately,themostrecentglobalsurveyfrom2016doesnotincludeaquestion concerningtheuseofITgovernanceframeworks. With13%growthforSixSigma,12%growthforPMI/PMBOK,11%growthforsecurity frameworks,4%growthforITIL,3%growthforTOGAF(from0),anda1%decreasefor COBITinaperiodoffouryears,thereisnoclearleader.Furthermore,itisclearthatmore generalframeworkslikeSixSigmaarefastgrowers,too.Therelationshipwithprojectand portfoliomanagementframeworkslikePMI/PMBOKandPRINCE2aswellasarchitecture frameworkslikeTOGAFcanbeillustratedwithcasesfoundinacademicresearchinwhichIT governanceisimplementedusingportfoliomanagementandarchitecture(Wittenburg,Matthes, Fischer,&Hallermeier,2007). ThelatestCOBITversionisCOBIT2019,releasedattheendof2018,shortlyaftertheliterature reviewinthisstudy(ISACA,2018).ThepenultimatereleaseisCOBIT5.0(ISACA,2012).COBIT usesaclassificationconsistingoffivefocusareas:strategicalignment,valuedelivery,resource management,riskmanagementandperformancemeasurement. PreviousresearchindicatedamismatchbetweentheITgovernanceliteratureandpractice(ITGI, 2011;Smits&vanHillegersberg,2013,2014a).Thesestudiesarebasedonsurveysandsystematic literaturereviewsusingabstractandcitationdatabasesuntilspring2013.NewITgovernancematurity researchcoveringthisgapmighthavebeenpublished.Thisreviewwasintendedtodetermineifnew ITgovernancematuritymodelshavebecomeavailablerecently.

Table 1. Use of IT governance frameworks (ITGI, 2008, 2011)

Framework Content 2011 2007 2005 ITILorISO/IEC20000 Servicemanagement 28% 24% 13% ISO/IEC17799,ISO/IEC27000orother securityframeworks Informationsecurity 21% 10% 9% Internallydevelopedframeworks Unknown/differ 14% 33% SixSigma Quality 15% 2% 5% COBIT(ISACA) ITgovernance 13% 14% 9% PMI/PMBOK Projectmanagement 13% 1% 3% RiskIT(ISACA) Riskmanagement 12% ITassuranceframework(ISACA) ITassurance 10%

CMMorCMMI Softwaredevelopmentorprocess_improvement 9% 4% 4%

ISO/IEC38500 ITgovernance 8% BMIS(BusinessModelforInformation Security,ISACA) Informationsecurity 8% PRINCE2 Projectmanagement 6% 2% ValIT(ISACA) Enterprisevalue(ITinvestments) 5% 0% TOGAF Enterprisearchitecture 3% 0% COSOERM Enterpriseriskmanagement 2% 1% 4%

Hard and Soft Governance Hardgovernancecanbeseenastheorganizationalperspectiveandsoftgovernanceasthesocial perspectiveonITgovernance.ContemporaryITgovernanceliteratureismostlydirectedatthehard partofgovernance,focusingonorganizationalstructuresandprocessesandonrelationalmechanisms (Smits&vanHillegersberg,2014b).Werelatesoftgovernancetohumanbehavior,collaborationand organizationalculture.Relationalmechanismsarerelatedtosoftgovernancetoobutmorenarrowly defined(seeTable2). Thedivisionofgovernanceintohardandsoftgovernancehasbeenmadeinthepast(Cook,2010; Moos,2009;Tarmidi,AbdulRashid,&AbdulRoni,2012;Tucker,2003;Uehara,2010).Forinstance, Moos(2009)differentiatesbetweenlegislationand“softer”formsofgovernancebasedonpersuasion andadviceorobligation,precisionanddelegation(Tucker,2003).Relatedtoparticipatorygovernance, Cook(2010)writesthat“rulesandstructures”are“farlesseffective”thansoftgovernance.Uehara (2010)andTarmidietal.(2012)separatehardandsoftITgovernanceusingthesoftpowertheory. JosephNye(1990)foundedthesoftpowertheory,pertainingto“intangiblepowerresources suchasculture,ideology,andinstitutions.”Thebasicconceptofpoweristheabilitytoinfluence otherstogetthemtodowhatyouwant.AccordingtoNye(2004),thiscanbeachievedinoneof threemajorways:threatenthemwithsticks;paythemwithcarrots;orattractthemorco-optthem, sothattheywantwhatyouwant.Ifyoucanattractotherstowantwhatyouwant,itcostsyoumuch lessincarrotsandsticks. Nye’sresearchattendedtoworldpolitics,butthesameistrueonamuchsmallerscale. Parentsofteenagersknowthatiftheyshapetheirchildren’sbeliefsandpreferences,theyhave greaterandmoreenduringpowerthaniftheymerelyrelyonactivecontrol.Thesameistrue formembersofanorganization.In“TheBasesofSocialPower”,Frenchetal(1959)describe six bases of power: rewarding (carrots), coercive (sticks), legitimate (functions or roles), referent(softpower),expert(knowledgeandscience)andinformational(relevantinformation orargument).Referentpowerconcernstheassociationbetweenindividualsorgroupsandis stronglyrelatedtosoftgovernance.

Thus,frameworkswhichlacksufficientattentiontothesocialaspectsofITgovernanceare incomplete.InasystematicliteraturestudySmitsandvanHillegersbergcouldnotfindamaturity model for IT governance that covers process, structure, human behavior and organizational culture(2013).Theyconclude“thereisaneedforaframeworkand/oranITgovernancematurity modelwhichcombineselementslikeprocess,structureandplanningascanbefoundincurrent frameworkswithelementsrelatedtosocialaspectslikebehavior,collaborationandculture” (Smits&vanHillegersberg,2014a).Thepreviouslymentionedsystematicliteraturestudywas conductedbasedondataavailableinabstractandcitationdatabasesuntilMay2013.Inthe systematicliteraturereviewthatformspartofthisstudyweaddedsomeoverlapandselected papersfrom2012untilthepresentday(spring2018).

Table 2. Structures, processes and relational mechanisms for IT governance, adopted from van Grembergen et al. (2004)

Structures Processes Relational Mechanisms

-Rolesandresponsibilities -ITstrategycommittee -ITsteeringcommittee -ITorganizationstructure -CIOonBoard -Projectsteeringcommittees -e-Businessadvisoryboard -e-Businesstaskforce -Balanced(IT)scorecards -StrategicInformationSystems Planning -COBITandITIL -ServiceLevelAgreements -Informationeconomics -StrategicAlignmentModel -Business/ITalignmentmodels -ITGovernancematuritymodels -Activeparticipationbystakeholders -Collaborationbetweenstakeholders -Partnershiprewardsandincentives -Business/ITcolocation -Sharedunderstandingofbusiness/IT objectives -Activeconflictresolution -Cross-functionalbusiness/ITtraining -Cross-functionalbusiness/ITjobrotation

Maturity Models Thematurityconceptemergedoutofqualitymanagement.Theconceptofmaturitystageswas introducedbyCrosby”(1979)withhis“qualitymanagementprocessmaturitygrid”.Maturitymodels essentiallyrepresenttheoriesconcerninghoworganizationalcapabilitiesevolveinastage-by-stage manneralongananticipated,desiredorlogicalmaturationpath(Pöppelbuß&Röglinger,2011). Theconceptoforganizationalcapabilitiesisbasedontheresource-based-viewusedinthestrategic managementliterature(Ulrich&Smallwood,2004;Wernerfelt,1984).Anorganization’scapabilityis “theabilityofanorganizationtoperformacoordinatedsetoftasks,utilizingorganizationalresources, forthepurposeofachievingaparticularendresult”(Helfat&Peteraf,2003).Thematuringentities inthisresearchareorganizationalcapabilities. Maturitymodelscanbeseenasartefactstodetermineacompany’sstatusquoandas“deriving measuresforimprovement”(Becker,Knackstedt,&Pöppelbuß,2009).Themostwell-knownmaturity modelintheITsectorisCMM,ofwhichversion1.0waspublishedin1991(Paulketal.,1991).CMM wasdevelopedbytheSoftwareEngineeringInstitute(SEI)atCarnegieMellonUniversity.Interest inmaturityemergedfromqualitymanagement(SEI,2010).Inthe1930s,WalterShewhart(1931) beganhisworkonprocessimprovementwithhisprinciplesofstatisticalqualitycontrol.Sincethe launchofCMM,hundredsofmaturitymodelshavebeenlaunchedacrossamultitudeofdomains byresearchersandpractitioners(DeBruin,Freeze,Kaulkarni,&Rosemann,2005).CMMalsohas itscritics(Bach,1995;Ngwenyama&Nielsen,2003),whoespeciallyarguethatitplacestoomuch emphasisonprocesses,andthatinordertoimproveorganizations,attentionmustbepaidtoother aspectssuchaspeople,cultureorleadershipaswell. Theanswertothequestion“Whatmakesorganizationalcapabilitiesmature?”dependsonwhich rationaleisembraced,andtendstofocusontheleveragepointsusedinorganizationalchangeinitiatives (Maier,Moultrie,&Clarkson,2012).WeadoptthedefinitionofBeckeretal.(2009)ofthematurity model:“Amaturitymodelconsistsofasequenceofmaturitylevelsforaclassofobjects.Itrepresents ananticipated,desired,ortypicalevolutionpathoftheseobjectsshapedasdiscretestages.Typically, theseobjectsareorganizationsorprocesses”.Theaimsofmaturitymodelsare“raisingawareness” ofwhatisgoingwrong,and“benchmarking”tocompareresultsacrossorganizations(Maieretal., 2012).Therefore,maturitymodelsarehelpfulinfindingbettersolutionsforchange.However,inorder tobemadeuseful,theymustbeappliedtoasubstantialnumberofcompaniesforvalidcomparison. Purpose Thepurposeofthisstudywastoanswerthefollowingtworesearchquestions: RQ1:WhichnewITgovernancematuritymodelsareavailableintheliterature? RQ2:Isthere(still)amismatchbetweenITgovernancematuritypracticeandtheoreticalframeworks? Thispaperisorganizedasfollows.Thissectionintroducesthetopicsofthisstudy.Thenext sectionpresentstheresearchmethod.Theresultsofthesystematicliteraturereviewandacasestudy exampleusinganewITgovernancematuritymodelaredescribedintheresultssection.Thediscussion sectionincludesareviewofeachoftheeightgroupsofmaturity-relatedpaperswefoundduringthe systematicliteraturereviewaswellasadiscussionoftheuseofoneofthesematuritymodelsina casestudy.Thelastsectionincludestheconclusion,limitationsandimplicationsforfutureresearch. Research Method Ourresearchprocesswasasfollows: 1. ConductasystematicliteraturereviewtolocaterecentliteratureonITGmaturity; 2. CreateanoverviewofavailableITGmaturitymodelsforhardandsoftgovernance;

3. Demonstratetheuseofamaturitymodelforhardandsoftgovernanceinacasestudy; 4. Evaluatetheresultsofthestudy.

Thissectiondescribesthesystematicliteraturereviewandthecasestudyprotocolappliedin thisstudy.

Systematic Literature Review

Asystematicliteraturereviewisamethodologicallyrigorousreviewofresearchresults.Itisalso intendedtosupportthedevelopmentofevidence-basedguidelinesforpractitioners(Kitchenhamet al.,2009).Thisresearchispartlybasedonpreviousresearch,andassuchweconductasystematic literaturereview,asusedinISandthesocialsciences(Kitchenham,2004;Petticrew&Roberts,2006). EarlyresearchonITgovernanceincludedcontingencystudiesfromtheorganizationsciences (Brown,1997;Sambamurthy&Zmud,1999).Methodengineeringprovidedframeworksand processestoassembleISdevelopmentmethodsfromexistingmethodologiesandinventories (Brinkkemper,1996). OursystematicliteraturereviewonITgovernancewassetupandconductedusingScopus.Scopus istheworld’slargestabstractandcitationdatabaseandincludesscholarlyjournalsandbookpublishers. PreviousresearchindicatedamismatchbetweentheITgovernanceliteratureandpractice(ITGI, 2011;Smits&vanHillegersberg,2013,2014a).Thesestudiesarebasedonsurveysandsystematic literaturereviewsusingabstractandcitationdatabasesuntilspring2013.Toavoidmissingrelevant papers,weaddedsomeoverlapandselectedpapersfrom2012untilthepresentday(spring2018). InScopus,wefirstselectedpapersrelatedto“ITgovernance”,“governanceofIT”,“IS governance”or“enterprisegovernance”inthetitle,abstract,orauthorkeywords.Withinthislarge setofpapers,weselectedpapersrelatedto“mature”or“maturity”.Amanualselectionwasused thereaftertodeterminewhichpaperswereinscope.Tobeincludedinscope,thepaperhadtosatisfy thefollowingrules:(a)thetopicmustbeITgovernance(b)thekeyword“mature”or“maturity” mustbeusedrelatingtoITgovernance(c)thepublicationyearmustbe2012orlater(d)thepaper mustbewritteninEnglish,GermanorDutch(e)claimsmustbejustifiedorbasedonresearchand (f)duplicatestudieswereexcluded.

Case Study and Case Study Protocol

Duringthesystematicliteraturereviewwefoundfive(relatively)newITgovernancematuritymodels partlybasedonpreviousresearch.Onlytwoofthesegroupsarebasedonframeworkscoveringhard andsoftITgovernance:COBIT5.0inaholisticwayandtheMIGmodelinamorepracticalway. TheMIGmodelisafocusareamaturitymodelforhardandsoftITgovernancedesignedusing designscience.TheMIGmodelisdiscussedindetailinthediscussionsectionasoneofthegroups ofmaturity-relatedresearchpapers. Inthisstudy,weusetheMIGmodelandthecorrespondingMIGassessmentinstrument(Smits &vanHillegersberg,2014b;Smits&vanHillegersberg,2015).Inthecurrentstate,theinstrument mustbeusedcombinedwithsemi-structuredinterviewstocreateusefulresults.Fortheapplicationof theMIGassessmentinstrument,weusedacasestudyprotocol.Theprotocolusedfortheapplication oftheinstrumentwasasfollows: 1. AgroupofparticipantsinastrategicrolefrombusinessandITwereselectedandinvitedto participateinthestudy; 2. EachparticipantwasaskedtofillouttheMIGinstrumentbeforetheinterview; 3. Theresearchercreatedtheresultssheetusingtheinstrumentandbroughtitasahandoutto theinterview;

4. Duringthesemi-structuredinterview,theresultsforeachfocusareawerediscussed.Where relevant,theresultswerechangedbasedontheopinionoftheinterviewee.Besidesthefocus areas.Theinterviewslastedanaverageofonehourandwererecorded; 5. Followingtheinterviews,theresultsweresummarizedandsenttoeveryparticipantforvalidation; 6. Areportsummarizingtheresultsofthestudywerewritten,presentedanddiscussedwiththe clientandtheparticipants; 7. Theparticipantswereinvitedtofilloutashortevaluationquestionnaire. Havingcompletedtheinterviews,theresultswerecombinedandanalyzed.Theresultsofthe analysis,conclusionsandrecommendationswereanonymized,summarizedinareportandpresented tothesponsorofthecasestudywithintheorganization. Theevaluationformusedwascreatedbasedonanevaluationtemplateforexpertreviewsof maturitymodels(Salah,Paige,&Cairns,2014).Theparticipantswereinvitedtofillouttheevaluation questionnaireaftertheinterview. ReSULTS

The Systematic Literature Review

Previousresearchresultedinasetof659documents(Smits&vanHillegersberg,2014a).Theupdate wasconductedbetweenJanuaryandApril2018andresultedinanadditionalsetof471documents. Afterremovingduplicatesandothertypesofdocuments(noresearchpapers),asetof1,094documents remained.Havingappliedtheotherselectioncriteriaandremovingthepaperspreviouslyfound,a setof245newpapersremained.

The Complete Set

Theoldestdocumentsinourcompletesetof576documentscamefrom1995butthevastmajority werepublishedfrom2006(seeTable3).

Documentsfrom2017and2018werelimitedowingtothetimeoftheselectionandthefactthat italwaystakessometimebeforepublicationsareaddedtothedatabases.

New IT Governance Maturity Papers

TheupdateofthesystematicliteraturereviewwasconductedbetweenJanuaryandApril2018.This resultedinaninitiallistof70newpapersdiscussingITgovernancematuritybetween2012and2018. Afterimplementingtheselectioncriteria,34papersremained.Foreachpaper,wedetermined whichframeworkormodelwasused.TheresultsofthisanalysisaresummarizedinTable4. Asshowninearlierreviews,COBITwasusedinthelargestproportionofpapers(13)andin fiveadditionalpaperswascombinedwithotherframeworks.Adetaileddiscussionofeachgroupis includedinthediscussionsection.Intheliteraturereviewwefoundfive(relatively)newITgovernance maturitymodelspartlybasedonpreviousresearch:group3until7.Allgroupsarediscussedinthe nextsection.

Results of the Case Study example Using the MIG Model

ThecasestudywasconductedatacentraldepartmentofalargeministryintheNetherlands.The numberofemployeesinfull-timeequivalentsis110,000.ThecentraldepartmentislocatedinThe Hagueandhasmanyotherbranchesthroughoutthecountry.Thisorganizationwasknownverywell byoneoftheresearchersbecausehehasbeenworkingforthisorganizationsasanemployeefora fewyearsatthetimeoftheassessment.Thus,besidestheresultsoftheassessmentandtheinterviews wealreadyknewalotaboutthestrongandweakpointsoftheorganization.Thiswasveryuseful wheninterpretingtheresults,decidingonthetopicstogoindepthduringtheinterviewsandwhen

Table 3. Year of publication of the documents

Year Previous New ∑# %

1995–2002 12 12 2 2003–2005 21 2 23 4 2006 24 2 26 5 2007 21 21 4 2008 35 4 39 7 2009 41 5 46 8 2010 55 5 60 10 2011 67 1 68 12 2012 50 10 60 10 2013 5 45 50 9 2014 59 59 10 2015 33 33 6 2016 35 35 6 2017 33 33 6 2018 12 12 2 Total 331 245 576 100

Table 4. New papers describing IT governance maturity-related research

# Model/Framework Found # List of the Papers Found

1 COBIT4.0;4.1and5.0. 13 (Ateşer&Tanriöver,2014;Ibrahim&Nurpulaela,2016;Ishaqetal., 2017;Janahi,Griffiths,&Al-Ammal,2015;Joshi,Bollen,Hassink, DeHaes,&VanGrembergen,2018;Kosasi,2015;Putri,Lestari,& Aknuranda,2017;Safari&Jiang,2018;Seyal,Poon,&Tajuddin,2016; Spremić,2012;Surya&Surendro,2014;Tambotoh&LATUPERISSA, 2015;Vugec,Spremić,&Bach,2017)

2 COBIT4.1or5.0combined_{withotherframeworks.} 5 (Dalipi&Shej,2012;Ngoma&Erasmus,2017;Ningsih,Sembiring,Arman,&Wuryandari,2013;Wahab&Arief,2015;Wijayanti,Setiawan, &Sukamto,2017)

3 M2A3-ITgovernancemodel. 2 (deMoraes,2013,2014)

4 NineITgovernance_categories. 2 (Shaw,Cheng,&Shih,2013;Shaw,Cheng,Shih,&Chang,2013) 5 GreenITgovernancemodel. 1 (N.K.S.Putri&Muljoredjo,2014)

6 ITgovernanceandoperation_framework. 1 (Zhu&Li,2014)

7 MIGmodel. 4 (Smits&vanHillegersberg,2013,2014b;Smits&vanHillegersberg,_{2015,2017)} 8 Othertypesofmaturity_{relatedresearch.} 6 (Alagha,2013;Albayrak&Gadatsch,2012;Bianchi&Sousa,2015;Elagha,2014;Saetang&Haider,2012;Yaokumah,Brown,&Adjei,

2015)

assessingdifferencesbetweentheresultsoftheparticipantsofthestudyandourexperiencesasa memberoftheorganization. Sevenparticipantswereinvitedtoparticipateinthiscasestudy.Allparticipantswereworkingin thesamecentraldepartment(CIOoffice)andwereinvolvedinstrategicbusinessandITdiscussions withrespecttotheentireorganization.Threemanagers(themanagersoftheadvice,theprojectand theriskdepartments)andfourspecificroles(thecoordinatorforinternalpolicies,thecoordinator forenterprisearchitecture,aprogrammanagerandaprojectmanager). Table5displaystheresultsbeforeandaftertheinterviewsforthedepartmentandthecorporateview. Theresultssummarizetheresponsesfromsevenparticipants.Thenumbersbeforeandafterthe interviewsareseparatedbyasemicolon.Thenumberofavailablelevelsiscontingentonthefocus area.Anexampleforcontinuousimprovement:inthedepartmentviewtheresultoftheassessment indicatedlevelAonsevenoccasions.DuringtheinterviewssixparticipantsagreedwithlevelA.One participantsexplainedwhyitshouldbelevelB.Emptyfieldsreflectlevelsthatwereabsentfromthe resultssheetoftheassessmentandthecorrectedresultsfollowingtheinterviews. Ingeneral,therewereconsiderablevariationsintheresults,asdemonstratedbytheassessments andopinionsoftheparticipantsforthesoftgovernancepartcomparedtofewervariationsforthehard governancepart.Themotivationforthechangesprovidessomeideaofthewaysinwhichparticipants interpretedthefocusareas.Someparticipantschangedtheiropinionafteranadditionalexplanation ofthefocusareas,partlyaccountingforthechanges. InTable6,Min,Max,Avg.andσaretheminimum,maximum,averageandstandarddeviation ofthevalues/percentagesbetweentheparticipants’answers,respectively.“Agree”and“Notagree” illustratewhethertheparticipantsagreedwiththeresultoftheassessment. Theparticipantsagreedwithalmostallvaluesshownintheresultsheets.Onlyfor“culture” thereweresomeminorremarksregardingthevalues(eachremarkiscountedseparatelyinTable6). Threeoutofsevenparticipantsconsideredsomeculture-valuesalittletoohighortoolow:thevalue forMarketwasconsideredtoohigh(2x)ortoolow(1x);AdhocracyandClanwereconsideredtoo lowandhierarchytoolow(1x)ortoohigh(1x). DISCUSSIoN InpartAofthissectionwewilldiscusseachoftheeightgroupsofmaturity-relatedpapers.COBIT wasusedinthelargestproportionofmaturity-relatedpapers(group1)andinfiveadditionalpapers itwascombinedwithotherframeworks(group2).Intheliteraturereviewwefoundfive(relatively) Table 5. Results of the hard and soft governance (before; after)

Governance/Focus Area Department View The Entire Organization

A B C D E F A B C D E F Sof tgo ver nance Continuousimprovement 7;6 0;1 7;6 0;1 Leadership 1;0 0;1 0;1 3;3 0;1 3;1 4;1 3;3 0;2 0;1 Participation 6;3 1;3 0;1 7;5 0;2 Understandingandtrust 4;0 1;3 2;3 0;1 6;4 1;2 0;1 Har d go ver nance Functionsandroles 4;0 0;4 1;1 2;2 4;3 1;2 1;1 1;1 Formalnetworks 4;1 1;2 1;3 1;1 5;1 1;3 1;3 ITdecision-making 6;3 1;2 0;2 7;4 0;1 0;2 Planning 5;1 2;4 0;2 5;2 2;4 0;1 Monitoring 4;2 2;2 1;3 5;3 2;2 0;2

newITgovernancematuritymodelspartlybasedonpreviousresearch:M2A3-ITgovernancemodel (group3);NineITgovernancecategories(group4);GreenITgovernancemodel(group5);IT governanceandoperationframework(group6);theMIGmodel(group7).Thefinalgroupconsists ofothertypesofmaturity-relatedresearch(group8). Thethirdstepinthisstudywasdemonstratingtheuseofamaturitymodelforhardandsoft governanceinacasestudy.TheMIGmodelcovershardandsoftITgovernanceinapracticalway. PartBofthissectioncoversadiscussionofthecasestudyconductedusingtheITGmaturitymodel describedingroup7. CoBIT ThelargestpartofthesetpapersisbasedonCOBIT(13)orCOBITcombinedwithotherframeworks (5).ISACAfirstreleasedCOBITin1996.TherehavebeenseveraliterationsoftheCOBITframework tothecurrentversionofCOBIT5.COBIThastransitionedfromanITauditingframeworktowards abroaderITgovernanceandmanagementframeworkwithmanagementtoolsincludingmetrics, criticalsuccessfactors,maturitymodels,andtools.MostpapersarebasedonCOBIT4.1(14outof 18).AlthoughCOBITversion5hasbeenpublished,COBIT4.1remainsinwidespreaduseinmost organizations(Ateşer&Tanriöver,2014).Someauthorsusethisasamotivationtoselectversion4.1 (Ishaqetal.,2017),whereasothersdonotmakeanexplicitdistinctionandusetheversionimplemented byacorporation(Vugecetal.,2017).

Besides other changes, COBIT 5.0 now includes a separation between governance and management,integratesthebestpracticesofCOBIT4,ValIT,andRiskIT,andhasanimproved assessmentofprocessmaturity,acoremetricinCOBIT,andisalignedwithinternationalstandards (DeHaes,VanGrembergen,&Debreceny,2013).ThenewgovernancedomaininCOBIT5.0has fiveprocessesthatwouldbeinthehandsoftheboardandthemostseniormanagement. Currently(end-2018)themostimportantITgovernanceframeworkforpracticeisCOBIT.The primaryfocusofCOBITishardgovernance.NewversionsofCOBITdisplayagradualincreasein attentiontothesoftsideofITgovernance.InCOBIT5afirstholisticattemptwasmadetoinclude thesoftside.InCOBIT2019(ISACA,2018)thecomponent“Culture,EthicsandBehavior”was includedasamanagementobjective,addingasoftdimensiontotheprocessmodeloftheCOBIT framework.Thus,itseemsthesoftsideofITgovernancereceivesmoreattention.However,human behaviorisnotonlyprocessorstructurerelated.BecauseCOBIT2019wasreleasedattheendof 2018,thesystematicliteraturereviewdoesnotincludepapersbasedonCOBIT2019.

CoBIT Combined with other Frameworks

TheresearchpapersusingCOBITcombinedwithotherframeworksareverydiverse.Inthesepapers Table 6. Results of the context, after the interview

Governance/ Focus Area

Department View The Entire Organization

Min. Max. Avg. σ Agree _AgreeNot Min. Max. Avg. σ Agree _AgreeNot

Conte xt Culture -Clan 17.5 60.0 33.7 8.9 7 0 12.2 32.5 23.4 7.5 6 1 -Adhocracy 12.4 28.0 22.2 3.4 6 1 9.2 24.2 16.0 4.8 6 1 -Market 5.8 27.4 14.6 7.4 5 2 5.0 37.5 17.2 11.0 5 1 -Hierarchy 8.4 42.4 29.6 10.2 7 0 26.7 61.7 43.4 12.1 5 2 Informal organization 26% 54% 41% 8% 7 0 23% 60% 38% 14% 7 0

&Erasmus,2017),theopengrouparchitectureframework:TOGAF(Ningsihetal.,2013;Wahab& Arief,2015),aspecificITgovernanceframeworkusedinSouthAfrica:DIPSA(Ngoma&Erasmus, 2017),totalqualitymanagement:TQM(Dalipi&Shej,2012)andthebusinessbalancedscorecard: BSC(Wijayantietal.,2017).

M2A3-IT Governance Model

TheM2A3-ITgovernancemodelisaMaturityModelforAnalysisofAlignmentofActivitiesrelated toITgovernanceandpresentedinDeMoraes’thesis(2013).Thetwelvefieldsofactionarearesearch modelto“assessthedegreeofeffectivenessofITactionstomeettheexpectationsoftheStrategic PlanoftheOrganization”(deMoraes,2014).ThefocusoftheM2A3-ITgovernancemodelisthe AssessmentMaturityLevel.Theindicatorsconstructedbythemodelare“direct,relevantandpractical result”indicators(deMoraes,2013).ThetwelvefieldsofactionofITareauditing,compliance, development,knowledge,management,planning,production,project,quality,requirement,security andtesting. IntheM2A3-ITgovernancemodel,51resultindicatorsaredefinedforthesefieldsofaction. ThemodeldefinesthreematuritylevelsforaresultindicatorAuntilC,inwhichAcorresponds witha“Completematch”,Bwitha“Matchwithrestrictions”andCas“Nomatch”withrespectto theexpectationsofthecorporation.

Nine IT Governance Categories

ThenineITgovernancecategoriesformaresearchmodeltoinvestigatetheeffectsofITgovernance categoriesongovernanceperformance(Shaw,Cheng,Shih,etal.,2013),andbasedontheproposed nineITgovernanceimplementcategoriesofItakura’s(2007)ITgovernanceorganizationalcapabilities view.ThenineITgovernancecategoriesare:usersupport,decision-makingoftopmanagement,review andevaluationITtasks,abilityandevaluationofITdepartment,riskmanagement,CIOauthority, budgetingprocess,outsourcingandITprojectdevelopmentmanagement.Inordertomeasurethe governanceperformance,WeillandRoss’(2004)formulawasused(2004).Thisformulameasures foureffects(“cost-effectiveuseofIT”,“effectiveuseofITforgrowth”,“effectiveuseofITforasset utilization”and“effectiveuseofITforbusinessflexibility”)onascaleof1(“Notimportant”)to5 (“Veryimportant”).Thisresultedinaminimumandmaximumpossiblegovernanceperformance of20and100,respectively.

Green IT Governance Model

ThegreenITgovernancemodelisaresearchmodelforprivatehighereducationinstitutions,developed inthecapitalregionofJakarta,Indonesia(DKIJakarta)foruseinprivatehighereducationinstitutions tominimizeenergyconsumption(pull)andmoney(push)(N.K.S.Putri&Muljoredjo,2014).The pushmodel–focusingonverticalactivities–wasadoptedfrommaterialresourceplanning.Ituses calculationandproductionscheduleforeverylevel,basedonsalesforecast.Thepullmodel–focusing onhorizontalactivities–originatedinthejust-in-time(JIT)systemusedinmanufacturing.InJIT, productionistriggeredbycustomerdemand:theusersarepullingwhattheyneed. Aconsortiumofleadingorganizationsfromindustry,thenon-profitsectorandacademia(the InnovationValueInstitute)hasdevelopedaframeworktoimprovesustainableITcapabilities:the SustainableICT-CapabilityMaturityFramework(Donnellan,Sheridan,&Curry,2011),basedon theITCapabilityMaturityFramework(IT-CMF). ThegreenITgovernancemodelisbasedonSustainableICT-CapabilityMaturityFramework andthefourbasicsustainableITposturesofCurryetal.(2012):thecostcenter,theservice center,theinvestmentcenterandthevaluecenter.Thisresultsinfourhorizontalactivities:ITdata center;ITefficiencytechnique;facilityefficiencytechnique;integrationefficiencytechnique; andverticalactivitiesdependingonmaterialelements,comprisingprinting-paperless,reuse-recycleandrules-policy.

IT Governance and operation Framework ZhuandLi(2014)havedesignedanITgovernanceframework,operatingmodelandITmaturity modelforITtransformationdesign.Forthegovernanceframework,fourmechanismshavebeen identifiedandintegrated:organization,processes,complianceandtransformation.Thisdesignwas developedbasedonindustrybestpracticesandstandardssuchasCOBIT,Val-ITandITIL.TheIT operatingmodelcoversITfunctionalstructure,IToperationalprocesses,consistentmatchingand transformationmanagement. TheITmaturitymodelwasdesignedbasedonpreliminaryfindingsinasurveyinvolvingmore than100large-scalechemicalenterprisesbetween2008and2013.ItcoversanITandabusinessside withfivelevelseach:(1)Technology-driven–customerfollows,(2)Controlled–customerchooses, (3)Service-oriented–customerdecides,(4)Customer-driven–customerowns,(5)Business-driven –customerdirects.Theresearchpaperisrathershort(fourpages),andsoprovidesminimaldetails aboutthedesignprocessandthesurvey.

The MIG Model

TheMIGmodelisafocusareamaturitymodelforhardandsoftITgovernance.Afocusarea maturitymodelisaspecifictypeofmaturitymodelinwhichanincrementalimprovementisbased ontheimprovementofacollectionoffocusareas.Focusareamaturitymodelsdifferfromprevious approachesbydefiningaspecificnumberofmaturitylevelsforasetoffocusareas,whichembrace concretecapabilitiestobedeveloped,toachievematurityinatargeteddomain(Sanchez-Puchol& Pastor-Collado,2017).Focusareamodelsaremuchlesscommonthanfixed-levelmodels.Weshare theviewthatdifferentdimensionshavedifferentmaturitylevelsandtheassumptionoftheexistence ofgenericmaturitylevelsisanoversimplification. Thereisalwaysdebateconcerningwhetherhigherlevelsofmaturityarebetterthanlowerlevels (Andersen&Henriksen,2006).Thismightnotbetrueforalllevels,especiallyforthehighest.This isanissuethatwillbediscussedandeventuallysolvedinalaterstage. Focusareamaturitymodelsdonotdistinguishafixednumberofgenericmaturitylevels,but insteaddefinespecificmaturitylevelsforeachfocusarea.Adistinguishingcharacteristicofa focusareamaturitymodelisthatitalsodefinestheinterrelatedwaysinwhichfocusareasgrow inmaturity(seeFigure1).

Thefirsttwocolumnsarethedomainsandfocusareasthatarerelevanttothetopicof thematuritymodel.Thenumberofmaturitylevelsisusuallysomewherebetween10and20. Focusareamaturitymodelsdonotdistinguishafixednumberofgenericmaturitylevels,but insteaddefinespecificmaturitylevelsforeachfocusarea.ThecapabilitiesarenumberedA,B, CandD.Theoverallmaturityofanorganizationisexpressedasacombinationofthespecific maturitylevels.ThearrowsintherightpartoftheFigureshowtheinterrelatedwayinwhich thecapabilitiescangrowbetweenthefocusareas. TheMIGmodelv.1.0isshowninTable7.TheMIGmodelisamaturitymodelconsisting ofthreeparts:softgovernance,hardgovernanceandthecontext(ofanorganization).The maturitypartoftheMIGmodelconsistsofhardandsoftgovernance.TheMIGmodelconsists offourfocusareasforsoftgovernance:continuousimprovement,leadership,participation, andunderstandingandtrust.Thefivefocusareasforhardgovernancecomprise:functionsand roles,formalnetworks,ITdecision-making,planningandmonitoring.Therearethreefocus areasinthecontext:culture,informalorganizationandsector.Thecontextisplacedoutside ofthematuritypart. Mostmaturitymodelsonlyenumeratematuritylevelswithoutconsideringthesituational aspectsoftheorganizationaldesigns(Mettler&Rohner,2009).Severalstudieshavefoundthat ITgovernanceissituational(ITGI,2011;Rogers,2009;Sethibe,Campbell,&McDonald,2007). Thisimpliesthataone-size-fits-allapproachtoITgovernancemaynotworkinallcircumstances (Brinkkemper,1996).Situationalmaturitymodelsareconfiguredspecificallyforthe(typeof) organizationorsectorathand(Mettler&Rohner,2009).Thecontextofanorganizationcanbe dividedintotheinternalcontext(withintheorganization)andtheexternalcontext(theenvironment). Someofthefocusareascouldbedeemedvalue-free.Ifafocusareaisvalue-free,itisnotpossible toimproveorgrowbecausethedirectionoftheimprovementcannotbedetermined.Thesefocus areasshouldbeaddedtothecontextcomponentasthesituationalpartofthematuritymodel,as proposedbyMettlerandRohner(2009). InordertobeabletousetheMIGmodelinpractice,acorrespondingassessmentinstrument wasdesigned.Weusedversion3whichincludestwoviewsofanorganization:departmentand entireorganization.

Table 7. The MIG model version 1.0 (end result)

Governance Domain Focus Area Maturity Model Used

Soft

Behavior Continuousimprovement Bessantetal.(2001)

Leadership Collins(2001)

Collaboration Participation Magdalenoetal.(2011) Understandingandtrust ReichandBenbasat(1996) Hard Structure Functionsandroles CMM(Paulketal.,1991) (usedforallfivefocusareas) Formalnetworks Process ITdecision-making Planning Monitoring Context Internal Culture QuinnandRohrbaugh(1983)

Informalorganization Usingtheninehardandsoftgovernance_{focusareas.} External Sector SectionsofNACERev.2(Eurostat,2008)

other Types of Maturity-related Research AnoverviewoftherestoftheresearchpapersnotspecifyingorusinganITgovernancematuritymodel. Atheoreticalstudyusingdatafrom20Emiratiorganizationstoevaluatehowafirm’sfive governancedomainsaffectthelevelofITgovernancematurityandhowafirm’sfiveproposed governancemechanismsshapetheoveralleffectivenessofITgovernance(Alagha,2013).Inthis research,DahlbergandKivijärvi’s(2006)fiveITgovernancedomainsareused:(1)Alignment ofbusinessandIT,(2)MonitoringofITresources,risksandmanagement,(3)MonitoringofIT performancemeasurement,(4)Evaluationofvaluedelivery,(5)ITgovernancedevelopment.Albayrak andGadatsch(2012)describeanintegratedreferencemodelforITperformancemeasurementbased onalife-cyclemodelandaperformance-orientedframework.Thereferencemodeldoesnotinclude amaturitymodel. BianchiandSousa(2015)describetheintendeddesignscienceapproachtodevelopanIT governancemodelwithstructures,processesandrelationalmechanismssuitableforpublicsector universitieswithguidelinesforeffectiveandefficientITgovernance.Ashortpaper–3pages– describingastudybasedondatafrom20organizationswithinfinancialservices,telecommunications, manufacturing,andpublicserviceasidentifiedthemostinfluentialITgovernancedomainfor increasingthelevelofITgovernancematurity(Elagha,2014).Itmakesuseofpartialleastsquares pathmodellingandfindsmonitoringofITperformancemeasurementtobethemostinfluentialIT governancedomain,andtheimplementationofacorporatecommunicationsystemsasthemost influentialITgovernancemechanism. SaetangandHaider(2012)havedevelopedaresearchframeworkforinvestigatingeffectiveIT governanceimplementationusingtheDualityofTechnology(Orlikowski,1992)andtheAdaptive StructurationTheory(DeSanctis&Poole,1994).Thisisinterestingbecausetheycanbeconsidered alternativerepresentationsofhardandsoftgovernance.TheDualityofTechnologymodelconcerns thedualismbetweenobjective,structuralfeaturesoforganizationsandsubjective,knowledgeable actionofhumanagents.Inotherwords:theinterplaybetweenthetypesofstructuresinherentto technologiesandthestructuresthatemergeinhumanactionaspeopleinteractwiththesetechnologies. AstudyusingasurveyquestionnairetodeterminethestatusofITgovernanceinuniversities inadevelopingcountry(Ghana)throughassessingthedriversandbarrierstopursuingformalIT governancehasmeasuredtheextenttowhichuniversitiesalignITgoalswithacademicandbusiness objectivesinordertodeterminetheITgovernancematuritylevel(Yaokumahetal.,2015).

DISCUSSIoN oF THe ReSULTS oF THe CASe STUDy eXAMPLe

PartBofthissectioncoversadiscussionofthecasestudyconductedusingtheMIGmodelandMIG assessmentinstrumentdescribedingroup7.TheresultssheetoftheMIGassessmentinstrumentwas helpfulduringthesemi-structuredinterviewsindiscussingthefocusareas.Becausetheorganization waswell-knownbyoneoftheresearcherswealreadyknewalotaboutthestrongandweakpoints oftheorganization.Duringtheinterviewsitemergedthattheparticipantsneedfurtherorbetter explanationsofthesemantics/termsusedintheassessmentaswellastheresult-sheets. Theresultsoftheassessmentweresharedwiththeparticipatingorganizationinaso-called MIGreport.TheMIGreportwaskeptassimpleaspossibleusingthedatafromtheassessments andtheinterviews. Thereportstructurewasasfollows: 1. Introduction:Ashortintroductiontohardandsoftgovernancematurityandadescriptionof theassessmentprocess;

2. Summary, conclusion and recommendation:Ananonymoussummaryincludingconclusions andrecommendationbasedonthenextmaturitylevelbasedonanestimationofthegeneral maturitylevelforeachfocusarea; 3. Results:Adetailedanonymousoverviewofassessmentresults(seeFigure2); 4. Appendices:Allotherinformationsuchasasummaryoftheassessmentprocess,anoverview oftheparticipants,etc. Wedidn’tnoticesubstantialdifferencesbetweentheresultsoftheinterviewsandourownexperiences withintheorganization.Thismighthoweverbetheresultofsearchingforaffirmationofourown experiencesduringtheinterview,althoughwekeptourselvesstrictlytothecase-studyprotocol. evaluation of the Case Study

Laststepinthecasestudyprotocolwasaninvitationtotheparticipantsofthecasestudytofillouta shortevaluationquestionnaire.Theevaluationformusedwascreatedbasedonanevaluationtemplate forexpertreviewsofmaturitymodels(Salahetal.,2014).Theparticipantswereinvitedtofillout theevaluationquestionnaireaftertheinterview.Thequestionnairewasreturnedbysixoutofseven participants(86%). Thequestionnaireusedasix-pointLikertscalerangingfrom“Disagreecompletely”(valuedas onepoint)to“Agreecompletely”(valuedassixpoints).Theself-reportedaverageexpertisewithIT governancewashigh:5.8onascaleofonetoseven(seeFigure3). Theparticipantswereratherpositiveabouttheusefulnessandusabilityoftheresultsofthe instrument(inmostcasesbeingbetween4.5and5.2onascaleoutof6).Furthermore,theevaluation scoresindicatethatcombiningtheinstrumentwithinterviewsconsistentlyresultsinhigherscores. Theevaluationsurveyamongtheparticipantsyieldedpositiveresultsregardingtheusefulness andusabilityoftheresultsoftheinstrumentandtheparticipantsrespondedpositiveontheusability oftheresultsheet.Thus,theMIGinstrumentcanbeusedinpractice,butfurtherimprovements arerequiredtoreducethedeviationbetweentheresultsoftheinstrumentandtheopinionsofthe participants,aswellastofixcertaindeficiencies.

CoNCLUSIoN Thissectionsummarizestheanswerstotheresearchquestions: RQ1:WhichnewITgovernancematuritymodelsareavailableintheliterature? Thesystematicliteraturereviewrevealed34newpapersdiscussingITgovernancematuritysince 2012.COBITwasusedin13papers,whilefiveotherscombineditwithotherbestpracticeframeworks. Intheliteraturereviewwefoundfive(relatively)newITgovernancematuritymodels,partlybased onpreviousresearch:theM2A3-ITgovernancemodel,theNineITgovernancecategories,theGreen ITgovernancemodel,theITgovernanceandoperationframeworkandtheMIGmodel.Withone exception,noneoftheselectedmaturitymodel-relatedpapersfocusedonsocialor(morespecifically) thesoftgovernance-relatedfocusareasincludedintheMIGmodel.Oneexceptionwastheresearch paperbySaetangandHaider(2012),whoselectedtheDualityofTechnology(Orlikowski,1992)and theAdaptiveStructurationTheory(DeSanctis&Poole,1994)todeveloparesearchframeworkto investigateeffectiveITgovernanceimplementation.Bothcanbeseenasalternativerepresentations ofhardandsoftgovernance.However,theresearchframeworkdoesnotincludeamaturitymodel. RQ2:Isthere(still)amismatchbetweenITgovernancematuritypracticeandtheoreticalframeworks? PreviousresearchindicatedamismatchbetweentheITgovernanceliteratureandpractice(ITGI, 2011;Smits&vanHillegersberg,2013,2014a).BesidesspecificITgovernanceframeworkslike COBITandISO/IEC38500inpracticeallkindofframeworksareused(seecolumn‘content’inTable 1).UntilrecentlyITgovernanceframeworksaremostlydirectedatthehardpartofgovernance.Soft governanceispartofeverydaypracticeandneedsgreaterattention.Thisstudyrevealedfivenew ITgovernancematuritymodels.WefoundtwoframeworkscoveringhardandsoftITgovernance: COBIT5.0inaholisticwayandtheMIGmodelinamorepracticalway. NoneoftheselectedpapersdemonstratedapracticalmeansofusingCOBIT5.0tomeasureor improvehardandsoftgovernance.AsidefromtheMIGmodel,socialelementslikecollaboration, behaviorandculturearenotincludedintheseframeworks.Thus,itwouldappearthatasofsummer 2018,hardandsoftITgovernancearecoveredbyCOBIT5.0inaholisticwayandintheMIG modelinamorepracticalway.ApplyingtheMIGmodelislikelytohelpnarrowthegapbetweenIT governancematuritytheoryandpractice. ThecasestudyexampleweconducteddemonstratedtheuseoftheMIGmodelandinstrumentto determinethehardandsoftITgovernancematuritylevelofanorganization.Ingeneraltheparticipants agreedthattheinstrumentisusablewhencombinedwithinterviews.TheMIGmodelislargelybased onframeworksfromtheappropriateliterature(seeTable7).Thestudydemonstratesawaytoreduce Figure 3. Evaluation of the use of the MIG instrument

themismatchbetweenhardandsoftITgovernancematuritytheoryandpractice.ApplyingtheMIG modelresultsinanewapproachwithafocusonhardandsoftITgovernancematurity. LIMITATIoNS ThesystematicliteraturereviewwasconductedusingScopus.Scopusistheworld’slargestabstract andcitationdatabasebutnotalwayscompleteanduptodate.Theremightbepapersmissing.The MIGmodelandtheMIGassessmentinstrumentaredesignedandused(primarily)intheNetherlands. Thisalsoappliestothevalidation,whichwaslimitedtoorganizationsintheNetherlandsandlarge multi-nationals,varyingwidelyinsizeandindustrialsector.Itwouldbeinterestingtouseandvalidate themodelinothercountries. FURTHeR ReSeARCH TheMIGmodelislikelytohelpnarrowthegapbetweenITgovernancematuritytheoryand practice,howeverthemodelisnotyetcomplete.TheMIGmodelisafocusareamaturitymodel,but dependenciesbetweentheidentifiedcapabilitiesandapositioningofthecapabilitiesinamatrixare missing.Thisalsoappliestotheavailabilityofstandardorsuggestedimprovementactionstothe maturitylevelsofthefocusareas.TheMIGinstrumentwascreatedinExcel,anonlineversionof theinstrumentmightbeeasiertouse.

ReFeReNCeS

Alagha,H.(2013).ExaminingtherelationshipbetweenITgovernancedomains,maturity,mechanisms,and performance:Anempiricalstudytowardaconceptualframework.Paper presented at theTenth International

Conference on Information Technology: New Generations (ITNG).AcademicPress.doi:10.1109/ITNG.2013.122

Albayrak,A.,&Gadatsch,A.(2012).ITGovernancemodelforsmallandmediumsizedenterprises.Paper presented at

the Munich, European, Mediterranean & Middle East Conference on Information Systems (EMOIS).AcademicPress.

Andersen,K.V.,&Henriksen,H.Z.(2006).E-governmentmaturitymodels:ExtensionoftheLayneandLee model.Government Information Quarterly,23(2),236–248.doi:10.1016/j.giq.2005.11.008

Ateşer,M.,&Tanriöver,Ö.(2014).InvestigationoftheCobitframework’sinput\outputrelationshipsbyusing graphmetrics.Paper presented at theFederated Conference on Computer Science and Information Systems

(FedCSIS).AcademicPress.doi:10.15439/2014F178

Bach, J. (1995). Enough about process: What we need are heroes. Software, IEEE, 12(2), 96–98. doi:10.1109/52.368273

Becker,J.,Knackstedt,R.,&Pöppelbuß,D.-W.I.J.(2009).DevelopingmaturitymodelsforITmanagement.

Business & Information Systems Engineering,1(3),213–222.doi:10.1007/s12599-009-0044-5

Bessant,J.,Caffyn,S.,&Gallagher,M.(2001).Anevolutionarymodelofcontinuousimprovementbehaviour.

Technovation,21(2),67–77.doi:10.1016/S0166-4972(00)00023-7

Bianchi,I.S.,&Sousa,R.D.(2015).ITgovernanceforpublicuniversities:ProposalforaframeworkusingDesign ScienceResearch.Paper presented at the 26th International Business Information Management Association

Conference - Innovation Management And Sustainable Economic Competitive,Madrid,Spain.AcademicPress.

Brinkkemper,S.(1996).Methodengineering:Engineeringofinformationsystemsdevelopmentmethodsand tools.Information and Software Technology,38(4),275–280.doi:10.1016/0950-5849(95)01059-9

Brown,C.V.(1997).ExaminingtheemergenceofhybridISgovernancesolutions:Evidencefromasinglecase site.Information Systems Research,8(1),69–94.doi:10.1287/isre.8.1.69

Collins,J.(2001).Level5leadership:Thetriumphofhumilityandfierceresolve.Harvard Business Review,

79(1),66–76.PMID:11189464

Cook,D.M.(2010).TheUseofGovernancetoIdentifyCyberThreatsThroughSocialMedia.Paperpresented atthe2010internationalcyberresilienceconference.AcademicPress.

Crosby,P.B.(1979).Quality is free: The art of making quality certain(Vol.94).NewYork:McGraw-Hill. Curry,E.,Guyon,B.,Sheridan,C.,&Donnellan,B.(2012).SustainableIT:Challenges,postures,andoutcomes.

Computer,45(11),79–81.doi:10.1109/MC.2012.385

Dahlberg,T.,&Kivijärvi,H.(2006).AnintegratedframeworkforITgovernanceandthedevelopmentand validationofanassessmentinstrument.Paper presented at the39th Annual Hawaii International Conference

on System Sciences (HICSS),Kauai,HI.AcademicPress.doi:10.1109/HICSS.2006.57

Dalipi,F.,&Shej,A.(2012).TowardsanintegratedmodelofoptimizingtheefficiencyofITinorganizations. InICT Innovations 2011(pp.311–323).Springer.doi:10.1007/978-3-642-28664-3_29

DeBruin,T.,Freeze,R.,Kaulkarni,U.,&Rosemann,M.(2005).Understandingthemainphasesofdeveloping amaturityassessmentmodel.Paper presented at theAustralasian Conference on Information Systems (ACIS), Sydney,NewSouthWales,Australia.AcademicPress.

DeHaes,S.,VanGrembergen,W.,&Debreceny,R.S.(2013).COBIT5andenterprisegovernanceofinformation technology:Buildingblocksandresearchopportunities.Journal of Information Systems,27(1),307–324. doi:10.2308/isys-50422

deMoraes,A.J.M.(2013).Proposalofresultindicatorsformonitoringofoperationalinitiativesofinformation technology(IT)bytheitgovernance-through12(twelve)operationalareasofIT-Inordertocheckhowthese arerelatedtocorporate’sstrategicplanning.Paper presented at the 17th World Multi-Conference on Systemics,

deMoraes,A.J.M.(2014).Casestudy:ImplementationofITgovernanceinamajorindustrylocatedinBrazil’s centralregion(issuesandresults).Paper presented at the 18th World Multi-Conference on Systemics, Cybernetics

and Informatics (WMSCI).AcademicPress.

DeSanctis,G.,&Poole,M.S.(1994).Capturingthecomplexityinadvancedtechnologyuse:Adaptive structurationtheory.Organization Science,5(2),121–147.doi:10.1287/orsc.5.2.121

Donnellan,B.,Sheridan,C.,&Curry,E.(2011).Acapabilitymaturityframeworkforsustainableinformation andcommunicationtechnology.IT Professional,13(1),33–40.doi:10.1109/MITP.2011.2

Elagha,H.(2014).TheuseofpartialleastsquarespathmodelinginITgovernancediscipline.Paper presented

at the11th International Conference on Information Technology: New Generations (ITNG).AcademicPress.

doi:10.1109/ITNG.2014.97

Eurostat.(2008).NACE Rev. 2 Statistical classification of economic activities in the European Community. French,J.,Raven,B.,&Cartwright,D.(1959).Thebasesofsocialpower.Classics of organization theory, 7, 311-320. Helfat,C.E.,&Peteraf,M.A.(2003).Thedynamicresource‐basedview:Capabilitylifecycles.Strategic Management Journal,24(10),997–1010.doi:10.1002/smj.332 Ibrahim,L.,&Nurpulaela,L.(2016).EvaluationofITgovernancetosupportIToperationexcellentbasedon COBIT4.1atthePTTimahTbk.Paperpresentedatthe20163rdInternationalConferenceonInformation Technology,Computer,andElectricalEngineering(ICITACEE).AcademicPress.

ISACA.(2012).COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA.(2018).COBIT 2019 Framework: Governance and Management Objectives.

Ishaq,A.,Mukhtar,M.,Wahyudi,M.,Indriani,K.,Elham,A.,Kayed,A.,&Terekhin,S.N.et al.(2017). Informationtechnologygovernanceusingcobit4.0domaindeliverysupportandmonitoringevaluation.Journal

of Theoretical and Applied Information Technology,95(20).

Itakura,H.(2007).ITgovernance:Organizationalcapabilities’view.Paper presented at thePortland International

Conference on Management of Engineering&Technology (PICMET’07),Portland,OR.AcademicPress.

ITGI.(2003).Board briefing on IT governance.RetrievedfromITGI.(2008).GovernanceGlobalStatusReport. ITGI.(2011).Global Status Report on the Governance of Enterprise IT.GEIT.

Janahi,L.,Griffiths,M.,&Al-Ammal,H.(2015).AconceptualmodelforITgovernanceinpublicsectors. PaperpresentedattheFourth International Conference on Future Generation Communication Technology

(FGCT).AcademicPress.

Joshi,A.,Bollen,L.,Hassink,H.,DeHaes,S.,&VanGrembergen,W.(2018).ExplainingITgovernance disclosurethroughtheconstructsofITgovernancematurityandITstrategicrole.Information & Management,

55(3),368–380.doi:10.1016/j.im.2017.09.003

Keasey,K.,&Wright,M.(1993).Issuesincorporateaccountabilityandgovernance:Aneditorial.Accounting

and Business Research,23(suppl.1),291–303.

Kitchenham,B.,Brereton,O.P.,Budgen,D.,Turner,M.,Bailey,J.,&Linkman,S.(2009).Systematicliterature reviewsinsoftwareengineering–asystematicliteraturereview.Information and Software Technology,51(1), 7–15.doi:10.1016/j.infsof.2008.09.009

Kitchenham,B.,PearlBrereton,O.,Budgen,D.,Turner,M.,Bailey,J.,&Linkman,S.(2004).Procedures for

performing systematic reviews.

Kosasi,S.(2015).Thematuritylevelofinformationtechnologygovernanceofonlinecosmeticsbusiness.

Paper presented at theInternational Conference on New Media (CONMEDIA).AcademicPress.doi:10.1109/

CONMEDIA.2015.7449140

Lainhart,I.IV,&John,W.(2000).WhyITgovernanceisatopmanagementissue.Journal of Corporate