
Journal of Contemporary Management

On-line version ISSN 1815-7440

JCMAN vol.7 no.1 Meyerton  2010

 

RESEARCH ARTICLES

 

The board and IT governance: towards practical implementation guidelines

 

 

S Posthumus; R von Solms

Nelson Mandela Metropolitan University

 

 


ABSTRACT

This paper addresses the need for clear guidance on IT governance and its implementation based on the current lack of board level understanding of strategic IT-related issues. The paper briefly discusses a model that was developed to provide guidance to boards of directors on how to strategically direct and control IT, i.e. the WHAT, WHO and HOW of IT Governance (WWH-ITG) Model. Then a set of implementation guidelines to facilitate the implementation of the WWH-ITG Model is introduced and discussed in detail. Through this, various key aspects central to ensuring that IT governance is applied effectively in an organisation are highlighted.

Key phrases: Board of Directors, Penta-Bottom-Line, Responsible, Accountable, Consulted, Informed, IT Governance


 

 

1 INTRODUCTION

The necessity to incorporate IT governance as part of corporate governance is comparable to the need for IT to be a fundamental organisational constituent as opposed to a function executed in remote corners or ivory towers (IT Governance Institute 2003: Internet). However, the implementation of IT governance can prove to be a significant challenge. This is because many boards of directors do not fully grasp the degree to which their organisations depend operationally on IT systems or the degree to which IT contributes toward shaping organisational business strategy (Nolan & McFarlan 2005:96).

This lack of clarity served as a key motivation for the development of a model to guide IT governance. This model identified as the WHAT, WHO and HOW of IT Governance (WWH-ITG) Model was discussed in a paper titled: "The Board and IT Governance: The What, Who and How" (Posthumus et al. 2010). This paper focuses on addressing three key questions that boards of directors should attempt to answer when establishing IT Governance in their organisations. These three questions are: WHAT issues relating to IT should a board focus on? WHO should assist the board in ensuring that such issues are addressed appropriately? HOW should such issues be addressed? Furthermore, while it is important to provide such guidance it is also necessary to provide more specific guidance on the implementation of IT Governance and, thus the WWH-ITG Model. This is because few guidelines, if any, of this nature exist. For this reason, the primary objective of the research presented in this paper was to develop a set of implementation guidelines for IT Governance based on the WWH-ITG Model.

To demonstrate how this objective was achieved, it is necessary to discuss the various research techniques that were applied. The reasons for their application are motivated through some discussion on the research philosophy apparent to this paper. The research methodology applied is also illustrated and discussed. This helps to provide some background as to how the WWH-ITG Model itself was developed. Some discussion on the WWH-ITG Model then follows, highlighting its key components and its utility as a means of providing guidance to boards with relation to IT Governance. Hereafter, the implementation guidelines are introduced and some explanation is given as to how they were derived and validated. Each of the guidelines is then discussed in detail and some concluding remarks are provided.

 

2 RESEARCH PHILOSOPHY

In order to appreciate the perspective of a given research undertaking, it is necessary to motivate the underlying research philosophy. This paper addresses the challenge of implementing effective IT governance given the pervasive role of IT in facilitating and driving core business operations. The specific focus involves the exploration and modelling of the IT governance constructs that facilitate the coordination of board level responsibility for IT.

A key element of governance in general includes people. When people are involved in a particular situation, that situation becomes part of a social phenomenon. The social sciences are concerned with the study of social phenomena by examining the actions and behaviours generated from within the human mind. The study of social phenomena typically occurs outside of a laboratory environment where conditions cannot be easily controlled and are generally considered to be quite complex and "messy" (Robson 1993). Therefore, greater emphasis is placed on the meaning of what is being researched rather than on the measurement of the research data itself. This meaning is examined through the utilization of various qualitative research techniques.

Qualitative research techniques have thus been applied to this research to draw facts relating to social behaviour. These facts are used to motivate a solution to the challenges associated with such behaviour. As a result, the research philosophy of this paper falls more within the social scientific paradigm, and is thus more qualitative in nature. As such, the particular qualitative research techniques applied include:

Literature study;

Qualitative content analysis;

Triangulation;

Arguing;

Modelling, and

Elite interviewing.

The methodology used to implement the above research techniques is discussed in a subsequent section in the paper, as the techniques were employed chronologically. Figure 1 illustrates the relationships between the various research techniques employed and provides an overview of the methodology followed. These research techniques and research methodology were then applied in order to develop the WWH-ITG Model.

 

 

3 A MODEL TO GUIDE IT GOVERNANCE: THE WWH-ITG MODEL

The reason for the development of the model stemmed from a thorough literature study that was conducted across the fields of corporate governance and IT governance. Through this literature study it was discovered that there is a general lack of IT expertise at board level. This expertise relates to what should be done in order to strategically direct and control IT appropriately. In order to determine the extent of such expertise with respect to IT Governance, a qualitative content analysis was conducted.

Through this qualitative content analysis, sixty organisations across multiple business domains each in South Africa, the United Kingdom and the United States were examined. This was done in order to collect data reflecting the extent of board level IT expertise. Specific criteria were used against which each organisation was benchmarked to objectively determine the extent of board level IT expertise present.

The data collected through the qualitative content analysis was critically analysed and logically interpreted through triangulation against additional data acquired through further literature investigation. This served to improve the reliability and research rigor applied in order to justify the need for the model. Once this had been achieved, an additional literature study was conducted which focused on various management related theories.

The purpose of this was to identify a sound theoretical basis upon which a model could be developed. One theory that was identified as offering utility in this regard was agency theory. The means by which agency theory was applied to support the development of the model was discussed in the paper titled "Agency Theory: Can it be used to strengthen IT governance?" (Posthumus & von Solms 2008). Once the utility of applying agency theory had been sufficiently motivated and validated, the model was constructed.

An initial draft of the model was developed and then qualitatively evaluated through an expert/elite interview in order to improve its validity and reliability. The expert interviewed to provide a professional opinion on the model was Judge Mervyn King, chairperson of the King Committee, responsible for drafting the three King Reports on Corporate Governance. Judge King offered feedback and recommendations on the model through which several aspects pertinent to the strategic directing and controlling of IT by the board were indicated.

Based on the feedback and recommendations it was agreed that the model be structured according to the three key aspects relating to IT Governance mentioned earlier in this paper. Each of these aspects indicates a particular question that a board should consider in order to strategically direct and control IT effectively. To reiterate, these questions are WHAT issues relating to IT should a board focus on? WHO should assist the board in ensuring that such issues are addressed appropriately? HOW should such issues be addressed? Based on these questions the model was termed as the WWH-ITG Model i.e. the WHAT, WHO and HOW of IT Governance Model.

With respect to WHAT, it was suggested that IT Governance focus on what Posthumus & Von Solms (2009:126) have termed the IT Penta-Bottom-Line. The IT Penta-Bottom-Line identifies the five key focus areas of IT Governance i.e. strategic alignment, value delivery, risk management, resource management and performance measurement. It was further suggested that the board issue IT-related directives in terms of each of these five focus areas just as they should issue directives in terms of the Triple-Bottom-Line, as recommended in the King II Report (2002) with respect to corporate governance.

With respect to WHO should assist the board, various key personnel and board-level committees were identified and their responsibilities discussed. It was suggested that either an audit committee, risk management committee or a dedicated IT oversight committee be responsible for advising the board in terms of directing and controlling IT with consideration for the IT Penta-Bottom-Line.

With respect to HOW IT-related issues should be addressed, an IT Strategic Impact Grid, developed by Nolan & McFarlan (2005:99), was introduced. The IT Strategic Impact Grid categorizes two broad strategies that organisations typically follow in relation to their dependence on IT. These strategies are a defensive IT strategy and an offensive IT strategy. Depending on which strategy an organisation follows it was also shown that an organisation would operate according to a particular IT mode. These modes are support mode, factory mode, turnaround mode and strategic mode. Recommendations were then made in terms of which board-level committee would be most suitable for facilitating board-level IT decision making depending on the mode an organisation operates in. Additionally, it was suggested that the IT mode also determines the frequency of board committee meetings and IT Governance status reports.

Based on the discussions regarding these three questions, the WWH-ITG Model was completed and it was indicated how consideration for each of these three questions is vital to ensure the success of IT Governance. Figure 2 illustrates the WWH-ITG Model to guide IT Governance demonstrating the WHAT, WHO and HOW as far as the board's involvement in IT governance is concerned.

 

 

As mentioned earlier, the WWH-ITG model provides the basis for the development of the implementation guidelines for IT Governance. These implementation guidelines supplement the WWH-ITG Model by providing a board with more specific guidance on how to implement IT governance with consideration for the key aspects highlighted by the model.

 

4 THE WWH-ITG MODEL IMPLEMENTATION GUIDELINES

In order to clearly demonstrate how the WWH-ITG Model implementation guidelines supplement the WWH-ITG Model some explanation is required relating to how they were derived. Hereafter, each of the guidelines is discussed respectively in more detail.

4.1. THE WWH-ITG MODEL IMPLEMENTATION GUIDELINES EXPLAINED

By examining several sources of IT governance literature it becomes possible to identify key issues playing a role in terms of its implementation. Based on these issues a set of general guidelines can be presented and discussed to illustrate how to implement IT governance through the WWH-ITG Model.

De Haes & Van Grembergen (2004:1) define IT governance as "the leadership and organisational structures, processes and relational mechanisms that ensure that an organisation's IT sustains and extends its strategy and objectives". In relation to this definition, De Haes & Van Grembergen (2004:2) discuss a framework by Peterson (2003) that illustrates that such structures and processes include the delegation of roles and responsibilities, strategic IT decision-making, strategic IT monitoring and the measurement of IT governance maturity.

Additionally, in the document "Board Briefing on IT Governance, 2nd Edition", the IT Governance Institute (2003:Internet) states that "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives". Furthermore, the IT Governance Institute (2003:Internet) claims that "for effective IT governance to be implemented, enterprises need to assess how well they are currently performing and be able to identify where and how improvements can be made. This applies to both the IT governance process itself and all the processes that need to be managed within IT".

The National Computing Center (2005:Internet) states that "top level commitment [to IT governance] backed up by clear accountability is a necessity. IT governance needs a mandate and direction from board/executive level management if it is to succeed in practice. Management responsibilities and accountabilities in the business as well as IT must be clearly defined [and] measurement systems will ensure objectives are owned and monitored". Upon closer examination of the literature presented above it can be clearly shown that each source refers to similar issues relating to the effective implementation of IT governance. From these issues clear guidelines can be derived.

Firstly, it is important to delegate IT governance roles and responsibilities. This can be achieved through responsible, accountable, consulted and informed, i.e. RACI (pronounced "racey") charts. Therefore, the use of RACI charts serves as a clear guideline in terms of how to delegate IT governance roles and responsibilities.

Strategic IT decision making determines how an organisation should direct IT in alignment with corporate vision and mission. Thus, the issuing of clear, measurable directives is a necessity and some guidelines can be presented in terms of how IT-related directives could be issued.

Strategic monitoring and assessment of IT governance processes needs to be reported to the board. It is necessary to provide some guidelines in terms of how such reports should be laid out and presented to the board. This will enable the board to control IT governance appropriately and ensure that well informed decisions are made.

Lastly, the measurement of IT governance efficiency is important because this helps to gauge the maturity of an organisation's IT governance function. Therefore, guidelines in terms of how to measure the overall efficiency of IT governance can be offered.

An initial draft of these implementation guidelines was prepared and qualitatively evaluated through expert/elite interviews to test their validity. The experts interviewed were Professor S.H. (Basie) von Solms, a research professor at the University of Johannesburg and then President of the International Federation for Information Processing (IFIP) and Dr Alewyn Burger, the Chief Operations Officer (COO) of the Standard Bank in South Africa. Based on the feedback offered by Professor von Solms and Dr Burger, the implementation guidelines were amended. These guidelines are discussed below. It is, however, important to note that the proposal and motivation of such implementation guidelines merely represents one approach that may be applied, and should, therefore by no means be considered as a standard.

4.2. GUIDELINES FOR RACI

A RACI chart is a role assignment system that provides structure and clarity to the assignment of individual roles. These roles are undertaken as part of a team that executes a specific function or process. It is a simple grid system used to clarify individual roles and ensure that a team addresses everything that needs to be accomplished.

Through the RACI system, every task and decision is documented, and roles are mapped and clarified according to: who is Responsible, who is Accountable, who is Consulted and who is Informed (i.e. RACI) of certain issues to ensure that a function or process is executed effectively (Gyani 2008:Internet). In terms of the WWH-ITG Model, it is important to clearly specify the role players and their roles in order to minimize gaps, overlaps and confusion about who plays what role in ensuring success in the implementation of IT governance. This is achieved through the development of a WWH-ITG Model RACI chart which is constructed as follows:

1. The first step is to identify what processes need to be executed based on the WWH-ITG Model to ensure that IT governance is carried out effectively. In this regard, the WHAT factor of the WWH-ITG Model, i.e. Penta-Bottom-Line, is important. There needs to be a process in place to ensure that each of the focus areas of the Penta-Bottom-Line is addressed. Additionally, reporting to the board on the status of each of the Penta-Bottom-Line processes is necessary. Thus, Penta-Bottom-Line reporting was also identified as a necessary process.

Each of these processes should be listed along the left hand side of the WWH-ITG Model RACI chart.

2. The next step is to identify the key role players i.e. who is involved in ensuring that the Penta-Bottom-Line processes are executed effectively. Thus, the WHO factor of the WWH-ITG Model becomes important. In this regard, the key role players are the board of directors, a board-level committee, the Chief Executive Officer (CEO) and the Chief Information Officer (CIO). These role players are listed along the top of the WWH-ITG Model RACI chart.

3. Once the processes and role players have been identified, it is necessary to delegate various roles to each role player for each process that needs to be executed. This will ensure that the implementation of the WWH-ITG Model for IT governance is successful. In this regard, some suggestions can be made as to how roles could be delegated:

- The board should be accountable for and informed about the execution of each Penta-Bottom-Line process. The board is accountable to the shareholders for the means by which the organisation is directed and controlled, including IT. In order to continuously direct and control effectively, the board needs to apply due care and due diligence through well-informed decision making facilitated by accurate reporting.

- A board committee should be consulted to provide input relating to each Penta-Bottom-Line process before the board issues directives in this regard. The provision of such input to the board is made possible through reporting. One of the elite interviewees, Professor Von Solms, stated that a board committee should therefore be Responsible for reporting IT governance and information security related issues to the full board.

- The CEO should be informed about the execution of each Penta-Bottom-Line process. This is important since the CEO is the key role player in the implementation of an organisation's strategic plan (King II Report 2002:23), which should include consideration for the IT function.

Additionally, the CEO should be consulted to provide input in terms of reporting on each Penta-Bottom-Line process. This is necessary since the CEO must endorse the strategic business plan along with its IT implications (IT Governance Institute 2005a:Internet), approve the IT risk management plan (IT Governance Institute 2005b:Internet), define and monitor performance measurements and develop a suitable incentive-based system to facilitate adherence to such performance measurements (IT Governance Institute 2005c:Internet).

- Finally, the CIO should be responsible for overseeing the execution of each Penta-Bottom-Line process. This is because the CIO serves as the primary executive link between strategic management (i.e. the board) and an organisation's IT function (IT Governance Institute 2005a:Internet). Professor Von Solms stated that a CIO should not be responsible for IT governance and information security reporting but that this should rather be assigned to a board-level committee. However, there is currently much debate in literature around the issue of the inclusion of the CIO as a member of the board. In such a case the CIO may be nominated as a member of a particular board-level committee tasked with addressing IT-related issues. In such a case the CIO may therefore have some responsibility for reporting IT governance and information security related issues to the board. Therefore, the responsible role has also been assigned to the CIO for reporting on IT governance and information security related issues. In the case where an organisation is not able to have its own CIO, another executive possessing sufficient IT-related knowledge and expertise should be assigned as responsible for overseeing the execution of IT Governance. If this executive is nominated to serve on the particular board level committee tasked with addressing IT-related issues then he/she too may be jointly responsible for reporting on IT governance and information security related issues. If he/she is not nominated to a board level committee, this responsibility would be delegated solely to a board level committee.

4. Once roles for each process have been delegated to the role players, it is necessary to ensure that there is at least one responsible role and one accountable role in place for each process. This will ensure that there are no significant role gaps or overlaps for each process in the RACI chart. With the exception of a board committee and the CIO both being responsible for IT governance and information security reporting, as motivated above, no significant gaps or overlaps exist in the WWH-ITG Model RACI chart. Figure 3 illustrates an example of a RACI chart based on the suggestion discussed above which could be used in conjunction with the WWH-ITG Model.

 

 

The WWH-ITG RACI chart provides the executives involved in the implementation of the WWH-ITG Model with clarity as far as their roles in terms of each Penta-Bottom-Line process are concerned. Next it is important to consider how each Penta-Bottom-Line process should be executed. The role of the board is to be accountable for IT governance and how it should be directed and controlled. Therefore, it is necessary that they stipulate how each Penta-Bottom-Line process should be executed. The board can accomplish this by issuing directives for each Penta-Bottom-Line process of the WWH-ITG Model RACI chart. In this regard, some guidelines for issuing such directives can be suggested.

4.3. GUIDELINES FOR DIRECTIVES

It is imperative that the board develop an understanding of how to issue directives in terms of IT in order to ensure that it is directed and controlled in accordance with the business objectives. This can be achieved by developing an understanding of the role which IT plays in an organisation by examining its strategic impact on the business. The HOW factor of the WWH-ITG Model enables this through the IT Strategic Impact Grid, developed by Nolan & McFarlan (2005:99). The IT Strategic Impact Grid classifies organisational dependence on IT according to four modes of IT operation namely: support mode (fairly low need for reliable systems and a low need for IT to be strategic), factory mode (high need for dependable systems and a low need for IT to be strategic), turnaround mode (low need for reliable systems and a high need for IT to be strategic) and strategic mode (high need for reliable systems and a high need for IT to be strategic).

In terms of the WWH-ITG Model, it is necessary to provide the board with more specific guidelines on how they should issue directives for IT depending on the mode of IT operation into which their organisation is categorized according to the IT Strategic Impact Grid. Nolan & McFarlan (2005:99) state that the various modes of IT operation focus on a specific IT spending slogan. Each of these spending slogans provides some indication as to which focus area/s of the IT Penta-Bottom-Line may play a more primary role in each mode of IT operation. This may lead to more detailed directives being issued with respect to these focus areas.

In support mode the spending slogan is "don't waste money". From this it can be deduced that resource management may play a more primary role for organisations in Support Mode. Thus, directives issued for organisations in Support Mode will still address the full IT Penta-Bottom-Line to a minimum level but there may be a greater awareness for resources to be managed effectively. This may necessitate the issuing of more detailed directives for resource management. It will be beneficial for the boards of organisations in support mode to work with their relevant board-level committee, such as an audit committee, and consult ISO/IEC 38500 (2008:Internet), COBIT 4.1 (2007), which can be used as an umbrella framework for IT governance, to help issue appropriate IT-related directives. Additionally, a document such as "IT Governance Domain Practices and Competencies: Governance of Outsourcing" (IT Governance Institute 2005d:Internet) may offer insight into the issuing of more specific directives relating to IT resource management.

For factory mode the spending slogan is "don't cut corners", i.e. do things properly. From this it is logical to assume that value delivery, performance measurement and risk management may play an important role for organisations in factory mode. Thus, directives issued by the board of factory mode organisations, while still addressing the full IT Penta-Bottom-Line to a minimum level, may need to focus more on ensuring that IT investments deliver their expected value, performance is measured effectively to ensure that proper value delivery is achieved and risks are managed appropriately to ensure high performance levels and, thus, also proper value delivery. Risk management also plays a role in uncovering and addressing any issues concerning legal and regulatory compliance and contractual obligations. It may prove beneficial for boards of organisations in factory mode to work with their audit or risk management committee, and consult ISO/IEC 38500 (2008:Internet), COBIT 4.1 (2007) for IT governance in general, Val IT (2006:Internet) for value delivery, ISO/IEC 27002 (2005) for information security and risk management and even the IT Infrastructure Library (ITIL) (2007) for service delivery and performance measurement to help them issue relevant IT-related directives.

For turnaround mode the spending slogan is "don't screw it up". From this it can be logically deduced that strategic alignment and resource management might be more important for organisations in turnaround mode. Thus, directives issued by the board of organisations in turnaround mode, even though addressing the full IT Penta-Bottom-Line to a minimum level, may need to offer more detail on ensuring that IT is strategically aligned with the business objectives and that this is achieved cost-effectively through proper management of resources. This is because it is critical that strategic IT plans for organisations in turnaround mode advance on schedule and within their assigned budget due to the fact that competitive advantage is at stake (Nolan & McFarlan 2005:101). Furthermore, it is vital that issues of legal and regulatory compliance and contractual obligations also be addressed appropriately through relevant directives. It may be useful for the boards of organisations in turnaround mode to work with their IT oversight/governance committee, and consult ISO/IEC 38500 (2008:Internet), COBIT 4.1 (2007) to help provide additional guidance on the issuing of appropriate IT-related directives in this regard.

In strategic mode the spending slogan is "spend what it takes and monitor results intensively". From this it is reasonable to assume that strategic alignment, value delivery, risk management, resource management and performance measurement i.e. all of the IT Penta-Bottom-Line focus areas equally play a critical role for organisations functioning in strategic mode. Organisations in strategic mode typically have a high need for operational reliability coupled with a high need for cutting edge technology in order to place them at the forefront of their industry. Nolan and McFarlan (2005:101) state that in these organisations "new technology informs not only the way they approach the marketplace but also the way they carry out daily operations". Thus, it is suggested that organisations in strategic mode address each of the focus areas of the IT Penta-Bottom-Line in great detail in order to ensure that appropriate directives can be issued in this regard, including issues of legal and regulatory compliance and contractual obligations, which is vital. It could prove to be beneficial for boards of strategic mode organisations to work closely with their IT oversight/governance committee, and consult ISO/IEC 38500 (2008:Internet), COBIT 4.1 (2007), Val IT (2006:Internet) for value delivery, ISO/IEC 27002 (2005) for information security and risk management and also the IT Infrastructure Library (ITIL) (2007) for service delivery and performance measurement to help them issue relevant IT-related directives.

Figure 4 illustrates an example of the suggested importance rating of the IT Penta-Bottom-Line focus areas per mode of IT operation based on the discussion above. It highlights the potential importance of the focus areas of the Penta-Bottom-Line according to a high (H), medium (M) and low (L) importance rating. This offers guidance in terms of how the board could issue directives according to the mode of IT operation their organisation functions in. It is important to stress that this merely represents an example and should in no way be interpreted as being the standard approach to issuing directives.

 

 

It is important to draw attention to the fact that the directives issued by the board in terms of the IT Penta-Bottom-Line may actually overlap several focus areas. For example, a directive could state: "Ensure that current IT projects do not exceed their allocated budget by more than 5% annually". Such a directive may be interpreted as addressing both value delivery and resource management. Note that the example directive stated above displays a factor of measurability.

An important question that can be raised regarding such measurability of directives is "how will such directives actually be measured against to ensure that IT governance is effective?" The answer to this question lies in reporting. Reports must provide the board with relevant information to measure against the IT-related directives issued. To ensure that IT-related reports to the board offer utility in this regard some guidelines for such reporting can be suggested.

4.4. GUIDELINES FOR REPORTING

In the paper titled "The Board and IT Governance: The What, Who and How", reporting was discussed as part of the HOW factor of the WWH-ITG Model. It was stated that the board of directors should be provided with an IT governance-related report on a regular basis. This discussion focused on the frequency of such reporting, which was said to be dependent on the mode of IT operation an organisation functions in according to the IT Strategic Impact Grid. For support mode it was suggested that the board should expect a report at least once a year; for factory mode the board should expect a report at least every six months to a year. Additionally, it was suggested that for turnaround and strategic modes a report should be expected by the board at least every three months.

Besides the frequency of such reporting it is important that the right IT-related information be reported to the board in the IT governance report. Reporting at the strategic level focuses on presenting strategic-level management, i.e. the board of directors, with information that clearly demonstrates levels of compliance with the directives issued for maintaining an organisation's strategic direction. Since the IT governance report is critical to enabling the board to make sound strategic IT-related decisions it is very important that the information in this report be presented to them in a meaningful way. Von Solms (2005) states that IT-related issues should be reported to the board in a format appropriate for facilitating their understanding.

Additionally, Wessels et al. (2003) state that strategic management requires information that has been processed, analysed and summarised. Thus, it is evident that strategic management reports should contain measurement data that has been aggregated or abstracted and presented in the form of statistics, graphs and/or text (Olivier et al. 2006:41). The board, equipped with such IT governance reports and aided by the advice of a particular board-level committee, should be able to make sound and well-informed strategic IT-related decisions in terms of the IT Penta-Bottom-Line with relation to their specific mode of IT operation.

Besides making sound and well-informed IT-related decisions through the IT governance report it is important for the board to measure the efficiency or maturity of the organisation's IT processes and governance function as a whole. Therefore, some guidelines for measuring IT governance efficiency or maturity can also be suggested.

4.5. GUIDELINES FOR MEASURING IT GOVERNANCE MATURITY

In order to assess the maturity of an organisation's IT governance function, a maturity model can be utilized. Maturity models provide a means for an organisation to grade its maturity in a specific area. The IT Governance Institute has created a particular IT governance maturity model which enables an organisation to assess its maturity level on a scale of 0 to 5, where 0 stands for nonexistent IT governance and 5 stands for optimized IT governance that is forward-looking on IT issues and resolutions (Guldentops et al. 2002:Internet).

Maturity models present an easy-to-understand means for an organisation to establish its "as is" and "to be" position in terms of IT governance and further facilitate benchmarking against best practices and standards. Through this, it becomes easy to identify deficiencies and to stipulate the actions that will facilitate an organisation in addressing such deficiencies and thus progress to the level of IT governance maturity it wishes to attain (Guldentops 2003). It is important for an organisation to comply with the fundamental principles of maturity assessment. In this regard, it can progress to a higher level of IT governance maturity only when all the conditions specified for a certain maturity level are complied with (De Haes & Van Grembergen 2004:Internet).

Figure 5 illustrates an adaptation of the Capability Maturity Model (CMM) discussed by the National Computing Center (2005:Internet) and also includes aspects of the IT Governance Institute's specific IT governance Maturity Model which is also used in COBIT 4.1 (2007). In order to make certain that an organisation's IT resources are managed successfully through IT governance, it is necessary to assess IT governance maturity on an ongoing basis. It is important that the assessment remains objective and focused on an organisation's business requirements. In doing this the organisation will be able to certify that the existing "as is" and aspired "to be" IT governance maturity level is practical and quantifiable (National Computing Center 2005:Internet).

 

 

5 CONCLUSION

It is important that the board of an organisation gain an understanding of the necessity of IT governance. Moreover, it is essential that they become fully aware of WHAT IT-related issues should be addressed at the strategic level, WHO should address these issues and HOW they should be addressed. This can be achieved through a model such as the WWH-ITG Model. In addition to this, it is important that the board and other key organisational role players in terms of IT governance become aware of the specific details that facilitate its implementation. In this regard, there should be clear delegation of IT governance-related roles and the board must understand what IT-related directives they should issue. Furthermore, there should be a well-defined reporting system in place that delivers relevant, non-technical, accurate and timely information to the board on which they can base their strategic IT decision making. Additionally, it is necessary to provide a means of measuring the efficiency or maturity of IT governance itself.

The WWH-ITG Model and its implementation guidelines (as proposed in this paper) offer a crisp and clear means of addressing IT governance at board level. This is supported by the three experts through the input they provided. In this way both the WWH-ITG Model and its implementation guidelines serve to provide an easy to understand road map on how to address IT governance at board level and furthermore serve to operationalise IT governance through the guidelines presented in this paper.

 

REFERENCES

COBIT 4.1. 2007. Control objectives for information and related technology. IT Governance Institute.

DE HAES S & VAN GREMBERGEN W. 2004. IT governance and its mechanisms. [Internet: http://www.isaca.org/Content/ContentGroups/Member_Content/Journal1/20044/jpdf041-ITGovernanceandIts.pdf; downloaded on 2005-09-25].

GULDENTOPS E, VAN GREMBERGEN W & DE HAES S. 2002. Control and governance maturity survey: establishing a reference benchmark and a self-assessment tool. [Internet: http://www.isaca.org/Journal/Past-Issues/2002/Volume-6/Pages/Control-and-Governance-Maturity-Survey-Establishing-a-Reference-Benchmark-and-a-Self-assessment-Tool.aspx; downloaded on 2008-07-10].

GULDENTOPS E. 2003. IT Governance: Part and parcel of corporate governance. European Financial Management & Marketing (EFMA) Conference.

GYANI S. 2008. What is the RACI/ARCI matrix in project management? [Internet: http://www.pmhut.com/what-is-the-raciarci-matrix-in-project-management; downloaded on 2008-11-14].

ISO/IEC 27002. 2005. Information technology - security techniques - code of practice for information security management. ISO/IEC.

ISO/IEC 38500. 2008. Corporate governance of information technology. [Internet: http://www.itgovernance.co.uk/iso38500.aspx; downloaded on 2010-09-09].

IT GOVERNANCE INSTITUTE. 2003. Board briefing on IT governance, 2nd Edition. [Internet: http://www.isaca.org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_IT_Governance/26904_ Board_Briefing_final.pdf; downloaded on 2005-02-26].

IT GOVERNANCE INSTITUTE. 2005a. IT governance domain practices and competencies: IT alignment - who is in charge? [Internet: http://www.itgi.org/template_ITGI275e.html?Section=Recent_Publications&Template=/TaggedPage /TaggedPageDisplay.cfm&TPLID=43&Content ID=14046; downloaded on 23-10-2005].

IT GOVERNANCE INSTITUTE. 2005b. IT governance domain practices and competencies: information risks - whose business are they? [Internet: http://www.itgi.org/template_ITGI275e.html?Section=Recent_Publications&Template=/TaggedPag e/TaggedPageDisplay.cfm&TPLID=43&ContentID=14046; downloaded on 23-10-2005].

IT GOVERNANCE INSTITUTE. 2005c. IT governance domain practices and competencies: measuring and demonstrating the value of IT. [Internet: http://www.itgi.org/template_ITGI275e.html?Section=Recent_Publications &Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=43&ContentID=14046; downloaded on 23-10-2005].

IT GOVERNANCE INSTITUTE. 2005d. IT governance domain practices and competencies: governance of outsourcing. [Internet: http://www.itgi.org/template_ITGI275e.html?Section=Recent_Publications&Template=/TaggedPage/ TaggedPageDisplay.cfm&TPLID=43&Content ID=14046; downloaded on 23-10-2005].

IT INFRASTRUCTURE LIBRARY (ITIL). 2007. IT infrastructure library (ITIL). The Stationery Office.

KING II REPORT. 2002. The King report on corporate governance for South Africa. Institute of Directors of Southern Africa.

NATIONAL COMPUTING CENTER. 2005. IT governance: developing a successful governance strategy - a best practice guide for decision makers in IT. [Internet: http://www.itgi.org/Template_ITGI.cfm?Section=Business,_Management_and_Governance1&CONTENTID =33527&TEMPLATE=/ContentManagement/ContentDisplay.cfm; downloaded on 2008-05-10].

NOLAN R & MCFARLAN FW. 2005. Information technology and the board of directors. Harvard Business Review. 83(10):96-106.

OLIVIER C, VON SOLMS R & COWLEY N. 2006. Movis: A model for the visualization of information security. Nelson Mandela Metropolitan University.

PETERSON R. 2003. Information strategies and tactics for information technology governance. Idea Group Publishing.

POSTHUMUS S & VON SOLMS R. 2008. Agency theory: can it be used to strengthen IT governance? Proceedings of the IFIP TC 11 23rd International Information Security Conference: 687-691.

POSTHUMUS S & VON SOLMS R. 2009. A model for aligning information technology strategic and tactical management. Nelson Mandela Metropolitan University.

POSTHUMUS S, VON SOLMS R & KING M. 2010. The board and IT governance: The what, who and how. South African Journal of Business Management. 41(3):23-32.

ROBSON C. 1993. Real world research: A resource for social scientists and practitioner-researchers. Blackwell Publishers.

VAL IT. 2006. Enterprise value: governance of IT investments - The Val IT framework. [Internet: http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ ContentDisplay.cfm&ContentID=24259; downloaded on 2007-21-03].

VON SOLMS R. 2005. Business information: your company's time bomb? Infocom.

WESSELS P, GROBBELAAR E & MCGEE A. 2003. Information systems in the South African business environment. 2nd edition. LexisNexis Butterworths.

Creative Commons License: All the content of this journal, except where otherwise noted, is licensed under a Creative Commons License.