How Business Drives It
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View How Business Drives It as PDF for free.
More details
- Words: 3,816
- Pages: 5
Copyright © 2007 ISACA. All rights reserved. www.isaca.org.
How Does the Business Drive IT? Identifying, Prioritising and Linking Business and IT Goals By Wim Van Grembergen, Steven De Haes and Hilde Van Brempt n today’s complex and constantly changing business world, the governance of information technology (IT) and the alignment of IT to the business are high on the agenda of executive management. Strategic planning based on the alignment of IT goals to business goals is a key component in business/IT alignment. It is important that an organisation start with a clear view on its corporate mission and a thorough definition of its supporting strategy and business goals. Then, these need to be translated into goals for the IT department, which are the basis for the IT strategy. Finally, the supporting IT processes must be carefully planned to translate the IT strategy into action. For these planning efforts, companies may be looking for guidance to identify the set of important business goals and IT goals and determine how they interrelate. The IT Governance Institute (ITGI)’s research on this subject was illustrated by a previous article1 in the Information Systems Control Journal and led to the publication of a set of generally applicable business goals for IT and associated IT goals in COBIT 4.0. Extensive follow-up research was performed to gain more insight into this set of business and IT goals and their linkage. This article presents the results of the follow-up research project in which experts in different sectors were asked to validate, prioritise and link a set of business goals and IT goals. This research resulted in a significant improvement of the business goals for IT and associated IT goals in COBIT 4.1.
I
Research Background This research project was based on the findings of a pilot study that resulted in a list of 20 generic business goals and 28 generic IT goals, published in COBIT 4.0. The objective of this research was to: • Validate these lists for completeness, consistency and clarity • Gain more insight into goals’ priorities for different sectors • Examine the relationship between IT goals and business goals In practice, every enterprise has its own distinct sets of business and IT goals. Priorities within these sets differ depending on a variety of internal and external factors, such as company size, market position, degree of IT dependency, industry and geography. This project chose an industry approach and started with a pilot study in the financial sector that was then replicated in the following four sectors: • Manufacturing and pharmaceuticals • IT professional services, telecommunications and media • Government, utilities (energy, oil and gas) and healthcare • Retail and transportation
For the prioritisation and linking of the goals, a Delphi method was used. This method is based on a structured process for collecting and distilling knowledge from a group of experts by means of several feedback rounds. A team of experts was asked to prioritise a list of business and IT goals by using a ranking technique, and the averaged results were returned to them. Different rounds were performed to achieve consensus amongst the experts on which were the important goals and how the business goals linked to the IT goals. The ISACA database was used as a major source for identifying subject experts. In total, the participants were 158 business and IT professionals (managers and auditors) from companies in one of the sectors previously mentioned and with more than 150 employees. One of the assumptions was that these experts have sufficient knowledge on both IT and business goals. Figure 1 presents the expert team’s composition by sector and geographic area.
Figure 1—Expert Team Composition Expert Team per Sector
Retail Transportation: 16 Financial: 38
Government, Utilities, Healthcare: 39
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Manufacturing, Pharmaceutical: 25
IT Professional Service, Telco, Media: 40
Expert Team per Geography Australia: 7 Asia: 28 North America: 51 Africa: 14
Middle East: 18
Latin America: 3 Europe: 37
1
speaking, the most important business goals and IT goals. Filtering the results per company size and geography confirmed the stability of these top 10 lists of goals.
Findings The following findings resulted from the study. Identification of Business and IT Goals The outcome of the exercise was an in-depth understanding of business goals and IT goals, and how they interrelate. During the research, the original list of IT goals and business goals (published in COBIT 4.0) was reviewed multiple times and evolved to a generic list of 17 (IT-related) business goals and 18 IT goals. Overlaps, inconsistencies and ambiguities amongst the different goals were reduced to a minimum. The goals turned out to be generically defined and applicable across all sectors. Figure 2 presents the final list of business and IT goals, categorised by their corresponding balanced scorecard (BSC) perspectives. The generically defined goals provide a guideline to help companies identify their set of important business and IT goals. In practice, enterprises will need to develop their own subset, but they can do this efficiently by: • Starting from these generic business and IT goals • Updating them for enterprise specifics (strategy, infrastructure, etc.) • Adding measures to track goal achievement Top 10 Business and IT Goals Both lists of business and IT goals have been prioritised over five different sectors. Figure 3 presents the top 10 most important business and IT goals, consolidated over all sectors. Apart from some minor exceptions, the separate lists of the different sectors include the same business goals and IT goals in their individual top 10 lists. This proves that there is a very high degree of consensus that these 10 goals are, generically
Financial and Customer-oriented Goals2 Although priorities may differ from sector to sector, in general, business goals categorised in the customer and financial perspective of the BSC score high in the ranked list, whilst the internal and learning and growth perspective goals receive lower scores overall. As an example, the customeroriented business goals ‘improve customer orientation and service’ and ‘establish service continuity and availability’ and the financial-oriented business goals ‘comply with external laws and regulations’ and ‘manage IT-related business risks’ make up the top four in the generic list and are also systematically ranked high to very high in the individual lists by sector, geography and company size. This trend is confirmed in the IT goals list. The IT goals for the related IT BSC perspective’s corporate and user are higher in the list than those for the learning and growth perspective. For example, the corporate contribution-related goals ‘align the IT strategy to the business strategy’ and ‘provide IT compliance with laws and regulations’ and the user-oriented goals ‘make sure that IT services are reliable and secure’ and ‘provide service offerings and service levels in line with business requirements’ are systematically ranked high for the different sectors, geographies and company sizes. It is remarkable that the future-oriented business goal for acquiring and maintaining the necessary skills only just makes it in the top 10 list of business goals (number 8), and that its IT counterpart goal, ‘acquire, develop and maintain IT skills that respond to the IT strategy’, falls out of the top 10 most important IT goals.
Figure 2—Validated Lists of Business Goals and IT Goals Business Goals Financial (Corporate) Perspective • Manage (IT-related) business risks. • Provide a good return on investment of (IT-enabled) business investments. • Improve financial transparency. • Comply with external laws and regulations.
IT Goals Corporate Contribution • Offer transparency and understanding of IT cost, benefits and risks. • Provide IT compliance with laws and regulations. • Account for and protect all IT assets. • Drive commitment and support of executive management. • Improve IT’s cost-efficiency. • Align the IT strategy to the business strategy. Customer Perspective User Orientation • Improve customer orientation and service. • Make sure that IT services are reliable and secure. • Establish service continuity and availability. • Provide service offerings and service levels in line with business • Offer competitive products and services. requirements. • Achieve cost optimisation of service delivery. • Translate business functional and control requirements in effective and • Create agility in responding to changing business requirements. efficient automated solutions. • Obtain reliable and useful information for strategic decision • Accomplish proper use of applications, information and technology making. solutions. Internal Perspective Operational Excellence • Improve and maintain business process functionality. • Maintain the security (confidentiality, integrity and availability) of • Improve and maintain operational and staff productivity. information and processing infrastructure. • Enable and manage business change. • Deliver projects on time and on budget, meeting quality standards. • Comply with internal policies. • Optimise the IT infrastructure, resources and capabilities. • Optimise business process costs. • Provide IT agility (in responding to changing business needs). • Seamlessly integrate applications and technology solutions into business processes. Learning and Growth Perspective Future Orientation • Acquire, develop and maintain skilled and motivated people. • Acquire, develop and maintain IT skills that respond to the IT strategy. • Identify, enable and manage product and business innovation. • Acquire knowledge and expertise in emerging technologies for business innovation and optimisation. • Ensure that IT demonstrates continuous improvement and readiness for future change. 2
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Figure 3—Top 10 List of Business Goals and IT Goals
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Top 10 Prioritised Business Goals Improve customer orientation and service. Comply with external laws and regulations. Establish service continuity and availability. Manage (IT-related) business risks. Offer competitive products and services. Improve and maintain business process functionality. Provide a good return on investment of (IT-enabled) business investments. Acquire, develop and maintain skilled and motivated people. Create agility in responding to changing business requirements. Obtain reliable and useful information for strategic decision making.
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
The Role of Sector-specific Characteristics Although a relatively high degree of general consensus was found regarding the top 10 business and IT goals, a number of sector-specific characteristics were identified. In the IT professional services sector, its high dependency on IT skills is confirmed with a higher ranking for the goal ‘acquire, develop and maintain IT skills that respond to the IT strategy’. Another important asset (differentiator) for companies operating in this sector is (knowledge of) advanced technology, which explains the higher importance of ‘identify, enable and manage product and business innovation’. On the other hand, the business goals ‘establish service continuity and availability’ and ‘improve and maintain business process functionality’ score lower compared to most other sectors. This may be explained due to a lower focus (and lower budgets) on their own internal processes whilst most efforts go to customer services. Typical for the government/utilities/healthcare sector is that internal policies are to be strictly followed, which is confirmed by the highly ranked goals ‘improve financial transparency’ (number 6) and ‘comply with internal policies’ (number 9), respectively nine and seven places higher than for the other sectors. This is even reinforced in the utilities sector, which may be a consequence of the specific market situation (monopoly/oligopoly) requiring a controlled environment. Further, because of this sector’s nonprofit orientation, cost-optimisation-related goals, such as ‘provide a good return on investment of (IT-enabled) business investments’ and ‘achieve cost optimisation of service delivery’ score lower in the importance list. This specificity of the sector can also explain the low ranking of ‘offer competitive products and services’, which is ranked 10 places lower compared to the other sectors. Another characteristic of governmental institutions is that they are trying to increase their focus on providing adequate customer (citizen) service, which is confirmed by the high priority for the customer-oriented goals ‘improve customer orientation and goals’ and ‘establish service continuity and availability’. The retail and transportation sector is characterised by low profit margins, which explains the higher ranking for goals such as ‘optimise business process costs’. Customer loyalty is also seen as one of the challenges in this sector, and initiatives are undertaken to deal with this. This is translated into the top four of most important business goals, which are all customeroriented. This is also the only sector where the business goal for compliance with external laws and regulations is not in the top three, indicating that compliance is not yet a top priority in the retail and transportation sector.
Top 10 Prioritised IT Goals Align the IT strategy to the business strategy. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure. Make sure that IT services are reliable and secure. Provide service offerings and service levels in line with business requirements. Provide IT compliance with laws and regulations. Translate business functional and control requirements in effective and efficient automated solutions. Deliver projects on time and on budget, meeting quality standards. Drive commitment and support of executive management. Improve IT’s cost-efficiency. Account for and protect all IT assets.
The Role of Size and Geography When comparing the differences amongst geographic locations or company size, fewer variations were identified. This may indicate that sector-related characteristics have a higher impact on setting priorities. Still, some minor but interesting differences were identified. For example, larger organisations tend to pay more attention to business goals such as ‘comply with external laws and regulations’ and ‘manage (IT-related) business risks’ than smaller organisations do. In Europe, the Middle East and Africa, the IT goal ‘acquire, develop and maintain IT skills that respond to the IT strategy’ appears to be less important compared to other regions in the world. Generic IT Goals Another finding is that, in general, the level of agreement amongst the experts for the list of prioritised business goals is lower than the level of agreement for prioritised IT goals. An explanation may be found in the fact that business goals may differ more depending upon some external or internal factors, such as sector-specific characteristics, company size, geography and others, whilst IT goals’ prioritisation may follow a more generic pattern and is less influenced by these aspects. Different Levels of Linking Relations This research also contains detailed findings on how the IT goals can support business goals. Figure 4 shows how IT goals are related to business goals. From this matrix, it becomes (visually) clear that some goals are defined on a higher level compared to others. For example the IT goal ‘align the IT strategy to the business strategy’ supports all business goals in a primary (P) or secondary (S) manner, indicating that its scope is broadly defined and covers multiple areas of IT responsibilities. On the other hand, business goal number 15, ‘improve financial transparency’, and IT goal number 13, ‘offer transparency and understanding of IT cost, benefits and risks’, show only a primary relationship to each other, confirming their similar and narrowly defined scope.
Practical Application of the Results Preliminary results of this research have already been taken into consideration for the continuous Control Objectives for Information and related Technology (COBIT) developments, and they contain valuable new opportunities for further updates and follow-up research. The results of this research provide practical guidance for professionals in the attempt to build a cascade of business goals and IT goals for their specific
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
3
14. Improve and maintain operational and staff productivity.
P
P
P
3. Make sure that IT services are reliable and secure.
P
P
P
P
S
S
S
S
S
S
4. Provide service offerings and service levels in line with business requirements.
P
P
S
P
P
S
S
S
S
5. Provide IT compliancy with laws and regulations.
S
P
S
P S
S
S
S
S
P
S
S
7. Deliver projects on time and on budget meeting quality standards.
S
S
S
S
S
S
8. Drive commitment and support of executive management.
S
S
S
S
S
S
S
S
12. Provide IT agility (in responding to changing business needs).
S
S
13. Offer transparency and understanding of IT cost, benefits and risks. S
15. Accomplish proper use of applications, information and technology solutions.
S
16. Seamlessly integrate applications and technology solutions into business processes.
S
S
S
S
S
S
S
S
S
P
P
S
S
S
S
S
S
S
S
S
S
S
S S S
P P
S
S
P S
S
P
S
S P S
S
S
S
S
S
S
S
S
S
P
S
S
S
S
S
S
S
17. Ensure that IT demonstrates continuous improvement and readiness for future change.
S
S
S
P
18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation.
S
S
P
S
S S
S
P
S
S
S
S S
S
S S
S P
S
P
P
S
organisations. Enterprises can do that efficiently by starting from these generic business and IT goals, selecting what applies to them and updating it for enterprise-specific situations. This will be a good starting point toward implementing IT governance.
S
S
S
S
14. Optimise the IT infrastructure, resources and capabilities.
S
S
P
S
11. Acquire, develop and maintain IT skills that respond to the IT strategy.
S
S
6. Translate business functional and control requirements in effective and efficient automated solutions.
10. Account for and protect all IT assets.
S
S
S
S
17. Identify, enable and manage product and business innovation.
13. Enable and manage business change.
P
P
15. Improve financial transparency.
12.Optimise business process costs.
S
P
Business Goals
S
P
16. Provide compliancy with internal policies.
10. Obtain reliable and useful information for strategic decision making.
9. Create agility in responding to changing business requirements.
11. Achieve cost optimisation of service delivery.
7. Provide a good return on investment of (IT-enabled) business investments.
S
6. Improve and maintain business process functionality.
P
5. Offer competitive products and services.
S
4. Manage (IT-related) business risks.
S
2. Provide compliancy with external laws and regulations.
P
3. Establish service continuity and availability.
P
1. Improve customer orientation and service.
S
P
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure.
9. Improve IT’s cost-efficiency.
S
S S P
S
P
impact, the associated goals are called ‘Corporate Contribution’ and ‘User Perspective’.
Acknowledgements This research project was commissioned by ITGI and was performed by the Information Technology Alignment and Governance (ITAG) Research Institute of the University of Antwerp Management School (UAMS) in Belgium. ITGI also provided the necessary contact information from the ISACA member database for building the expert team. The authors and researchers are grateful for the valuable support of the COBIT Steering Committee and would like to thank Erik Guldentops who initiated this research and provided many ideas on IT governance. Thanks also go the expert team members for taking the time during several rounds to provide valuable answers and feedback on the questionnaires.
Endnote Van Grembergen W.; S. De Haes; J. Moons; ‘IT Governance: Linking Business Goals to IT Goals and COBIT Processes’, Information Systems Control Journal, vol. 4, 2005 2 Because IT may not have a direct financial and customer 4
S
1. Align the IT strategy to the business strategy.
IT Goals
1
8. Acquire, develop and maintain skilled and motivated people.
Figure 4—Linking IT Goals to Business Goals
Wim Van Grembergen is a professor in the information systems management department of the University of Antwerp and an executive professor at the University of Antwerp Management School. He is also academic director of the ITAG Research Institute. Van Grembergen has been involved in research and development activities for several COBIT products. Steven De Haes is responsible for the information systems management executive programmes at the University of Antwerp Management School. He is managing director of the ITAG Research Institute and is currently finalising a Ph.D. in IT governance. De Haes has also been involved in research and development activities for several COBIT products. Hilde Van Brempt is senior researcher for the ITAG Research Institute. She has many years of experience in large organisations and is now involved in organising and executing international research programmes. She is currently starting a Ph.D. research project on IT governance and IT skills.
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
5
How Does the Business Drive IT? Identifying, Prioritising and Linking Business and IT Goals By Wim Van Grembergen, Steven De Haes and Hilde Van Brempt n today’s complex and constantly changing business world, the governance of information technology (IT) and the alignment of IT to the business are high on the agenda of executive management. Strategic planning based on the alignment of IT goals to business goals is a key component in business/IT alignment. It is important that an organisation start with a clear view on its corporate mission and a thorough definition of its supporting strategy and business goals. Then, these need to be translated into goals for the IT department, which are the basis for the IT strategy. Finally, the supporting IT processes must be carefully planned to translate the IT strategy into action. For these planning efforts, companies may be looking for guidance to identify the set of important business goals and IT goals and determine how they interrelate. The IT Governance Institute (ITGI)’s research on this subject was illustrated by a previous article1 in the Information Systems Control Journal and led to the publication of a set of generally applicable business goals for IT and associated IT goals in COBIT 4.0. Extensive follow-up research was performed to gain more insight into this set of business and IT goals and their linkage. This article presents the results of the follow-up research project in which experts in different sectors were asked to validate, prioritise and link a set of business goals and IT goals. This research resulted in a significant improvement of the business goals for IT and associated IT goals in COBIT 4.1.
I
Research Background This research project was based on the findings of a pilot study that resulted in a list of 20 generic business goals and 28 generic IT goals, published in COBIT 4.0. The objective of this research was to: • Validate these lists for completeness, consistency and clarity • Gain more insight into goals’ priorities for different sectors • Examine the relationship between IT goals and business goals In practice, every enterprise has its own distinct sets of business and IT goals. Priorities within these sets differ depending on a variety of internal and external factors, such as company size, market position, degree of IT dependency, industry and geography. This project chose an industry approach and started with a pilot study in the financial sector that was then replicated in the following four sectors: • Manufacturing and pharmaceuticals • IT professional services, telecommunications and media • Government, utilities (energy, oil and gas) and healthcare • Retail and transportation
For the prioritisation and linking of the goals, a Delphi method was used. This method is based on a structured process for collecting and distilling knowledge from a group of experts by means of several feedback rounds. A team of experts was asked to prioritise a list of business and IT goals by using a ranking technique, and the averaged results were returned to them. Different rounds were performed to achieve consensus amongst the experts on which were the important goals and how the business goals linked to the IT goals. The ISACA database was used as a major source for identifying subject experts. In total, the participants were 158 business and IT professionals (managers and auditors) from companies in one of the sectors previously mentioned and with more than 150 employees. One of the assumptions was that these experts have sufficient knowledge on both IT and business goals. Figure 1 presents the expert team’s composition by sector and geographic area.
Figure 1—Expert Team Composition Expert Team per Sector
Retail Transportation: 16 Financial: 38
Government, Utilities, Healthcare: 39
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Manufacturing, Pharmaceutical: 25
IT Professional Service, Telco, Media: 40
Expert Team per Geography Australia: 7 Asia: 28 North America: 51 Africa: 14
Middle East: 18
Latin America: 3 Europe: 37
1
speaking, the most important business goals and IT goals. Filtering the results per company size and geography confirmed the stability of these top 10 lists of goals.
Findings The following findings resulted from the study. Identification of Business and IT Goals The outcome of the exercise was an in-depth understanding of business goals and IT goals, and how they interrelate. During the research, the original list of IT goals and business goals (published in COBIT 4.0) was reviewed multiple times and evolved to a generic list of 17 (IT-related) business goals and 18 IT goals. Overlaps, inconsistencies and ambiguities amongst the different goals were reduced to a minimum. The goals turned out to be generically defined and applicable across all sectors. Figure 2 presents the final list of business and IT goals, categorised by their corresponding balanced scorecard (BSC) perspectives. The generically defined goals provide a guideline to help companies identify their set of important business and IT goals. In practice, enterprises will need to develop their own subset, but they can do this efficiently by: • Starting from these generic business and IT goals • Updating them for enterprise specifics (strategy, infrastructure, etc.) • Adding measures to track goal achievement Top 10 Business and IT Goals Both lists of business and IT goals have been prioritised over five different sectors. Figure 3 presents the top 10 most important business and IT goals, consolidated over all sectors. Apart from some minor exceptions, the separate lists of the different sectors include the same business goals and IT goals in their individual top 10 lists. This proves that there is a very high degree of consensus that these 10 goals are, generically
Financial and Customer-oriented Goals2 Although priorities may differ from sector to sector, in general, business goals categorised in the customer and financial perspective of the BSC score high in the ranked list, whilst the internal and learning and growth perspective goals receive lower scores overall. As an example, the customeroriented business goals ‘improve customer orientation and service’ and ‘establish service continuity and availability’ and the financial-oriented business goals ‘comply with external laws and regulations’ and ‘manage IT-related business risks’ make up the top four in the generic list and are also systematically ranked high to very high in the individual lists by sector, geography and company size. This trend is confirmed in the IT goals list. The IT goals for the related IT BSC perspective’s corporate and user are higher in the list than those for the learning and growth perspective. For example, the corporate contribution-related goals ‘align the IT strategy to the business strategy’ and ‘provide IT compliance with laws and regulations’ and the user-oriented goals ‘make sure that IT services are reliable and secure’ and ‘provide service offerings and service levels in line with business requirements’ are systematically ranked high for the different sectors, geographies and company sizes. It is remarkable that the future-oriented business goal for acquiring and maintaining the necessary skills only just makes it in the top 10 list of business goals (number 8), and that its IT counterpart goal, ‘acquire, develop and maintain IT skills that respond to the IT strategy’, falls out of the top 10 most important IT goals.
Figure 2—Validated Lists of Business Goals and IT Goals Business Goals Financial (Corporate) Perspective • Manage (IT-related) business risks. • Provide a good return on investment of (IT-enabled) business investments. • Improve financial transparency. • Comply with external laws and regulations.
IT Goals Corporate Contribution • Offer transparency and understanding of IT cost, benefits and risks. • Provide IT compliance with laws and regulations. • Account for and protect all IT assets. • Drive commitment and support of executive management. • Improve IT’s cost-efficiency. • Align the IT strategy to the business strategy. Customer Perspective User Orientation • Improve customer orientation and service. • Make sure that IT services are reliable and secure. • Establish service continuity and availability. • Provide service offerings and service levels in line with business • Offer competitive products and services. requirements. • Achieve cost optimisation of service delivery. • Translate business functional and control requirements in effective and • Create agility in responding to changing business requirements. efficient automated solutions. • Obtain reliable and useful information for strategic decision • Accomplish proper use of applications, information and technology making. solutions. Internal Perspective Operational Excellence • Improve and maintain business process functionality. • Maintain the security (confidentiality, integrity and availability) of • Improve and maintain operational and staff productivity. information and processing infrastructure. • Enable and manage business change. • Deliver projects on time and on budget, meeting quality standards. • Comply with internal policies. • Optimise the IT infrastructure, resources and capabilities. • Optimise business process costs. • Provide IT agility (in responding to changing business needs). • Seamlessly integrate applications and technology solutions into business processes. Learning and Growth Perspective Future Orientation • Acquire, develop and maintain skilled and motivated people. • Acquire, develop and maintain IT skills that respond to the IT strategy. • Identify, enable and manage product and business innovation. • Acquire knowledge and expertise in emerging technologies for business innovation and optimisation. • Ensure that IT demonstrates continuous improvement and readiness for future change. 2
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Figure 3—Top 10 List of Business Goals and IT Goals
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Top 10 Prioritised Business Goals Improve customer orientation and service. Comply with external laws and regulations. Establish service continuity and availability. Manage (IT-related) business risks. Offer competitive products and services. Improve and maintain business process functionality. Provide a good return on investment of (IT-enabled) business investments. Acquire, develop and maintain skilled and motivated people. Create agility in responding to changing business requirements. Obtain reliable and useful information for strategic decision making.
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
The Role of Sector-specific Characteristics Although a relatively high degree of general consensus was found regarding the top 10 business and IT goals, a number of sector-specific characteristics were identified. In the IT professional services sector, its high dependency on IT skills is confirmed with a higher ranking for the goal ‘acquire, develop and maintain IT skills that respond to the IT strategy’. Another important asset (differentiator) for companies operating in this sector is (knowledge of) advanced technology, which explains the higher importance of ‘identify, enable and manage product and business innovation’. On the other hand, the business goals ‘establish service continuity and availability’ and ‘improve and maintain business process functionality’ score lower compared to most other sectors. This may be explained due to a lower focus (and lower budgets) on their own internal processes whilst most efforts go to customer services. Typical for the government/utilities/healthcare sector is that internal policies are to be strictly followed, which is confirmed by the highly ranked goals ‘improve financial transparency’ (number 6) and ‘comply with internal policies’ (number 9), respectively nine and seven places higher than for the other sectors. This is even reinforced in the utilities sector, which may be a consequence of the specific market situation (monopoly/oligopoly) requiring a controlled environment. Further, because of this sector’s nonprofit orientation, cost-optimisation-related goals, such as ‘provide a good return on investment of (IT-enabled) business investments’ and ‘achieve cost optimisation of service delivery’ score lower in the importance list. This specificity of the sector can also explain the low ranking of ‘offer competitive products and services’, which is ranked 10 places lower compared to the other sectors. Another characteristic of governmental institutions is that they are trying to increase their focus on providing adequate customer (citizen) service, which is confirmed by the high priority for the customer-oriented goals ‘improve customer orientation and goals’ and ‘establish service continuity and availability’. The retail and transportation sector is characterised by low profit margins, which explains the higher ranking for goals such as ‘optimise business process costs’. Customer loyalty is also seen as one of the challenges in this sector, and initiatives are undertaken to deal with this. This is translated into the top four of most important business goals, which are all customeroriented. This is also the only sector where the business goal for compliance with external laws and regulations is not in the top three, indicating that compliance is not yet a top priority in the retail and transportation sector.
Top 10 Prioritised IT Goals Align the IT strategy to the business strategy. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure. Make sure that IT services are reliable and secure. Provide service offerings and service levels in line with business requirements. Provide IT compliance with laws and regulations. Translate business functional and control requirements in effective and efficient automated solutions. Deliver projects on time and on budget, meeting quality standards. Drive commitment and support of executive management. Improve IT’s cost-efficiency. Account for and protect all IT assets.
The Role of Size and Geography When comparing the differences amongst geographic locations or company size, fewer variations were identified. This may indicate that sector-related characteristics have a higher impact on setting priorities. Still, some minor but interesting differences were identified. For example, larger organisations tend to pay more attention to business goals such as ‘comply with external laws and regulations’ and ‘manage (IT-related) business risks’ than smaller organisations do. In Europe, the Middle East and Africa, the IT goal ‘acquire, develop and maintain IT skills that respond to the IT strategy’ appears to be less important compared to other regions in the world. Generic IT Goals Another finding is that, in general, the level of agreement amongst the experts for the list of prioritised business goals is lower than the level of agreement for prioritised IT goals. An explanation may be found in the fact that business goals may differ more depending upon some external or internal factors, such as sector-specific characteristics, company size, geography and others, whilst IT goals’ prioritisation may follow a more generic pattern and is less influenced by these aspects. Different Levels of Linking Relations This research also contains detailed findings on how the IT goals can support business goals. Figure 4 shows how IT goals are related to business goals. From this matrix, it becomes (visually) clear that some goals are defined on a higher level compared to others. For example the IT goal ‘align the IT strategy to the business strategy’ supports all business goals in a primary (P) or secondary (S) manner, indicating that its scope is broadly defined and covers multiple areas of IT responsibilities. On the other hand, business goal number 15, ‘improve financial transparency’, and IT goal number 13, ‘offer transparency and understanding of IT cost, benefits and risks’, show only a primary relationship to each other, confirming their similar and narrowly defined scope.
Practical Application of the Results Preliminary results of this research have already been taken into consideration for the continuous Control Objectives for Information and related Technology (COBIT) developments, and they contain valuable new opportunities for further updates and follow-up research. The results of this research provide practical guidance for professionals in the attempt to build a cascade of business goals and IT goals for their specific
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
3
14. Improve and maintain operational and staff productivity.
P
P
P
3. Make sure that IT services are reliable and secure.
P
P
P
P
S
S
S
S
S
S
4. Provide service offerings and service levels in line with business requirements.
P
P
S
P
P
S
S
S
S
5. Provide IT compliancy with laws and regulations.
S
P
S
P S
S
S
S
S
P
S
S
7. Deliver projects on time and on budget meeting quality standards.
S
S
S
S
S
S
8. Drive commitment and support of executive management.
S
S
S
S
S
S
S
S
12. Provide IT agility (in responding to changing business needs).
S
S
13. Offer transparency and understanding of IT cost, benefits and risks. S
15. Accomplish proper use of applications, information and technology solutions.
S
16. Seamlessly integrate applications and technology solutions into business processes.
S
S
S
S
S
S
S
S
S
P
P
S
S
S
S
S
S
S
S
S
S
S
S S S
P P
S
S
P S
S
P
S
S P S
S
S
S
S
S
S
S
S
S
P
S
S
S
S
S
S
S
17. Ensure that IT demonstrates continuous improvement and readiness for future change.
S
S
S
P
18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation.
S
S
P
S
S S
S
P
S
S
S
S S
S
S S
S P
S
P
P
S
organisations. Enterprises can do that efficiently by starting from these generic business and IT goals, selecting what applies to them and updating it for enterprise-specific situations. This will be a good starting point toward implementing IT governance.
S
S
S
S
14. Optimise the IT infrastructure, resources and capabilities.
S
S
P
S
11. Acquire, develop and maintain IT skills that respond to the IT strategy.
S
S
6. Translate business functional and control requirements in effective and efficient automated solutions.
10. Account for and protect all IT assets.
S
S
S
S
17. Identify, enable and manage product and business innovation.
13. Enable and manage business change.
P
P
15. Improve financial transparency.
12.Optimise business process costs.
S
P
Business Goals
S
P
16. Provide compliancy with internal policies.
10. Obtain reliable and useful information for strategic decision making.
9. Create agility in responding to changing business requirements.
11. Achieve cost optimisation of service delivery.
7. Provide a good return on investment of (IT-enabled) business investments.
S
6. Improve and maintain business process functionality.
P
5. Offer competitive products and services.
S
4. Manage (IT-related) business risks.
S
2. Provide compliancy with external laws and regulations.
P
3. Establish service continuity and availability.
P
1. Improve customer orientation and service.
S
P
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure.
9. Improve IT’s cost-efficiency.
S
S S P
S
P
impact, the associated goals are called ‘Corporate Contribution’ and ‘User Perspective’.
Acknowledgements This research project was commissioned by ITGI and was performed by the Information Technology Alignment and Governance (ITAG) Research Institute of the University of Antwerp Management School (UAMS) in Belgium. ITGI also provided the necessary contact information from the ISACA member database for building the expert team. The authors and researchers are grateful for the valuable support of the COBIT Steering Committee and would like to thank Erik Guldentops who initiated this research and provided many ideas on IT governance. Thanks also go the expert team members for taking the time during several rounds to provide valuable answers and feedback on the questionnaires.
Endnote Van Grembergen W.; S. De Haes; J. Moons; ‘IT Governance: Linking Business Goals to IT Goals and COBIT Processes’, Information Systems Control Journal, vol. 4, 2005 2 Because IT may not have a direct financial and customer 4
S
1. Align the IT strategy to the business strategy.
IT Goals
1
8. Acquire, develop and maintain skilled and motivated people.
Figure 4—Linking IT Goals to Business Goals
Wim Van Grembergen is a professor in the information systems management department of the University of Antwerp and an executive professor at the University of Antwerp Management School. He is also academic director of the ITAG Research Institute. Van Grembergen has been involved in research and development activities for several COBIT products. Steven De Haes is responsible for the information systems management executive programmes at the University of Antwerp Management School. He is managing director of the ITAG Research Institute and is currently finalising a Ph.D. in IT governance. De Haes has also been involved in research and development activities for several COBIT products. Hilde Van Brempt is senior researcher for the ITAG Research Institute. She has many years of experience in large organisations and is now involved in organising and executing international research programmes. She is currently starting a Ph.D. research project on IT governance and IT skills.
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
5
Related Documents
How Business Drives It
June 2020 3
Business It
June 2020 6
Drives
November 2019 20
Ncs-it Business Intelligence
July 2020 7
It In Business
November 2019 14