Discussion of “IT Governance Drivers of

Process Maturity,” by Roger Debreceny and Glen Gray

2011 UWCISA SymposiumToronto, Canada

Uday MurthyUniversity of South Florida

2

Agenda

Research questions Theoretical foundation Field study methodology IT governance drivers Process maturity measurement Analysis & results Contributions Unanswered questions….future directions

3

Research Questions Are there attributes of IT governance that

govern the level of process maturity? If so, which attributes are more or less significant?

Are there domains or processes that are more influential?

Are there other control variables such as size or industry that explain the relationship between IT governance and process maturity?

Is process maturity evenly distributed across domain?

4

Theoretical Foundation Resource Based View, Dynamic Capability

Theory, Contingency Theory “…provide guidance on the relationship

between governance, strategy and resource acquisition…”

Unclear how these theories inform the relationship between IT governance and process maturity

No propositions offered (as promised in intro)

5

Field Study Nice cross-section of location and industry

in sample of 51 organizations Developed countries more heavily

represented than developing countries Europe, Canada, US, Singapore: 76% Mexico, Philipines: 24%

Mainly large firms (avg. of 172 IT personnel, 194 servers)

6

IT Governance Drivers Very comprehensive approach to data

collection Decision rights and organization Governance framework (39!) Business/IT alignment (24 questions) Environmental volatility Size and complexity

7

Process Maturity -- What

Generic maturity model (Fig. 13 in COBIT 4.1)

vs.

Maturity attribute table (Fig. 15 in COBIT 4.1)

8

9

A w areness and Com m unication

Policies, Plans and Procedures

Tools and Autom ation

Skills and Expertise

Responsibility and Accountability

G oal Setting and M easurem ent

Fig

ure 1

5—M

atu

rity Attrib

ute

Tab

le 1 Recognition of the need for

the process is emerging.

There is sporadic com m unication of the issues.

There are ad hoc approaches to processes and practices.

The process and policies are undefined.

Som e tools m ay exist; usage is based on standard desktop tools. There is no planned approach to the tool usage.

Skills required for the process are not identified. A train ing p lan does not exist and no form al training occurs.

There is no definition of accountability and responsib ility. P eople take ownership of issues based on the ir ow n in itia tive on a reactive basis.

G oals are not clear and no m easurem ent takes p lace.

2 There is aw areness of the need to act.

M anagem ent com m unicates the overall issues.

S im ila r and common processe s em erge, but are large ly in tu itive because of indiv idual expertise.

Som e aspects of the process are repeatable because of individua l expertise , and som e docum entation and informal understanding of policy and procedures m ay exist.

C om m on approache s to use of tools exist but are based on solutions developed by key individuals. Vendor tools m ay have been acquired, but are probably not applied correctly, and m ay even be shelfware.

M inim um skill requirem ents are identified for critical areas. Training is provided in response to needs, rather than on the basis of an agreed p lan, and informal training on the job occurs.

A n ind ividua l assumes his/her responsibility and is usually he ld accountable, even if this is not formally agreed. There is confusion about responsibility when prob lem s occur, and a culture of b lam e tends to exist.

S om e goa l se tting occurs; som e financia l m easure s are estab lished but are know n only by sen ior m anagem ent. There is inconsistent m onitoring in iso la ted areas.

3 There is understanding of the need to act.

M anagem ent is m ore formal and structured in its communication.

U sage of good practices emerges.

The process, po licies and procedures are defined and docum en ted for all key activities.

A p lan has been defined for use and standard isation of tools to autom ate the process. Tools are being used for their basic purposes, but m ay not a ll be in accordance w ith the agreed p lan, and m ay not be integrated with one another.

Skill requ irem ents are defined and docum ented for a ll areas. A form al tra in ing p lan has been deve loped, but formal tra in ing is still based on individual initiatives.

P rocess responsibility and accountab ility are defined and process ow ners have been identified . The process owner is unlikely to have the full authority to exercise the responsibilities.

Som e effectiveness goals and m easures are set, but are not com m unicated , and there is a clear link to business goals. M easurem ent processes em erge, but are not consistently applied . IT ba lanced scorecard ideas are being adopted, as is occasional in tuitive application of root cause analysis.

4 There is understanding of the full requirem ents.

M ature communication techniques are applied and standard communication tools are in use.

The process is sound and com plete; in ternal best practices are applied.

All aspects of the process are docum ented and repeatab le . Po licies have been approved and signed off on by m anagem ent. Standards for developing and m ainta in in g the processes and procedures are adop ted and followed.

Tools are im plem ented according to a standard ised p lan , and som e have been integrated w ith other re la ted tools. Tools are being used in m ain areas to autom a te m anagem ent of the process and monitor critical activ ities and controls.

Skill requirem ents are routinely updated for a ll areas, proficiency is ensured for a ll critica l areas, and certification is encouraged. M ature training techniques are applie d accord ing to the training p lan, and know ledge sharing is encouraged. A ll in terna l dom ain experts are invo lved , and the effectiveness of the training plan is assessed.

P rocess responsibility and accountab ility are accepted and w orking in a w ay that enables a process owner to fully d ischarge his/her responsib ilities. A rew ard culture is in place that m otivates positive action.

E fficiency and e ffectiveness are m easured and com m unicated and linked to business goals and the IT s trateg ic p lan. The IT ba lanced scorecard is implemented in som e areas w ith exceptions noted by m anagem ent and root cause analysis is being standard ised . Continuous im provem ent is emerging.

5 There is advanced, forward-looking understanding of requirements.

Proactive com m unica tion of issues based on trends exists, m ature communication techniques are applied , and in tegra ted communication tools are in use.

Externa l best practice s and standards are applied.

Process docum en tation is evolved to automated w orkflows. Processes, po licies and procedures are standard ised and integrated to enable end-to-end m anagem ent and improvement.

Standardised tool sets are used across the enterprise. Tools are fu lly integrated w ith other related tools to enable end-to-end support of the processes. Tools are being used to support im provem ent of the process and automatically detect control exceptions.

The organisation formally encourages continuous im provem ent of sk ills , based on clearly defined personal and organ isationa l goals. Tra ining and education support externa l best practices and use of leading-edge concepts and techniques. Know ledge sharing is an enterprise cu lture , and knowledge-based system s are be ing deployed. External experts and industry leaders are used for guidance.

Process ow ners are em pow ered to make decisions and take action. The acceptance of responsib ility has been cascaded dow n throughout the organ isa tion in a consistent fashion.

There is an integrated perform ance measurement system linking IT perform ance to business goa ls by global application of the IT balanced scorecard . E xception s are globa lly and consistently noted by m anagem ent and root cause analysis is applied. Continuous im provem ent is a w ay of life.

10

Process Maturity -- How “As is” rating for each of 6 maturity

attributes for each of 41 processes for 51 organizations

Max of 12,546 observations (6 x 41 x 51)

Each maturity attribute rated on 1 to 5 scale, with 5 being highest maturity level

11

Process Maturity – Data Issues Ratings averaged (a) across maturity

attributes and (b) across respondents Some processes had more than one

manager provide rating Some managers provided ratings for

multiple processes “For a small number of organizations, we

collected only overall process maturity level data; not attribute-level data.”

12

Analysis & Results Process maturity levels by domain “…average level of process maturity is very

low…” “More prosaic processes” have relatively high

levels of maturity: 1. Security—Virus 2. Manage Physical Environment 3. IT investment—budgeting 4. Security – network & firewall 5. Manage data

What can get me fired?

13

Regressions give appearance of rigor, but… Missing data

Table 8 regression (overall) is based on 2095 observations (16.7% of 12,546)

Table 9 regression (by attribute) is based on 1896 observations (15.1% of 12,546)

None of the three theories are relied on for logic underlying the regressions

Lack of independence of observations Possible multi-collinearity issues

Concerns Regarding Analysis…1

14

Concerns Regarding Analysis…2 Factor analysis of “Business/IT alignment”

41 data points (no. of organizations, N) and 16 questions (variables, p) and

N / p ratio is less than 3:1 Bare minimum is 3:1, with 5:1 or 6:1

recommended (Cattell 1978; Gorsuch 1983) Business/IT alignment becomes two factors:

“Strategy” and “Vision” Only “Strategy” is significant in regressions

15

Suggestion: Data Reporting

16

Suggestion: Analysis Measures of IT governance

Decision rights and organization, governance frameworks, business/IT alignment, outsourcing, environmental volatility, size and complexity

Use these six measures to categorize organizations as being high, medium, or low in IT governance

Then look for relationships between IT governance category (high, medium, low) and IT process maturity – overall and by domain

17

First look at process maturity of COBIT processes and IT governance drivers thereof

International focus, allowing comparison across firms in more and less developed countries

Association between process maturity and business/IT alignment is intuitively appealing and validates a priori expectation

Contributions

18

Does business/IT alignment lead to process maturity or does process maturity lead to business/IT alignment?

Why is process maturity lower for firms in less developed countries?

What are the consequences of higher/lower process maturity? (On firm performance, internal control effectiveness, etc.)

Unanswered Questions / Future Directions