A FRAMEWORK FOR ANALYSING IT

GOVERNANCE APPROACHES

Bruno Claudepierre

and Selmin Nurcan

1,2

Centre de Recherche en Informatique, Université Paris I – Panthéon Sorbonne

90 rue de Tolbiac, 75 634 Paris cedex 13, France

Institut d’Administration des Entreprises de Paris, Université Paris I – Panthéon Sorbonne

21 rue Broca, 75 005 Paris, France

Keywords: IT governance, IT requirements, IS development processes.

Abstract: Information systems (IS) have a role of information processing and service providing for business activities.

Moreover, the latter take place in an evolving environment and it becomes more and more crucial to

measure the effectiveness and the efficiency of the IS as a support of the enterprise activities and strategies.

The purpose of the corporate governance and the information technology governance (ITG) is to ensure that

enterprise strategy is properly implemented. The ITG can thus facilitate the anticipation of the required

evolutions of the IS. In this paper, we propose a framework for analysing and positioning ITG approaches

often referenced in the literature.

1 INTRODUCTION

The corporate governance is a mechanism which

controls that the company strategy is well applied to

the ground. By distributing the decisional rights and

by defining objectives of control, it directs also the

decisions of the managers. That results mainly in the

implementation of vertical flows of information (or

decisional flows). This type of governance is

oriented by external actors like shareholders.

ITG must achieve goals resulting from corporate

governance. Support activities are organised into an

iterative process which aims at defining the

objectives of IT activities, making the decisions,

scheduling IT activities, controlling and measuring

the implication of the decisions and the activities on

objectives achievement. A general definition for IT

governance is given in (Van Grembergen, 2002):

“IT Governance is the organisational capacity

exercised by the Board, Executive Management and

IT management to control the formulation and

implementation of IT strategy and in this way ensure

the fusion of business and IT”.

In this paper we propose a framework for

analysing some well known ITG approaches. This

paper is organised as follow. Section 2 presents

some approaches related to IT governance. In

section 3, we propose a framework for analysing and

comparing the presented approaches.

2 RELATED WORKS

This section briefly presents some approaches and tools

which aim to support ITG. We identified five IT

related domains impacted by these approaches: (i) IT

management, (ii) process improvement, (iii) controlling

and measuring IT services, (iv) change and flexibility,

and (v) maturity of development processes.

2.1 IT Management

From manager’s point of view, the governance is

about decision making support. Balanced Scorecard

(BSC) (Kaplan and Norton, 1996) is a methodology

helping managers to formalise their scorecard. It

suggests building a scorecard using four analysing

axes: (i) the financial perspective, (ii) the customer

perspective, (iii) the business process perspective

and (iv) the learning and growth perspective. Each

axe allows to the manager to identify the appropriate

indicators. We can add other axes to structure

specific scorecard for ITG (AFAI and CIGREF,

2006).

The synthesis of governance practices in

companies, provided in (Weill, 2004), allowed us to

identify some decisions that IT managers have to

take. This work identifies taxonomy of governance

and exposes a typology of decisions. In this context,

decision-making is an intellectual activity performed

512

Claudepierre B. and Nurcan S. (2007).

A FRAMEWORK FOR ANALYSING IT GOVERNANCE APPROACHES.

In Proceedings of the Ninth International Conference on Enterprise Information Systems - ISAS, pages 512-516

DOI: 10.5220/0002362105120516

 SciTePress

by a human agent, or a group of human agents. It

consists of identifying a problem in a particular

context generally in order to face a changing

situation and to find a solution by selecting among

several choices.

(Kaplan and Norton, 1996) and (Weill, 2004)

provide a support for IT management activities by

describing the decisional context and by proposing a

method to formalise scoreboards.

2.2 Process Improvement

Process improvement was a main goal for industry

in the 80’ in order to decrease waste or product

defects. Motorola used for the first time Six Sigma

in the 80’ when American companies where under

competition from Japanese industry. Today, Six

Sigma (Biehl, 2004) approach is more and more

applied for IS engineering.

Six Sigma is a statically based technique which

is focalised on satisfying customer needs. It is

process oriented and allows a leadership based on

metrics. Processes are considered as supports to the

customer satisfaction. In order to attain this goal, Six

Sigma proposes five steps: “Define”, “Measure”,

“Analyse”, “Improve” and “Control” (DMAIC). It is

an iterative and continuous process of improvement

which leads engineers to manage quality projects, to

measure and to improve the process performance.

The main effect of process improvement is to

increase the process capability.

2.3 Measuring IT Services

A scope for ITG is to control if the decisions related to

the IT management are linked to a strategic goal of the

enterprise. Moreover, the degree of completeness for IT

strategic objectives must be measured and, the

implications of IT activities on the enterprise strategies

should be analysed. COBIT (Control Objectives for

Business and Related Technology) (AFAI and ITGI,

2002) and ITIL (IT Infrastructure Library) (Violino,

2005) make explicitly the link between enterprise

objectives and IT process performance measures.

ITIL provides a set of best practices on IT

processes. It deals with quality of services and

describes bases for the standardisation of IT processes

in companies. ITIL describes the context of service

providing: what are the support or hardware, the tools

and software used and the documentation linked to

them? The limitation of ITIL is raised on the fact that it

does not provide a framework for the improvement of

the quality of services (Niessink and Van Vliet, 1998).

CoBIT is more focalised on the control of activities

and more dedicated to business managers: it allows

them to define control objectives and indicators in

conformity of a three-dimensional perception including

(i) quality of data, (ii) processes, and (iii) IT resources.

CoBIT can help an organisation to align the use of IT

with its business goals (Ridley et al., 2004) and to

decrease IT risks to an acceptable level. CoBIT

organises processes into four domains: planning and

organisation, acquisition and implementation, delivery

and support, and monitoring.

ITIL and COBIT can be considered as

complementary frameworks. Recent works establish

links between IT frameworks: (Santana Tapia, 2006)

argues for using COBIT maturity model to evaluate the

maturity of processes deployed in the context of ITIL.

2.4 Change and Flexibility

ITG is a set of organised activities to control if

decisions related to IT are properly applied. Effects

of the decisions should be measured in order to

evaluate their applicativeness and appropriativeness

in the implementation of the change. The

“Enterprise Knowledge Development: Change

Management Method” (EKD-CMM) (Barrios and

Nurcan, 2004) provides (i) an intention driven IS

engineering model allowing to describe the company

strategy; (ii) a linkage between business processes

and strategic objectives through out top-down,

bottom-up or mixed approaches. The main

advantage resides, in fact, in the capability of the

method to support an enterprise context of change

and to keep IT support aligned with business

objectives.

(Hammami-Abid and Elidrissi, 2004) identifies

implications of IT governance in the way of aligning

IT with business objectives and argues for context

anticipation by ensuring BP flexibility. Authors

identify four ideas associated with ITG: (i)

knowledge anticipation, (ii) leadership or the

capacity to take IT decisions, (iii) reaction based on

a set of indicators and measurements, and (iv) BPs

as support for value creation.

These two approaches allow enterprises to

handle change. EKD-CMM supports the change

process by using specific models (Nurcan et al.,

1999) and, through documentation, allows

anticipation (Hammami-Abid and Elidrissi, 2004).

2.5 Maturity of Development Processes

Development processes are crucial because their

products are the architectures of the enterprise

information systems. The maturity of the

development process can be measured. In this way, a

set of metrics describing the IT context is a

A FRAMEWORK FOR ANALYSING IT GOVERNANCE APPROACHES

513

prerequisite. Capability Maturity Model Integration

(CMMI) is a model developed by the Software

Engineering Institute (SEI) in order to evaluate the

maturity level of the software development

processes. CMMI is composed of a set of models for

various activities in the company. CMMI for system

engineering and software engineering (SEI, 2001)

proposes a set of development processes organised

by key sectors which are representative for a

business activity. Each key sector has its own

specific goals and generic goals. For each goal, a set

of best practices is provided. CMMI proposes two

models for software engineering processes

evaluation: the continuous evaluation and the stage

evaluation. The first is mainly dedicated to small or

medium organisations which can easily identify their

key sectors and the second is more appropriate for

wild structures like international groups.

CMMI allows analysing four types of processes

decomposed by 24 processes which are evaluated

through levels of maturity depending on the selected

type of evaluation.

3 A FRAMEWORK FOR IT

GOVERNANCE AND ANALYSIS

This section presents the framework we built for

analysing IT engineering/management approaches

on particular pertinent aspects linked with ITG. We

use this framework to compare eight approaches.

3.1 The “Four-worlds” Framework

The four-worlds framework was proposed for

understanding several IT related engineering

disciplines: information systems engineering (Jarke

et al., 1992), requirements engineering (Jarke and

Pohl, 1993), process engineering (Rolland, 1998)

and change engineering (Nurcan and Rolland, 2003).

Let us remind that for each discipline, facets and

attributes of the framework should be contextually

defined. We believe that this framework can also

help in understanding the field of ITG. This

comprehension is a prerequisite for providing IS

engineering methods aiming to anticipate ITG.

3.1.1 General Overview

The framework provides four analysis views called

also worlds. The subject world contains the reality of

ITG and is an answer to the question ‘what is ITG?’.

The usage world is linked with users objectives and

justifies ‘why using ITG?’. The development world

contains engineering processes allowing to develop an

IS which is able to support ITG. The objective of the

development world is to describe the way to deploy

ITG and it is led by the question ‘how to deploy ITG?’.

The system world describes the content of the IS, the

elements used to represent the subject world: ‘through

which’ support to communicate about ITG?’.

Each world is described using facets. A facet is

representative of a particular aspect of ITG. We use

valuable attributes to characterise a facet. Thus a world

is composed by a set of facets. An attribute is defined

on a domain of value. A domain can be of several

types: a predefined type (integer, real, boolean...), an

enumerated type (ENUM {a, b, c}), or a set (SET (a; b;

c)). In this section we represent “facets” with quotes,

ATTRIBUTES are in capital letters and values are in

italic. In the following when the facet has a unique

attribute, the latter is considered having the same name

than the facet and is not reminded explicitly.

Figure 1: Framework overview.

The four worlds are interlinked in a particular way

as shown in Figure 1: (i) the subject world generates

some objectives for the usage world, (ii) the system

world is a way to represent the reality or the subject

world, (iii) the system world is built by the engineering

processes described in the development world, (iv) the

development world is a way to attain objectives for the

usage world, finally (v) the system world is used to

support the stakeholders objectives specified in the

usage world.

3.1.2 Subject World

The subject world is described through three facets.

(Weill, 2004) allowed us to identify the “decision”

and “organisation” facets. IT managers have to make

decisions in various domains: IT architecture, IT

infrastructure, requirements, finance and project

scheduling. These decisions are mainly focalised on

ICEIS 2007 - International Conference on Enterprise Information Systems

514

a financial aspect. IT decisions, when they are made,

have to be accepted by all stakeholders.

“Organisation” facet represents the enterprise context

for decision-making and delegation (centralised,

decentralised or hybrid). The “coverage” facet is

representative of the main enterprise objective in

deploying ITG. Internal ITG is seen as a way to

manage IT to ensure a support for business processes.

External ITG is a support to ensure shareholders and

the directorate that IT decisions are in conformity

with their own objectives.

3.1.3 Usage World

The usage world is composed of six facets

representing main goals in using IS. IT managers

have to keep IT “aligned” with enterprise objectives

(Henderson and Venkatraman, 1993) in a particular

“risk management” context. Alignment can be

performed by strategic integration or functional

integration. Risks can be transferred to an external

entity, accepted or refused. Decisions are taken to

ensure that IT creates “values” through services

provided to the organisation or to external actors

(e.g.: customers, shareholders, providers). The

“Quality” facet is representative of the IT usability,

efficiency, efficacy and degree of goal completion

(Tricot and Tricot, 2000). The ‘Change’ facet

characterises

ORIENTATION and CYCLE of change

(Rolland, 1998). ORIENTATION can be horizontal or

vertical and the

CYCLE of change can be radical or

continuous. The “maturity of IT governance” can be

also an essential goal for managers (AFAI and

CIGREF, 2006). Maturity is performed by

instantiating a maturity model describing

LEVEL

(integer) and associated OBJECTIVES which is an

enumeration of enterprise objectives.

3.1.4 Development World

The development world is composed of three facets.

The “architecture approach” is representative of the

way of modelling the enterprise knowledge using

strategic modelling, cartography or being guided by

the target IS (Longépé, 2004). Here, the “quality

approach” facet is not linked with information system

characteristics but with the quality management

methodology in use. We identified two types of

quality approaches: (i) continuous improvement

where goal definition and measures creation

anticipate the future states of the enterprise and goal

redefinition, (ii) the factual approach where data

analysis is required for decision-making. Enterprises

are more and more concerned by “development

process maturity”: they use maturity models like

CMMI which presents the maturity

LEVEL (integer)

and their associated

OBJECTIVES (list of objectives).

3.1.5 System World

The system world is composed of four facets. The

“topography” facet is used to characterise the IT

deployment in the organisation. The topography

can be centralised, distributed or hybrid depending

on the “organisation” of the decision process (§

3.1.2). The “abstract level” is based on the plan

theory in the way that a plan can generate other

more ‘specific’ ones (Rolland, 1998). We can

suppose the existence of infinity of levels but we

limit them, in this framework, to three: meta-

model, model and instance. The “content” facet

describes concepts that the system offers in order to

support ITG: goal, process, service, decision and

indicator. The “description” facet is representative

of the way to represent concepts and is related to

the attributes

FORM and NOTATION used to describe

them. The notation can be formal, semi-formal or

informal. Concepts can be represented through

diagrams, text or ontology.

3.2 Discussion and Analysis

We have chosen to formalise a framework to analyse

the implication of ITG approaches on the IT

engineering methods because, in our knowledge, the

literature does not provide this kind of study does

not exist. We built our framework by defining ITG

related properties. Improvements can be made for

scaling this framework to literature analysis for other

research questions related to ITG. We measured the

pertinence of each approach on a particular aspect of

ITG (i.e. facets we defined for this purpose). Here, we

evaluate this pertinence for each world on a scale of

ten points (see Formula 1 and Table 1). Marks (N) are

proportional to the number of facets used to evaluate

an approach (f

) in comparison to the number of facets

on the concerned world (f

). A high mark on a

specific world, for a given approach, indicates that

this approach can be significantly analysed and

compared to other approaches through the facets of

this world. EKD-CMM which is an ‘enterprise

architecture and IS’ engineering approach, is less

perceived by the framework than the others. This

shows us that EKD-CMM, as enterprise knowledge

and IS engineering approach, does not integrate well

IT governance concepts. Our research aims to

improve IS engineering methods in order to deal with

the ITG requirements. In this context, the evaluation

can help us in selecting the ITG approaches which will

be used to improve IT engineering methods.

A FRAMEWORK FOR ANALYSING IT GOVERNANCE APPROACHES

515

(1)

Table 1: Evaluation of approaches.

Subject

Usage

Develop-

ment

System

(Weill, 2004)

10.00 5.00 3.33 10.00

BSC

6.67 8.33 6.67 7.50

Six Sigma

10.00 6.67 6.67 10.00

ITIL

6.67 8.33 6.67 7.50

COBIT

6.67 10.00 10.00 10.00

EKD-CMM

6.67 5.00 3.33 10.00

(Hammami-Abid, 2004)

6.67 6.67 3.33 7.50

CMMI

6.67 8.33 10.00 10.00

4 CONCLUSIONS

Our study considers, and situates the contributions of

IT governance approaches. This work provides a step

in the comprehension and in the appropriation of IT

governance requirements. The comprehension of these

contributions anticipates our research whose objective

is to work out an engineering method allowing us to

build “governable” information systems.

We aim (i) to improve our knowledge and

experience on method engineering in order to develop

ITG related method chunks which could be integrated

in existing IS engineering methods and (ii) as a first

case study, to extend EKD-CMM in order to anticipate

the ITG requirements for an IS under development.

REFERENCES

Afai, Cigref (2006), Enquête 2006 sur la maturité des

entreprises Françaises en Gouvernance des SI,

Symposium IT Governance en actions, 18

May 2006,

http://www.afai.fr/public/doc/170.pdf, acceded 15/06/06.

Afai, Itgi (2002), COBIT Gouvernance, Contrôle et Audit de

l'Information et des Technologies Associées – Troisième

édition, ISBN: 2-9515149-5-6.

Barrios, J. and Nurcan, S. Model Driven Architectures for

Enterprise Information Systems, Int. Conference on

Advanced information Systems Engineering (CAISE),

Springer Verlag, Riga, Latvia, 2004.

Biehl, R., E. (2004), Six Sigma for Software, in Eickelmann N

and Hayes J H (Ed) IEEE Software, IEEE Computer

Society, pp. 68-70.

Hammami-Abid, I. and Elidrissi, D. (2004), Gouvernance des

systèmes d’information et alignement stratégique : vers

un système d’information agile et urbanisé, in Procedings

of the European and Mediterranean Conference on

Information Systems, 25-27 July 2004.

Henderson, J. C. and Venkatraman, N. (1993), Strategic

Alignment: Leverating Information Technology for

Transforming Organizations, in IBM System Journal,

32:1, pp. 4-16.

Jarke, M., Mylopoulos, J., Schmidt, J. M. and Vassiliou Y.

(1992), DAIDA - An Environment for Evolving

Information Systems, ACM Trans., in Information

Systems, Vol. 10, No. 1.

Jarke, M. and Pohl, K. (1993), Requirements Engineering: An

Integrated View of Representation, Process and Domain,

in Procedings 4th Euro. Software Conf., Springer Verlag.

Kaplan, R. and Norton, D. (1996). Balanced Scorecard –

Translating strategy into action, Harvard Business School

Press (Ed.), 1996, ISBN: 0875846513.

Longépé, C. (2004), Le projet d’urbanisation du SI –

Démarche pratique avec cas concrets – 2

ème

édition,

Dunod (Ed.), ISBN: 2 10 007376 1.

Niessink, F. and Van Vliet, H. (1998), Towards Mature IT

Services, in Software Process: Improvement and Practice,

4:2, pp. 55-71.

Ridley, G., Young, J. and Carroll, P. (2004), COBIT and its

Utilization: A framework from the literature, in

Procedings of the 37

Hawaii International Conference

on System Sciences, Track 8, Vol. 8.

Rolland, C. (1998), A Comprehensive View of Process

Engineering, in the Proceedings of the 10

International

Conference CAISE’98, Lecture Notes in Computer

Science 1413, B. Pernici, C. Thanos (Eds), Springer.

Santana Tapia, R. (2006), IT Process Architectures for

Enterprises Development: A Survey from a Maturity

Model Perspective, Technical Report TR-CTIT-06-04,

CTIT, University of Twente, The Netherlands.

Software Engineering Institute (SEI) (2001), CMMI-SE/SW,

V1.1 - Continuous Representation, http://www.sei.cmu.

edu/pub/documents/02.reports/pdf/02tr001.pdf.

Tricot, A. and Tricot, M. (2000), Un cadre formel pour

interpréter les liens entre utilisabilité et utilité des

systèmes d’information (et généralisation à l’évaluation

d’objets finalisés), in Proceedings of Colloque Ergo-IHM,

Biarritz, France, 3-6 October 2000, pp. 195-202.

Van Grembergen W.(2002), Introduction to the minitrack IT

Governance and its Mechansims, Proceedings of the 35

Hawaii International Conf. on System Sciences (HICSS).

Violino, B. (2005), IT Frameworks Demystified, in Network

World, Vol. 22, Issue 7, 21

February 2005, pp. 18S-20S.

Weill, P. (2004), Don't Just Lead, Govern: How Top-

Performing Firms Govern IT. In MIS Quarterly

Executive, Vol, 8, 1, March 2004, pp. 1-17.

ICEIS 2007 - International Conference on Enterprise Information Systems

516