Exploring Differences between Large and Medium Organizations Corporate Governance of Information Technology


1 Exploring Differences between Large and Medium Organizations Corporate Governance of Information Technology
UWCISA Symposium
Professor Carla Wilkin, Department of Accounting, Monash University
Paul Couchman (Independent), Amrik Sohal (Monash University), Ambika Zutshi (Deakin University)

2 Agenda
1. Introduction
2. Research Questions
3. Literature Review
4. Context, Research Method, Analysis
5. Sample
6. Findings
7. Insights Generated
8. Limitations
9. Conclusions

3 Introduction
- An ongoing concern is value delivery from IT investment
- Our focus is Corporate Governance of IT (CGIT), i.e., it comprises boards, leadership, and organizational structures and processes
- CGIT-related tools and management systems, i.e., PRINCE2, ITIL, COBIT, Val IT, ISO/IEC 38500:2008
- Few studies have explored practitioner views: influences, challenges, perceived benefits and views on ISO/IEC 38500:2008

4 Research Questions
Question 1: What is the extent of awareness amongst IT and business executives regarding CGIT and its related frameworks and/or methodologies that facilitate the delivery of business value?
Question 2: How do the views of IT business executives concerning CGIT differ between smaller and larger organizations?
Question 3: For organizations with a CGIT policy, what practices are followed? What influences adoption of CGIT as a policy? What are perceived as the principal benefits and challenges associated with implementing CGIT? What structures, processes, mechanisms and resources support CGIT?
Question 4: Given its specific CGIT focus, to what extent are ISO/IEC 38500:2008's principles applied in organizations?

5 Literature Review
CGIT; CGIT to Build Capability + Business Value; CGIT Tools; RBV and CGIT
Corporate Governance and CGIT:
- Long concern with generating value from/through IT
- Often conceptualized through strategic business/IT alignment
- Challenging; CGIT can help
Use of CGIT to Build Capability + Bus. Value:
- In response to building capability and increasing business value
CGIT Tools:
- COBIT, COSO, PRINCE 2, CMMI, ITIL and ISO/IEC 38500:2008
RBV and CGIT:
- Grounded in RBV of the organization: core capability is effective IT gov.
- Alignment between IT and complementary resources
- Little consensus re benefits of CGIT to RBV, i.e., IT gov. competence creates IT-related capabilities
- Organization size affects resources

6 Context, Research Method and Analysis
Context
- Smaller (SE) and larger (LO) organizations
- Both make important, distinct economic and employment contributions
- ABS definition: small <20; medium ; large >200
- IT investment: large 30% of total investment; SMEs 94% had internet
- Online sales: LO 87.5%, ME 73.8%, SE 56.5%
- Orders: LO 48.2%, ME 45.6%, SE 34.4%
- Internet income: LO A$b, ME A$b 59.2, SE A$b 30.7
Research Method
- Qualtrics survey, 25 weeks, 2013/2014
- Views: business executives + CIO, using non-probability convenience sampling
- Focus: demographics; use of IT governance frameworks and tools; interpretation of CGIT + incidence of policies and associated practices; influences on the decision to adopt CGIT; extent of achieved CGIT benefits; challenges associated with CGIT; application/applicability of the principles of ISO/IEC 38500:2008
Data analysis
- Quantitative: SPSS v20
- Qualitative (i.e., open-ended comments): manual thematic analysis

7 Sample
N = 143, comprising ME = 43 (30.1%); LO = 100 (69.9%)
(Columns: MEs, LOs, Overall)
Gender: Male; Female (% % 92 8 %)
Position: CEO; CIO; IT Director; COO; Operations Manager; Other
Time in position (years); Time in org. (years) (Missing; Missing)
Industry: Accomm., cafes and restaurants; Retail trade; Communication services; Cultural and recreational services; Transport and storage; Electricity, gas and water supply; Education; Government admin. + defence; Finance and insurance; Health and community services; Others: IC/ICT; Others: Mmgt Consulting

8 Findings: CGIT Frameworks and Methodologies, Awareness and Implementation

9 Findings: Views About the Meaning of CGIT (ME %, LO %, Overall %)
- A responsibility of executives and the board of directors aimed at ensuring the organization's IT systems sustain and extend its strategies and objectives
- A set of mechanisms to request, prioritize, sponsor, fund, monitor, and enforce IT investment decisions in order to ensure the resulting IT investments deliver value to the organization
- A framework for decision rights and accountabilities designed to encourage desirable behavior in the use of IT within an organization
- The system by which the current and future use of IT is directed and controlled within an organization
- A subset of the overall corporate governance of the organization concerned specifically with decisions about key IT activities and investments
- The strategic alignment of IT with business goals and objectives
- Other, including: (1) necessarily and sufficiently capable of managing and delivering the organization's ICT-enabled investment agenda and business continuity; (2) performance and accountability of IT; (3) controls to ensure proper investment and management for IT capability; (4) policies, strategies

10 Findings: CGIT Policy: Incidence of, Responsibility for and its Communication (ME, LO, Overall)
Written CGIT policy (%): Yes, stand-alone; Yes, component of CG; Total yes; No, but under development; No; Total no; Don't know
The next section excludes respondents who did not answer or answered no to having a written CGIT policy. Thus, n = 81.
Respondent involvement in developing a policy on CGIT: 1 (not); (a little); Total (not and/or little); (moderately); (largely); (fully involved); Total (largely and/or fully involved)

11 Findings: CGIT Policy: Incidence of, Responsibility for and its Communication (cont.)
Next, those who had a policy under development were excluded. Thus, n = 66.
Responsibility for updating it (ME / LO / Overall): CEO; CFO; COO; CIO; Board; Don't know / Other: / / / 16.7
Responsibility for implementing: CEO; CFO; COO; CIO; Board; Don't know / Other (i.e., executive team, advisory board, CIO + governance committee): 6.7 / / / 16.7
Frequency reviewed and updated: Monthly / 3 monthly / 6 monthly: 0 / 13.3 / 0 2 / 15.7 / / 15.2 / 4.5; Annually; Ad hoc / Don't know: 46.7 / / / 10.6; Other (i.e., biennially, complex, too early to tell)
The CGIT policy is communicated: Yes; No; Don't know
Form of communication of CGIT policy: Verbally by supervisor: 13.3 / / / 3; Intranet / Internet: 20 / / / 1.5; Other (i.e., all, ..., many of the above, governance groups)

12 Findings: Factors Influencing Organizations to Develop CGIT-Related Policies
ITGI focus areas:
- Strategic alignment concerns ensuring that IT is in harmony with an organization's strategic objectives, thereby providing capability to deliver business value by positioning IT to assist with adding value to products and/or services, and accordingly in achieving competitive position.
- Value delivery concerns identifying IT benefits sought vs those achieved. This is difficult, as determining IT/business value diminishes as IT functions are absorbed into business processes.
- Resource management concerns resources (people, applications, data and technology that serve business needs) + the best financial allocation for IT investment and ongoing budgets, re IT use/resources.
- Risk management concerns financial and operational exposure, including technological risk and information security, breakdowns in internal control and oversight, plus business vulnerability due to lack of protection for IT infrastructure.
- Performance measurement involves measuring tangible assets with financial figures + intangible assets that often defy financial measurement (i.e., relationships, databases and knowledge assets).

Strategic alignment
- ME: Identified as an influence 16 times (27%). Most cited influences were: Ensure & oversee delivery of appropriate digital support (2); Business objectives & risk (2); Need to manage IT investment & value (2).
- LO: Identified as an influence 28 times (22.6%). Most cited influences were: IT supports business direction (alignment) + IT treated as strategic by board (17); and equally: Innovation (2); Value adding (2); Improved business understanding (2).
Value delivery
- ME: Identified as an influence 7 times (11.9%). Most cited influence was: As small org. we need to manage IT investments to yield value (2).
- LO: Identified as an influence 12 times (9.7%). Most cited influences were: Reducing complexity/standardization (4); Ensuring projects delivered on time (4); and significant IT spend (3).
Resource management
- ME: Identified as an influence 8 times (13.6%). Most cited influence was: Focus leadership attention/Support from IT executive team (2). Other influences included: Staff usage; and Change management.
- LO: Identified as an influence 13 times (10.4%). Most cited influences were: Poor practices (4); and CIO (2). Other influences included: Maintain stable environment; effective use of resources; and guidelines for staff.
Risk management
- ME: Identified as an influence 18 times (30.5%). Most cited influences were: Understanding IT Governance (2); and Corporate governance inc. as Advisory Organization (2).
- LO: Identified as an influence 61 times (49.2%). Most cited influences were: Regulatory compliance (inc. ext. audit) (13); Risk management (inc. min. outages) (11).
Performance measurement
- ME: Identified as an influence 10 times (16.9%). Influences included: Transparency across the organization; Overseeing IT direction; and Industry reports.
- LO: Identified as an influence 10 times (8.1%), with ROI cited 8 times. Other influences were: Ensuring results as promised to the board; & Visibility of returns on investment.

13 Findings: Benefits Achieved from Implementing a Policy for CGIT
Scale: 1 (not at all) to (extensively); columns: Group, Combined 4/5, Mean, SD, each for ME, LO, Overall
Benefits:
- Improved engagement with stakeholders
- Cost savings from reduced liability due to risk management
- Clarity of responsibility among the organization's personnel
- Clarity of accountability among the organization's personnel
- Alignment of IT with business needs
- Efficient allocation of resources

14 Findings: Challenges Associated with CGIT (by ITGI focus area)
Strategic alignment
- ME: Identified 18 times (23.7%). Most cited challenges: Change management whilst operating existing business (3); IT risks/Risk management (3); and Appropriate oversight and decision-making for risk mgmt (2).
- LO: Identified 96 times (33%). Most cited challenges: Ensuring/alignment approp. issues being addressed (12); Appropriate business planning (12); Executive commitment (7); Shared understanding of benefits (5); and Balancing innovation and operations (5).
Value delivery
- ME: Identified 4 times (5.3%). Most cited challenge: Value from IT/Demonstrated benefits realization (3).
- LO: Identified 7 times (2.4%). Most cited challenges: Value/Cost (3); and lack of maturity re benefits (2).
Resource management
- ME: Identified 35 times (46%). Most cited challenges: Change management (5); and equally: Shared understanding of IT governance & benefits (2); Budget and resource allocation (2); Compliance (2); Internet security (2), i.e., cloud services, web; Maintaining currency with method changes (2); and Procuring software/cloud services (2).
- LO: Identified as a challenge 128 times (44%). Most cited challenges: Commitment (10); Acceptance (9); Communication (9); Managing resistance (7); Staff & user understanding (7); and Change management whilst operating existing business (5).
Risk management
- ME: Identified 19 times (25%). Most cited challenges: Change management whilst operating existing business (3); IT risks/Risk management (3); Appropriate oversight and decision-making for risk management (2); and Bring your own device (2).
- LO: Identified 49 times (16.8%). Most cited challenges: Introducing a culture of accountability (6); Resistance, i.e., middle management, tenured staff (5); Enforcing compliance/governance (4); Integration of outsourced providers (3); Risk management vs commercial success (2); Risk taking ability among senior executives (2); and Inappropriate control by executives (2).
Performance measurement
- ME: Was not mentioned as a challenge.
- LO: Identified 11 times (3.8%). Most cited challenges: Demonstrated benefits realization (6); Audit, review (2); and Consequences re non-compliance (2).

15 Findings: Application of ISO/IEC 38500:2008 Principles: Highest Agreement
Columns: Group; % Disagree; Neutral; % Agree; Mean; SD (each for ME, LO, Overall)
Principles: 1 Responsibility; 2 Strategy; 3 Acquisition; 4 Performance; 5 Conformance; 6 Human Behavior
Statements with highest agreement:
- Those with responsibility for actions have the authority to perform those actions
- IT acquisitions are made on the basis of appropriate and ongoing analysis, with clear and transparent decision-making
- In my organization, IT complies with all mandatory legislation and regulations

16 Findings: Application of ISO/IEC 38500:2008 Principles: Strongest Disagreement
Columns: Group; % Disagree; Neutral; % Agree; Mean; SD (each for ME, LO, Overall)
Principles: 1 Responsibility; 2 Strategy; 3 Acquisition; 4 Performance; 5 Conformance; 6 Human Behavior
Statements with strongest disagreement:
- Individuals and groups within my organization understand and accept their responsibilities with respect to demand for IT
- My organization's strategic plans for IT satisfy the current and ongoing needs of our organization's business strategy
- IT is fit for purpose in supporting my organization, in terms of providing the services, the levels of service and service quality required to meet the current and future business requirements

17 Findings: Structures, Processes, Mechanisms and Resources (ME, LO, Overall %)
Structural mechanisms:
- CIO has a role on the board
- IT strategy committee
- Job specifications promote this
- IT steering committee
- Formal policies or procedures
- Others: CIO part of exec; alignment program; project governance group; portfolio gov. comm. (17.8)
Planning, implementation and monitoring approaches:
- Service Level Agreements (SLAs)
- Balanced scorecard
- Strategic information systems planning
- IT alignment models
- Other: none; weekly catch-up with GM; informal only (18.9)
Facilitation mechanisms:
- Business/IT co-location
- Rewards and incentives
- Regular briefings
- Other: exec. meetings; none; senior exec. make up technology governance committee (15.6)
Training methods:
- Online training
- On-site training that is run by external providers
- On-site training that is run internally
- Off-site training that is run by external providers
- Other: advisors; briefings; communication

18 Insights Generated
CGIT's meaning
- Preferred definitions concerned delivering value through strategic and inclusive practices, including defining accountabilities
Factors influencing adoption of CGIT
- Risk management: LOs: regulatory compliance, audit, minimizing IT downtime and poor IT performance; MEs: process
- IT strategic alignment with business objectives
- Value delivery
CGIT practices
- Enhanced awareness of project management tools vs COBIT and Val IT
CGIT policy
- LOs: more proactive in having a written policy
- MEs: have a policy under development

19 Insights Generated
CGIT influences
- MEs: internal organizational perspectives
- LOs: more external outcomes/governance
Delivering CGIT
- Primary challenge: human element
- Challenges for all: ensuring an understanding of CGIT and its benefits; achieving strategic alignment of IT with business goals and strategies; ensuring organizational capacity and capability
CGIT benefits
- Key benefit: alignment
- For those with written CGIT policies: alignment of IT with business needs; clarity of accountability and responsibility; improved stakeholder engagement

20 Insights Generated
Applicability of ISO/IEC 38500:2008 to CGIT delivery
- Delivered on Principles 3 (Acquisition) and 5 (Conformance)
- Problems with Principles 1 (Responsibility), 2 (Strategy) and 4 (Performance)
IT's integral nature
- Key influences: alignment and risk management
- Risk management was seen as more important for LOs
CGIT
- Top-down driven: written policy and identification of resource mgmt.
- Formal reported structures, processes, mechanisms and resources
- MEs more inclusive

21 Limitations
- Australian organizations
- Primarily perceptive information: bias + error

22 Conclusions
- New knowledge regarding ME engagement with CGIT + focus on alignment
- Human engagement was a primary challenge; managed in terms of assigned responsibility
- CGIT was seen as an initiative by which to achieve business value through delivering organizational capabilities
- Improved CGIT practice: actioning a written policy through delivery on assigned accountabilities and attention to human resources