IT Governance in Financial Services and Manufacturing


Comparing the two sectors using COBIT 4.1 as framework
Michael Mirbaha
Master Thesis, Stockholm, Sweden 2008
XR-EE-ICS 2008:003

Abstract

This is the final report of a Master Thesis project written at Industrial Information and Control Systems at the Royal Institute of Technology. The thesis was conducted at BiTA Service Management AB. In today's dynamic and often turbulent business environment, Information Technology (IT) has become pervasive and organizations are highly IT dependent. Due to this dependency, the importance of alignment between IT units and the business strategic direction has increased. This alignment is the primary goal of IT governance. Control Objectives for Information and related Technology (COBIT) is a recognized framework for IT governance. With the guidance of COBIT, managers can recognize critical IT processes and identify controls and risks. Managers can also assess process capability based on maturity models. The use of maturity models to assess process capability is a key part of IT governance implementation and can be used to benchmark a firm over time or against other firms. Maturity models also enable management to identify the strengths and weaknesses of the firm's IT activities. The goal of this thesis was to assess the IT governance maturity of organizations in financial services and manufacturing, using COBIT 4.1 as the framework, and then compare the two sectors. The survey data gathered from ten large Swedish organizations are presented in this thesis. The results show that there are differences in IT governance maturity between the two sectors, with financial services being more mature. This report also identifies and discusses some of the factors that may explain the differences in IT governance maturity between the two sectors.

Table of Contents

Abstract...
Table of Contents...
Table of Figures...
1. Introduction
  1.1 Background
  1.2 Goal and aim
  1.3 Objectives
  1.4 Delimitations
2. Theory
  2.1 Corporate governance
  2.2 Linking IT Governance with Corporate governance
  2.3 IT governance
  2.4 The difference between governance and management
  2.5 The Sarbanes-Oxley Act
  2.6 Different frameworks for IT Governance
    ISO standards
      ISO 9000 Quality Management Systems
      ISO/IEC 20000 Information Technology Service Management Standard
      ISO Information Security Management Systems
    M_o_R Management of Risk
    AS 8015 Australian Standard for Corporate Governance of IT
    ITIL V.3 Information Technology Infrastructure Library
    COBIT 4.1 Control Objectives for Information and related Technology
      Business Requirements
      IT resources in COBIT
      Process-orientated
Method
  Project Model
    The Project Initiation
    The Theory Phase... 24
    3.1.2 The Information Gathering Phase
    The Analysis Phase
    The Project Closure Phase
  Data collection
    Quantitative and Qualitative Methods
    Primary and secondary data
  Research strategy and method
    The IT Organization Modeling and Assessment Tool (ITOMAT)
  Selection
    Population
    Sampling method
  Evaluation of the validity and reliability of the study
Results
  Respondent roles and number of interviews per organization
  The IT governance maturity results from each sector
    The results from Financial services
    The results from Manufacturing
  The differences in IT governance maturity
Discussion and conclusion
  The Financial Services Sector
  The Manufacturing sector
  Analyzing the differences
  Discussion about the project and suggestions for improvement
  Conclusions
References...
Appendix...

Table of Figures

Figure 2.1: Linking Corporate governance to IT governance... 6
Figure 2.2: Five ways enterprises seek value from IT... 7
Figure 2.3: IT Governance and IT Management... 9
Figure 2.4: Conceptual model of the relationship between IT governance and IT management... 9
Figure 2.5: The eight quality management principles... 12
Figure 2.6: Service management processes... 13
Figure 2.7: The Plan-Do-Check-Act cycle... 13
Figure 2.8: The AS 8015 model for corporate governance of IT... 15
Figure 2.9: ITIL Service Lifecycle... 16
Figure 2.10: IT Governance Focus Areas... 17
Figure 2.11: The COBIT Cube... 18
Figure 2.12: Basic COBIT principle... 18
Figure 2.13: The four interrelated domains of COBIT... 20
Figure 2.14: Overall COBIT framework... 21
Figure 2.15: Inputs and Outputs... 21
Figure 2.16: Goals and Metrics... 22
Figure 2.17: RACI Chart... 22
Figure 2.18: Graphic Representation of Maturity Models... 23
Figure 3.1: The different phases in the thesis project model... 24
Figure 3.2: The role distribution in ITOMAT... 28
Figure 3.3: ITOMAT's Internal Metrics, IM, for assessment of IT governance maturity, MI... 28
Figure 4.1: The ITOMAT roles interviewed and the total number of interviews conducted... 31
Figure 4.2: The 34 COBIT processes. Source: ITGI...
Figure 4.3: Financial services, results per domain and average IT governance maturity... 33
Figure 4.4: Financial services, results per process... 33
Figure 4.5: Manufacturing, results per domain and average IT governance maturity... 34
Figure 4.6: Manufacturing, results per process... 34
Figure 4.7: The difference in ITGM per domain and total average... 35
Figure 4.8: The difference in ITGM per process... 35

1. Introduction

This is the report of a Master of Science thesis written at Industrial Information and Control Systems at the Royal Institute of Technology. The thesis was conducted at BiTA Service Management AB. This chapter presents the background along with the goals, aims and delimitations of this thesis.

1.1 Background

Today firms use technology to develop, manage and exchange intangible assets such as information and knowledge. This information has to be secure, accurate, reliable, and provided to the right person at the right time and place for the firm to be successful. Because of the pervasiveness of and dependence on information technology (IT) in organizations, the importance of alignment between IT units and the business strategic direction has increased. [1, 2] This alignment is the primary goal of IT governance. [3] Researchers were examining and addressing the fundamental concepts of IT governance as early as the 1960s, but it was not until the late 1990s that the notion of information system (IS) governance frameworks, and later IT governance frameworks, started to feature prominently in the academic literature. [4] In today's dynamic and highly competitive business environment, where firms spend around 3-5 percent of their revenues each year on IT just to stay competitive, good IT governance is no longer nice to have but a must have. [5, 6] It is rarely a matter of just working harder or longer to extract greater value from IT; instead it requires the development of new techniques for designing, implementing and involving different people in IT decisions. [7] High-level IT governance models are therefore being created, and today IT governance is high on the agenda in many organizations. [8] The research of Weill and Ross shows that top-performing enterprises generate returns on their IT investments up to 40 percent greater than their competitors. Their studies also show that firms with above-average IT governance following the same specific strategy, e.g. customer intimacy, have more than 20 percent higher profits than firms with poor governance following the same strategy. [9] Many leading organizations use IT governance to pursue gains in efficiency, accountability, and regulatory and other forms of compliance. [10] In 2006 the IT Governance Institute (ITGI) conducted a global survey drawing on 695 organizations. The survey reports

[1] Grembergen, V.W., Haes D.S. & Guldentops, E., 2004, p.3
[2] Lee, C-H., Lee, J-H., Park, J-S. & Jeong K-Y., 2008, p.1
[3] Haes D.S. & Grembergen, V.W., 2008, p.2
[4] Brown, E.A. & Grant G.G., 2005, p.
[5] Yayla, A.A. & Hu, Q., 2008, p.1
[6] Webb, P., Pollard, C. & Ridley, G., 2006, p.7
[7] Weill, P. & Ross, J.W., 2000, p.25
[8] Haes D.S., et al., 2008, p.1
[9] Weill, P., et al., 2000, p.2
[10] Lee, C-H., et al., 2008, p.1

that 87 percent of participants considered IT crucial to the delivery of their business vision and strategy. [11] With this major IT dependency comes a huge vulnerability that is inherently present in complex IT environments. A wide spectrum of external threats accompanies the risk factor, such as errors, omissions, abuse, fraud and cybercrime. [12] For the above mentioned reasons, most organizations are vulnerable to IT risks. IT governance helps mitigate this risk. [13] All the issues described above point to the need for a specific focus on IT governance to ensure that the investment in IT will generate the required business value and that risks associated with IT are mitigated. [14] Also, with the passage of the Sarbanes-Oxley Act in the United States in 2002, organizations have to reexamine their corporate governance structures to ensure proper fiscal accountability to stakeholders and organizational shareholders. Through legislation, corporate managers are now obligated to adopt a more transparent framework to govern their organizations. IT governance, which is often the weakest link in the overall governance structure of an organization, received a significant increase in attention from business management due to the Sarbanes-Oxley Act. [15] To be able to implement effective IT governance, organizations need to assess their current performance and be able to identify where and how improvements can be made. The use of maturity models greatly simplifies this task and provides a structured approach for measuring, against a consistent scale, how developed the IT governance process and the processes managed within IT are. [16] Maturity models can also be a very comprehensive tool to benchmark the organization over time or against other organizations of specific sizes and in specific geographies and sectors. [17] There are many factors influencing governance requirements, with industry and region being two of these factors. [18] According to the key findings of ITGI's IT Governance Global Status Report from 2006, there is a significant difference among industry sectors, where financial services appear to be the better performer when it comes to IT governance while the manufacturing sector is a lesser performer. [19] This leads to the main question of this thesis: Are there any differences in IT governance maturity between the financial services sector and the manufacturing sector for large Swedish organizations?

[11] ITGI, 2006, p.
[12] Grembergen, V.W., et al., 2004, p.3
[13] Lee, C-H., et al., 2008, p.3
[14] Grembergen, V. W., et al., 2004, p.3
[15] Brown, E.A., et al., 2005, p.
[16] Guldentops, E., 2004, p.
[17] Grembergen, V. W., et al., 2004, p.
[18] Weill, P., et al., 2000, p.
[19] ITGI, 2006, p.6

1.2 Goal and aim

The goal of this project was to assess the IT governance maturity of ten large Swedish organizations from the financial services sector and the manufacturing sector and compare them horizontally, between the two industry sectors. Consequently, the aim of this project was to examine whether any differences could be found in the IT governance maturity of firms depending on the industry sector.

1.3 Objectives

1. Measure the IT governance maturity of the ten participating firms.
2. Compare and analyze the results from the two different industry sectors.

1.4 Delimitations

The following delimitations existed for this project:

1. Only firms in the financial services or manufacturing sectors according to the Swedish Standard Industrial Classification 2007 (SNI 2007) [20] were asked to participate.
2. Only large Swedish firms with more than 600 employees were asked to participate.

2. Theory

In this chapter the theoretical framework for this study is presented. IT governance is a broad concept that is integrally inter-related with corporate governance, making IT governance a subset of corporate governance. [21] It is therefore natural to start the theory chapter by looking at the broader issue of corporate governance and how corporate governance and IT governance are linked. Thereafter the term IT governance is discussed. The difference between governance and management, the Sarbanes-Oxley Act and several frameworks for IT governance are also discussed in this chapter. At the end of this chapter the COBIT framework is described thoroughly.

2.1 Corporate governance

Recent pressures, including the failure of organizations such as Enron, WorldCom, Global Crossing, and Bre-X, have led to an increased focus on corporate accountability. One example is the Sarbanes-Oxley Act of 2002, which introduced legislation imposing new governance requirements. [22] A more detailed discussion of the Sarbanes-Oxley Act can be found in section 2.5. Even though the definitions of corporate governance vary, they all situate corporate governance at the highest levels of the organization and present a need for leadership, direction and control. [23] Three definitions of corporate governance are presented below:

"Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." [24]

"Corporate governance is the system by which business corporations are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance." [25]

"Governance is the exercise of authority, direction and control of an organization in order to ensure its purpose is achieved. It refers to who is in charge of what; who sets the direction and the parameters within which the direction is to be pursued; who makes decisions about what; who sets performance indicators, monitors progress and evaluates results; and, who is accountable to whom for what. Governance includes the structures, responsibilities and process/practices that the board of an organization uses to direct and manage its general operations. These structures, processes and organizational traditions determine how authority is exercised, how decisions are taken, how stakeholders have their say and how decision-makers are held to account." [26]

[21] Korac-Kakabadse, N. & Kakabadse, A., 2001, p.9
[22] Ridley, G., Young, J. & Carroll P., 2004, p.1
[23] Webb, P., et al., 2006, p.9
[24] Chartered Institute of Management Accountants (CIMA). Source: itsmf, 2007(b), p.2
[25] The Organisation for Economic Co-operation and Development (OECD). Source: itsmf, 2007(b), p.3
[26] Gill, M., 2002, p.2

According to Weill and Ross, two complementary sides of corporate governance can be articulated: the behavioral side and the normative side. The behavioral side of corporate governance encompasses relationships and patterns of behavior between different agents in an organization, that is, the way managers, shareholders, employees, key customers, and communities form the strategy of the firm by interacting with each other. The normative side of corporate governance refers to the set of rules that frame the above mentioned relationships and assign decision rights to specific individuals or groups of individuals. The mechanisms formalizing the relationships, providing rules and operating procedures to ensure that objectives are met, are defined by the normative side. [27] Even though the literature does not agree on an optimal governance structure, it is commonly accepted that weaker governance is associated with more agency problems and lower firm performance. [28] Studies have shown that firms with excellent corporate governance show good stock earnings rates and shareholder compensation. These findings support the hypothesis of a strong correlation between firm performance and improved corporate governance. [29]

2.2 Linking IT Governance with Corporate governance

Weill and Ross propose a framework for linking corporate governance and IT governance, shown in figure 2.1 below. It shows the six key assets through which enterprises accomplish their strategies and generate business value. Below follows a list of these key assets with some of their key elements:

- Human assets: People, skills, training
- Financial assets: Cash, investments, liabilities
- Physical assets: Buildings, plants, equipment
- Intellectual property (IP) assets: Patents
- Information and IT assets: Digitized data, information, knowledge about customers
- Relationship assets: Relationships, brand, reputation with customers, competitors

The governance of the key assets occurs through a number of organizational mechanisms, such as processes, committees, audits, and procedures. At the bottom of figure 2.1 are the mechanisms used to govern each of the key assets. Common mechanisms across multiple assets increase integration and are simpler to communicate and implement. Hence the organization will perform better with more common governance mechanisms. [30] IT governance cannot be considered in isolation because it links to the governance of the other key assets. The governance of the key assets in turn links to corporate governance and desirable behavior. [31]

[27] Weill, P., et al., 2000, p.9
[28] Yayla, A.A., et al., 2008, p.2
[29] Lee, C-H., et al., 2008, p.2
[30] Weill, P., et al., 2000, p.
[31] Weill, P., 2004, p.3

Figure 2.1: Linking Corporate governance to IT governance. Source: Weill, P., et al., 2000, p. 5.

In figure 2.1, strategy is a set of choices while desirable behavior represents the beliefs and culture of the organization as defined and acted through not only strategy but also corporate value statements, mission statements, business principles, rituals, and structures. It is the behavior that creates value, not the strategy, and therefore clear desirable behaviors are the key to effective governance. [32]

2.3 IT governance

By deploying information through the application of technology, IT governance has been recognized as a critical success factor in the achievement of corporate success, and it is widely accepted that the benefits generated by organizational IT investments are directly influenced by IT governance. [33, 34] As mentioned previously, studies have shown that firms with above-average IT

[32] Weill, P., et al., 2000, p.
[33] Ridley, G., et al., 2004, p.1
[34] Webb, P., et al., 2006, p.1

governance that follow a specific strategy have more than 20 percent higher profitability than firms with poor IT governance following the same strategy. [35] The importance of IT governance is emphasized by the significant and rising IT baseline costs. Reports have shown that IT makes up about 75 percent of the operating budget and represents approximately 4 percent of gross revenue. Nowadays an IT failure or breach can precipitate a significant financial loss or serious legal risks and issues for an organization. [36] Analysis of costly failures of IT initiatives has indicated poor governance and a lack of guidance to those whose role it was to manage the risks associated with achieving the benefits and value from IT investments. [37] Studies have shown that large organizations spend over 50 percent of their capital investment, i.e. money used to purchase fixed assets, on IT. [38] All enterprises have IT governance, but enterprises with effective IT governance have actively designed a set of IT governance mechanisms that encourage desirable behaviors, i.e. behavior consistent with the organization's strategy, mission, norms, and culture. IT governance matters because it influences the benefits received from IT investments. Figure 2.2 shows five ways top-performing enterprises pro-actively seek value from IT. [39]

- Clarify business strategies and the role IT plays in achieving them.
- Measure and manage the amount spent and the value received from IT.
- Design organizational practices to fit IT to their business strategies.
- Assign accountability for the organizational changes required to benefit from new IT capabilities.
- Learn from each implementation, becoming more adept at sharing and reusing IT assets.

Figure 2.2: Five ways enterprises seek value from IT. Source: Weill, P., 2004, p.1-3.

The IT governance literature includes a range of definitions that differ considerably depending upon the perspective of the researcher. [40] Although the definitions of IT governance differ, they are all focused on the same issues, such as the alignment of IT with the business. [41] Presented below are some definitions of IT governance:

"IT governance: Specifying the decision rights and accountability framework to encourage desirable behavior in using IT." [42]

"IT Governance is the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT." [43]

[35] Weill, P., 2004, p.3
[36] Webb, P., et al., 2006, p.3
[37] itsmf, 2006, p.
[38] Ridley, G., et al., 2004, p.1
[39] Weill, P., 2004, p.
[40] Webb, P., et al., 2006, p.5
[41] Grembergen, V.W., et al., 2004, p.
[42] Weill, P., et al., 2000, p.8
[43] Grembergen, V.W., et al., 2004, p.5

In this paper the definition of IT governance is in line with the IT Governance Institute's (ITGI) definition of IT governance:

"IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives." [44]

The many different definitions of IT governance give rise to a lack of clarity which inhibits and damages communication regarding IT governance. [45] One of the challenges in implementing good IT governance is being able to describe it to, and communicate it with, IT and non-IT personnel. Research has shown that this factor is the most important predictor of high governance performance: the higher the percentage of managers who can describe IT governance, the higher the governance performance. [46]

2.4 The difference between governance and management

The difference between IT governance and IT management is fundamental and well beyond theory, with distinguishable activities even if in some cases they are performed by the same person. [47, 48] Unlike management, IT governance is not about what specific decisions are made but rather the systematic determination of who makes each type of decision, who has input to a decision, and how these people are held accountable for their role. [49] While managers administer, develop, implement, and monitor business strategies on a day-to-day basis, governors deal with overall organization policy, culture, and direction. [50] Bird makes this distinction by stating that managers manage organizations by virtue of the authority delegated to them by those who govern. [51] In other words, governance determines who makes the decisions while management is the process of making and implementing the decisions. [52] Figure 2.3 below illustrates the difference between IT governance and IT management. The domain of management focuses on the effective and efficient supply of IT services and products and the management of IT operations. IT governance in turn is much broader and concentrates on the contribution to present business operations and performance (internal focus) while also transforming and positioning IT to meet future business challenges (external focus). IT governance is therefore both internally and externally orientated and spans both present and future time frames. [53]

[44] ITGI, 2007, p.5
[45] Webb, P., et al., 2006, p.1
[46] Weill, P., 2004, p.
[47] Peterson, R.R., 2004, p.
[48] Bird, F.
[49] Weill, P., 2004, p.3
[50] Webb, P., et al., 2006, p.2
[51] Bird, F.
[52] Weill, P., et al., 2000, p.8
[53] Grembergen, V.W., et al., 2004, p. 5

Figure 2.3: IT Governance and IT Management. Source: Grembergen, V.W., et al., 2004, p.5

The relationship between IT governance and IT management can, from a conceptual point of view, also be modeled as in figure 2.4.

Figure 2.4: Conceptual model of the relationship between IT governance and IT management. Source: Sallé, 2004, p.

2.5 The Sarbanes-Oxley Act

In response to a number of high-profile accounting scandals at organizations such as Enron and WorldCom, the United States Congress passed the Sarbanes-Oxley Act in July 2002. The aim of the Act is to rebuild public trust and to prevent future accounting scandals. The Act has been considered the most far-reaching securities legislation since the Securities Acts of 1933 and 1934. [54, 55] It not only imposes additional disclosure requirements, but also proposes substantive corporate governance mandates. [56] The Sarbanes-Oxley Act clearly defines the rules for accountability and makes management personally responsible for ensuring the credibility of the

[54] Kaarst-Brown, M.L. & Shirley, K., 2005, p.1
[55] Zhang, I.X., 2007, p.
[56] Ibid.

internal control over financial reporting disclosure. [57] The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as:

"A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations" [58]

Hence the Sarbanes-Oxley Act targets both management accountability and operating efficiency. These are two areas that are tightly coupled with the IT function. [59] The Sarbanes-Oxley Act therefore has a strong impact on both corporate governance and IT governance. [60] The Act contains eleven sections, of which the two most obviously relevant for the CIO are sections 302 and 404. These sections deal with the internal controls an organization has in place to ensure the accuracy of its data. Section 409 is also important because material changes affecting financial disclosure must be reported on a rapid and current basis. The system must therefore be able to provide timely information within a short timeframe. [61] The Sarbanes-Oxley Act has an extensive application area that affects all organizations that are considered issuers according to the Securities Exchange Act of 1934 or the Securities Act of 1933. The Act is therefore applicable to both American and non-American organizations with shares or American Depository Receipts registered for trade on an American stock exchange or marketplace. Organizations that have initiated a procedure to offer shares to a wider public in the United States are also affected. The Act therefore includes Swedish companies with shares traded in New York. [62] Outlined below is a simplified process for becoming compliant with the Sarbanes-Oxley Act according to Kaarst-Brown et al. [63]:

1. Document processes from an IT perspective. Any automated financial and operational process must be documented, and the control points identified. Review existing documentation for completeness and close any gaps.
2. Identify control points in the processes, where manual and automated portions intersect, or where two different systems are linked.
3. Test the viability of controls to demonstrate that appropriate controls are in place and work as designed. The tests need to show that the controls work in preventing errors and do exception reporting.
4. Report results from testing, including identification of any gaps. Recommendations should be given for correction of errors and closing any gaps.
5. Implement a plan of action to close gaps and eliminate known errors.
6. Select a framework to set up internal IT control systems.

[57] Damianides, M., 2005, p.
[58] Kaarst-Brown, M.L., et al., 2005, p.2
[60] Damianides, M., 2005, p.
[61] Kaarst-Brown, M.L., et al., 2005, p.1
[62] Svernlöv, C. & Blomberg, E.B., 2003, p.
[63] Kaarst-Brown, M.L., et al., 2005, p.8

There are several existing frameworks that may assist with the above; one of them is COBIT. COBIT, which stands for Control Objectives for Information and related Technology, is an accepted standard that provides a framework for users, audits, control activities, and security practices. [64] COBIT is explained in more detail in the COBIT 4.1 section.

2.6 Different frameworks for IT Governance

In part as a response to governance requirements like the Sarbanes-Oxley Act, the focus on internal controls in organizations has risen. The organization's policies, rules and procedures that are undertaken to either eliminate pure risks or reduce them to a considered level constitute the system of internal controls. Auditors have pressed for the development of frameworks of internal control objectives that allow for international standardization. [65] These IT frameworks are a set of processes, procedures, and policies that allow organizations to measure, monitor, and evaluate their situation against predefined factors, criteria or benchmarks. [66] In recent years several frameworks aimed at defining, assessing and improving the internal controls of organizations have been issued. [67] These frameworks also assist managers in the tasks of measuring and monitoring IT performance and effectiveness. [68] The sections below provide an overview of the most recognized frameworks.

ISO standards

The ISO standards are maintained by the International Organization for Standardization (ISO) and administered by internal accreditation and certification bodies. ISO is a network of 157 countries that manages the international standards, with a central secretariat in Geneva, Switzerland, that coordinates the system. [69] There are several ISO standards that are widely used by IT service providers: ISO 9000, ISO/IEC 20000, and the ISO information security management standard. These standards are described in the subsections below.

ISO 9000 Quality Management Systems

The ISO 9000 standard is widely used in the service sector and manufacturing. The standard has been implemented in organizations worldwide. The standard is made up of three sections: ISO 9000, which describes the fundamentals and vocabulary; ISO 9001, which lists the requirements for certification; and ISO 9004, which has guidelines for performance improvement. It should be noted that it is not possible to be certified to ISO 9000; the actual standard to which the quality management of an organization can be certified is ISO 9001. [70]

[64] Kaarst-Brown, M.L., 2005, p.8
[65] Ridley, G., et al., 2004, p.1
[66] Webb, P., et al., 2006, p.4
[67] Ridley, G., et al., 2004, p.1
[68] Webb, P., et al., 2006, p.
[69] itsmf, 2006, p.

ISO 9000 qualifies that an organization has carried out the correct processes regarding the management of resources, the quality of the product, the maintenance of quality records, and the requirement for continual improvement. The ISO standard is based on eight quality management principles, see figure 2.5. [71]

Figure 2.5: The eight quality management principles. Source: itsmf, 2006, p.23.

The intention of the standard is to help organizations save time, effort and money by avoiding confusion about the objectives of the audit program, conducting a combined environmental/quality audit, ensuring that the audit reports contain all the relevant information and follow the best format, and also evaluating the competence of audit team members against the appropriate criteria. [72]

ISO/IEC 20000 Information Technology Service Management Standard

ISO/IEC 20000 is a management standard that addresses the establishment and maintenance of processes and the mechanisms to ensure their relevance and improvement. The standard consists of five kinds of key processes, shown in figure 2.6. Each process has a defined objective and specification. [73]

[70] itsmf, 2006, p.
[71] Ibid.
[72] Ibid.
[73] Ibid.

Figure 2.6: Service management processes. Source: itsmf, 2006, p.47.

The standard also requires the organization to implement the Plan-Do-Check-Act methodology and apply it to their service management processes. The Plan-Do-Check-Act methodology is illustrated below.

Figure 2.7: The Plan-Do-Check-Act cycle. Source: itsmf, 2006, p.48.

- Plan: Plan service management. What needs to happen, who will do what and how?
- Do: Implement service management. Execute the planned activities.
- Check: Monitor, measure and review. Check whether the activities yield the desired result.
- Act: Continuous improvement. Adjust the plan in accordance with the checks.

ISO Information Security Management Systems

An Information Security Management System is the instrument by which the values of an organization's information assets are protected on an ongoing basis. ISO has two parts:

1. ISO 27001:2005, Information technology. Security techniques. Information security management systems. Requirements
2. ISO 17799:2005, Information technology. Security techniques. Code of practice for information security management

Although the second part of the Standard was introduced as a support document to the original code of practice, it quickly became the more important part of the two documents. The second part provides guidance for building and maintaining an organization's information security management system. 74 Measured by an organization's risk profile, the ISO provides detailed guidance for the creation of a fit-for-purpose Information Security Management System.

M_o_R Management of Risk

Risk can be defined as uncertainty of outcome of actions and events. Therefore the risk has to be assessed in respect to the combination of the likelihood of something happening and the impact which arises if it does actually happen. Management of Risk (M_o_R) is the overall process to assist in the effective control of risks and is a fundamental part of corporate governance. The aim of risk management is to identify and manage risks to best effect for increasing and protecting shareholder value within the business. For M_o_R to be successful it not only requires board level sponsorship but must also fit into the corporate culture of the business.

AS Australian Standard for Corporate Governance of IT

AS 8015 is published by Standards Australia and is prepared by thirteen committees of experts from industry, governments, consumers and other relevant sectors. The objective of AS 8015 is to provide a framework from which the directors of any organization, e.g. a small business owned and operated by one or two people, a charity, or a company listed on a stock exchange, can govern the use of IT. The basis of AS 8015 is to establish a framework for informed and timely decision making in the use of IT, at the highest level of the organization. 77 The framework described in AS 8015 consists of a model, six guiding principles, and a vocabulary. Figure 2.8 below describes the AS 8015 model. In the model, senior executives monitor and evaluate the organization's use of IT against the pressures and needs acting on it.

74 itsmf, 2006, p.
75 Ibid.
76 Ibid., p.
77 Ibid., p.

They then address any gaps by directing the development and implementation of policies and plans. 78 The six guiding principles included in the framework are listed below:

1. Establish clearly understood responsibilities for IT
2. Plan IT to best support the organization
3. Acquire IT validly
4. Ensure that IT performs well, whenever required
5. Ensure IT conforms with formal rules
6. Ensure IT respects human factors

Figure 2.8: The AS 8015 model for corporate governance of IT. Source: itsmf, 2006, p.

ITIL V.3 Information Technology Infrastructure Library

ITIL was originally developed in the late 1980s by the Central Computer and Telecommunications Agency (CCTA), which later became part of the UK Office of Government Commerce (OGC). It is based on the experience of more than 1400 organizations. ITIL version 3 is the current version and focuses on the Service Lifecycle illustrated in figure 2.9.

78 itsmf, 2006, p.
79 Ibid.
80 OGC,

Figure 2.9: ITIL Service Lifecycle. Source: OGC,

The service lifecycle consists of five phases, each with its own core book describing the phase in more detail. At the core of the service lifecycle is Service Strategy, which drives all other phases. Service Strategy is the phase of policymaking and setting objectives. Service Design provides guidance for the design and development of services and service management practices, with the most important objective being the design of new or changed services for introduction into a production environment. Service Transition provides guidance for the development and improvement of capabilities for transitioning new and changed services into live service operations. Service Operation involves coordinating and carrying out the activities and processes required to provide and manage the day-to-day operation of services. The Continual Service Improvement phase stands for learning and improving and should be applied throughout the entire service lifecycle, from Service Strategy to Service Operation. In this phase improvement programs and projects are initiated and prioritized based on the strategic objectives of the organization. 81 The ITIL service lifecycle incorporates the PDCA model for quality control; see figure 2.7 for more detail.

COBIT 4.1 Control Objectives for Information and related Technology

COBIT stands for Control Objectives for Information and related Technology and is a framework designed to control the IT function. The framework was originally developed by the Information Systems Audit and Control Foundation (ISACF), which is the research institute of the Information Systems Audit and Control Association (ISACA), but was later transferred to an independent body within ISACA named the IT Governance Institute (ITGI). The current version of COBIT (4.1) was released in
ITGI states that "The COBIT framework is a high-level process model that organizes a broad range of IT activities in 34 processes. COBIT provides a uniform structure to implement, understand, and evaluate IT performance, capabilities and risks with the primary goal of satisfying business requirements." 82 The framework appeals to different users, including executive management, business management, IT management, and auditors. 83

The IT governance focus areas describe the topics that the organization's executive management needs to address to govern IT. Figure 2.10 shows the focus areas that ITGI includes in COBIT 4.1 to describe the COBIT processes. 84

Figure 2.10: IT Governance Focus Areas. Source: ITGI, 2007, p.6.

Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.

Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

81 itsmf, 2007(a)
82 itsmf, 2006, p.
83 ITGI, 2007, p.
84 Ibid., p.6

The basic principle of the COBIT framework is represented by the COBIT cube, see figure 2.11. IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. Each of the cube's three dimensions is described in the subsections below. 85

Figure 2.11: The COBIT Cube. Source: ITGI, 2007, p.

Business Requirements

The business orientation is the main theme of COBIT, and the framework is based on the following principle: To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in, manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information. 86 Figure 2.12 below reproduces the principle above.

Figure 2.12: Basic COBIT principle. Source: ITGI, 2007, p.

85 ITGI, 2007, p.
86 Ibid., p.10

COBIT has seven control criteria that information needs to conform to in order to satisfy the business objectives. These control criteria are referred to as business requirements for information. A short description of each control criterion follows: 87

Effectiveness: Information must be delivered in a timely, correct, consistent and usable manner, as well as being relevant to the business process.
Efficiency: Provide information through the most productive and economical use of resources.
Confidentiality: Protection of sensitive information from unauthorized disclosure.
Integrity: Completeness and accuracy of information and its validity in accordance with the expectations and the values of the business.
Availability: Availability of information when required, now and in the future, and the safeguarding of necessary resources.
Compliance: Compliance with the laws, regulations and contractual arrangements.
Reliability: Provide appropriate information for management.

IT resources in COBIT

COBIT identifies and defines four IT resources that the IT organization uses to deliver its goals. The four resources are: 88

Applications: The manual procedures and automated user systems that process the information.
Information: The data in all their forms used by the business.
Infrastructure: The technology and facilities that enable the processing of applications.
People: The personnel required to plan, organize, acquire, implement, deliver, support, monitor, and evaluate the information systems and services.

Process-orientated

As mentioned earlier, COBIT has identified 34 IT processes that are generally used by organizations; however, they can be combined as required by the organization and they need not all apply. These processes have been divided into four distinct but interrelated domains, see figure 2.13. These domains are Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). 89

87 ITGI, 2007, p.
88 Ibid., p.
89 Ibid., p.

Figure 2.13: The four interrelated domains of COBIT. Source: ITGI, 2007, p.12.

The Plan and Organize domain covers strategy and tactics and deals with the identification of how IT can best contribute to the achievement of the business objectives. In order to realize the IT strategy and IT goals, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. These tasks are done in the Acquire and Implement domain, in addition to changes and maintenance of existing systems to make sure the solutions continue to meet business objectives. The third domain, Deliver and Support, is concerned with the actual delivery of required services. These required services include service delivery, management of security and continuity, service support for users, and management of data and operational facilities. Finally, the Monitor and Evaluate domain addresses performance management, monitoring of internal control, regulatory compliance, and governance. 90 Figure 2.14 below summarizes the overall COBIT framework.

For each of the IT processes COBIT provides the following core components, giving a complete picture of how to control, manage, and measure each process: 91

Process description: Control objectives describing what the process owner needs to do.
Process inputs: What the process owner needs from others.
Process outputs: What the process owner has to deliver.
Goals and metrics: Show how the process should be measured.
RACI chart: Defines what has to be delegated and to whom.
Maturity model: Shows what has to be done to improve.

The process inputs and outputs are the documents needed by and generated from the process to assure that activities are correctly executed. Figure 2.15 below shows an example of the inputs and outputs of the process Define a Strategic IT plan (PO1), i.e. the process needs cost-benefit reports from the process Manage the IT investment (PO5) and generates, among other documents, a Strategic IT plan that is needed as input in other processes.

90 ITGI, 2007, p.
91 Ibid., p.28

Figure 2.14: Overall COBIT framework. Source: ITGI, 2007, p.26.

Figure 2.15: Inputs and Outputs. Source: ITGI, 2007, p.

In COBIT the goals and metrics are defined at three levels: 92

IT goals and metrics: What the business expects from IT and how to measure it.
Process goals and metrics: What the IT process must deliver to support IT's objectives and how to measure it.
Activity goals and metrics: What needs to happen inside the process to achieve the required performance and how to measure it.

There exist two types of metrics: outcome measures, indicating whether the goals have been met, and performance indicators, indicating whether the goals are likely to be met. The outcome measures of the lower levels become performance indicators for the higher level, as illustrated by figure 2.16.

Figure 2.16: Goals and Metrics. Source: ITGI, 2007, p.31.

A RACI chart splits the process activities into four responsibility types, which are then assigned to different roles. In the COBIT framework 19 roles are defined. Figure 2.17 shows a RACI chart for process PO1.

Figure 2.17: RACI Chart. Source: ITGI, 2007, p.

92 ITGI, 2007, p.
93 ITGI, 2007, p.22

Accountable is the person who authorizes an activity and provides direction. Responsible is the person who gets the task done. Consulted is a two-way communication with those whose opinions are sought. Informed is a one-way communication with those who are kept updated. 94

The COBIT maturity model is based on a method of evaluating the organization so that it can be rated from a maturity level of non-existent (0) to optimized (5). COBIT has a generic definition for the maturity scale and a specific model for each of COBIT's 34 processes. Using the maturity models developed for each of the processes, management can identify the actual performance of the organization, the current status of the industry, the organization's target for improvement and the required growth path between as-is and to-be. This is illustrated in figure 2.18. It should be noted that the purpose of the COBIT maturity model is not to assess the level of adherence to the control objectives. Hence process maturity is not the same as process performance. 96

Figure 2.18: Graphic Representation of Maturity Models. Source: ITGI, 2007, p.

94 ITGI, 2007, p.
95 Ibid., p.
96 Ibid.

3. Method

In this chapter the approach for this study is presented. By way of introduction, the chosen project model is described, followed by a presentation of the research strategies, methods and tools used to collect data for this thesis. The chapter ends with a discussion of the selection and the validity of this study.

3.1 Project Model

In this section the project model used for this study is explained. Figure 3.1 below shows the project model and the subsections describe each of the different phases.

Figure 3.1: The different phases in the thesis project model

The Project Initiation

In the first phase of the project, the project initiation phase, the scope of the project was defined along with the delimitations. Meetings were scheduled with key project stakeholders to clarify roles and responsibilities and to set the expectations of the outcome. In this phase the project plan described here was defined. A risk analysis was made for the project and document administration routines were chosen. The project initiation phase was also used to get an overview of the field, mostly by talking to other students. This phase ended with the approval of the Project Plan.

The Theory Phase

In the theory phase the relevant literature was identified and studied. In this phase the secondary data for this thesis was gathered (see section 3.2.2). Different methods for information gathering and analysis were studied. The methods most suitable for this project were thereafter chosen. The theory section in this thesis is based on the literature study performed in this phase. This phase ended with the approval of the Evaluation Plan.

The Information Gathering Phase

In this phase organizations of interest were contacted. The IT Management role in the different organizations was identified and interviews were booked and carried through with the respondents. With the help of the IT Manager of the organization, respondents in the different

ITOMAT roles were identified in the organizations (see section 3.4). The IT manager then, with the help of the COBIT guidelines, distributed the 34 processes between the different roles depending on who was best suited to answer questions about specific COBIT processes. These respondents were then contacted and interviews were booked and carried through. Most of the primary data used in this thesis was gathered in this phase (see section 3.2.2). This phase ended with a compilation of the gathered data.

The Analysis Phase

In the analysis phase the compiled data was analyzed. Additional interviews with scientists, experts in the field and respondents that participated in the study were booked and carried through to validate the result and to help with the analysis of the data. This phase ended with the completion of a draft of the Final Report.

The Project Closure Phase

In this final phase the presentation material was created and the results were presented both at the Royal Institute of Technology (KTH) and at the office of BiTA Service Management AB. This phase ended with the approval of this Final Report by the examiner at KTH.

3.2 Data collection

3.2.1 Quantitative and Qualitative Methods

The two most common methods used in scientific research are quantitative and qualitative. Both are used when gathering empirical data and are suited for different contexts. Professor Sigmund Gronmo states that quantitative and qualitative methods are complementary and that they seldom exclude each other. He emphasizes that neither of the two approaches is better or more scientific than the other. 97 Both qualitative and quantitative methods have their advantages and disadvantages and they can both be used in the same study. 98 The difference between a quantitative and a qualitative approach is that the first approach operates with numbers and sizes, trying to put numbers on measurable and comparable objects and events according to fixed rules, while the second approach operates with meanings mediated through language and action. 99

In this study the quantitative and the qualitative approaches have been combined to get a better understanding. 100 This was done in two steps: first a quantitative approach was used, gathering data through personal interviews using the IT Organization Modeling and Assessment Tool (ITOMAT); see section 3.4 for more information about ITOMAT. Then a qualitative approach was used, with open personal interviews, to analyze the results from the first step.

97 Jacobsen, D.I., 2000, p.
98 Patton, M.Q., 1988, p.
99 Jacobsen, D.I., 2000, p.
100 Ibid., p.

3.2.2 Primary and secondary data

Secondary data is information from secondary sources and is not directly compiled by the analyst. It includes published or unpublished work and can be gathered from countless sources of publications, journals and dictionaries. 101 The gathering of new data and information is essential for scientific development. If the data gathered is used primarily as the basis for a study it is called primary data. 102

Both primary and secondary data were used in this study. The primary data is generated by the personal interviews described in section 3.3. The secondary data comes from the publications already available. The secondary data used in this study is all based on academic and scientific literature. By critically reviewing and carefully interpreting the sources of information, literature, and collected data, the aim of this report is to be as reliable as possible.

3.3 Research strategy and method

According to Yin, five major research strategies can be identified in the social sciences: experiments, surveys, archival analysis, histories, and case studies. 103 Surveys are the most popular and effective strategies in the social sciences and are used when the researcher gathers information through oral or written answers from respondents. Surveys constitute a versatile research tool, since there are relatively few areas that cannot be examined through persons answering questions about a subject or a topic. In this study a survey strategy has been used with a cross-sectional design. In a cross-sectional design the researcher gathers the information needed for the study from the respondent on a single occasion. No future follow-up is needed. 104

Personal interview was the chosen research method for this study. In a personal interview the interviewer, after agreeing on a meeting with the respondent, visits him or her and asks questions. The questionnaire should be structured and set up in advance. Personal interviews can be characterized as an expensive method that is sometimes necessary for collecting data of high quality. 105 Personal interviews are both time consuming and resource intensive. The interviews are also preceded by mail and telephone contacts, where the respondent is informed about the study and a date is set for the interview. Also the traveling to and from the respondent is an inevitable cost, in both time and money. 106

The larger advantages of personal interviews are that relatively longer questionnaires can be used and more complicated questions can be asked compared to, for example, questionnaires by post. The interviewer can use answering cards with different answering alternatives, show pictures, diagrams and other visual aids to help facilitate the replies, or use open questions where the respondent does not have answering alternatives. In addition the interviewer can keep up the interest in answering the questions throughout the interview by marking the transition between different questions. Also, purely psychologically, a respondent is more eager to please if the interviewer has taken the trouble to come and ask the questions in person. 107 Two other advantages of personal interviews worth noting are that the interviewer can clear up any ambiguity in the questions and that the interviewer can stimulate the respondent to give as complete answers as possible. 108

The disadvantages of personal interviews are, besides the time and cost issues discussed above, the risks of interview effects and prestige bias. An interview effect is when the interviewer affects the respondent illicitly by giving too much help in answering the questions and also through the choice of words and the intonation. Prestige bias is the tendency for the respondent to answer in a way that makes him or her feel better, often resulting in an overestimation in the answer.

3.4 The IT Organization Modeling and Assessment Tool (ITOMAT)

The IT Organization Modeling and Assessment Tool (ITOMAT) was used in this study. ITOMAT is based on the COBIT framework and is a tool for maturity assessment of IT governance in organizations. ITOMAT has four generic metrics inherited from the COBIT framework, called internal metrics. These internal metrics are activity execution, assigned responsibilities, documents in place, and metrics monitoring. These metrics are described below: 110

Activity execution: For each process ITOMAT lists all activities contained in that process according to the COBIT framework and allows for a maturity assessment at activity level.
Assigned responsibilities: In ITOMAT the relations connect roles with processes instead of activities, as stated in COBIT. Further, ITOMAT only has five roles, embracing the 19 roles stated in COBIT, see figure 3.2. This means that instead of mapping 19 roles to some 200 activities as in COBIT, ITOMAT maps five roles to 34 processes.
Documents in place: The documents that represent inputs and outputs for the COBIT processes are listed in ITOMAT. ITOMAT measures the number of these documents that are in place.
Metrics monitoring: The metrics that COBIT suggests for monitoring the progress and maturity of each process are the same in ITOMAT.

101 Kotler, P., 2002, p.
102 Ruane, M.J., 2006, p.
103 Yin, R.K., 1994, p.
104 Ruane, M.J., 2006, p.
105 Dahmström, K., 2000, p.
106 Ibid., p.91
107 Dahmström, K., 2000, p.
108 Ibid., p.
109 Ibid., p.
110 Simonsson, M. & Johnson, P.,

Figure 3.2: The role distribution in ITOMAT. Source: Simonsson, M., et al., 2008

Given the value of an internal metric, a maturity level is assigned, see figure 3.3. As mentioned above, ITOMAT allows for maturity assessment at activity level (activity execution) by using the maturity model for processes defined in COBIT. The maturity level for the assigned responsibilities metric depends on the number of RACI relationships specified for each process and role, and how well these are aligned to the relationships stated in COBIT. For the internal metrics documents in place and metrics monitoring, a linear assumption of COBIT's focus on quantity in documents and monitoring of metrics is used as the basis for the maturity model. 111

Figure 3.3: ITOMAT's Internal Metrics, IM, for assessment of IT governance maturity, MI. Source: Simonsson, M., et al., 2008

The maturity score of a process is calculated as the average maturity of the four internal metrics. The organization maturity can likewise be calculated as the average maturity of all 34 COBIT processes.

111 Simonsson, M., et al.,
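The aggregation described above, written out as an added example (not the thesis's or ITOMAT's own code): process maturity as the mean of the four internal metrics, organization maturity as the mean over the 34 COBIT processes, and the per-domain and total sector difference (financial services minus manufacturing) that the results chapter reports. The domain membership of the 34 processes is COBIT 4.1's own; the linear 0-5 mapping for documents in place and metrics monitoring, and all sample values, are constructed assumptions.

```python
from dataclasses import dataclass, fields
from statistics import mean

# COBIT 4.1's 34 processes grouped by domain (the membership is COBIT's own:
# PO1-PO10, AI1-AI7, DS1-DS13, ME1-ME4).
DOMAINS = {
    "PO": [f"PO{i}" for i in range(1, 11)],
    "AI": [f"AI{i}" for i in range(1, 8)],
    "DS": [f"DS{i}" for i in range(1, 14)],
    "ME": [f"ME{i}" for i in range(1, 5)],
}
ALL_PROCESSES = [p for procs in DOMAINS.values() for p in procs]


@dataclass(frozen=True)
class InternalMetrics:
    """ITOMAT's four internal metrics for one process, each on COBIT's 0-5 scale."""
    activity_execution: float
    assigned_responsibilities: float
    documents_in_place: float
    metrics_monitoring: float

    def __post_init__(self) -> None:
        for f in fields(self):
            value = getattr(self, f.name)
            if not 0.0 <= value <= 5.0:
                raise ValueError(f"{f.name} must lie on the 0-5 scale, got {value}")

    def values(self) -> list[float]:
        return [getattr(self, f.name) for f in fields(self)]


Assessment = dict[str, InternalMetrics]  # process id -> its four internal metrics


def linear_metric_level(in_place: int, expected: int) -> float:
    """Assumed linear 0-5 mapping for 'documents in place' and 'metrics monitoring'
    (the thesis only says ITOMAT uses a linear assumption; this formula is ours)."""
    if expected <= 0:
        raise ValueError("expected count must be positive")
    return 5.0 * min(in_place, expected) / expected


def process_maturity(im: InternalMetrics) -> float:
    """Process maturity is the average of the four internal metrics."""
    return mean(im.values())


def check_complete(assessment: Assessment) -> None:
    """Domain and organization scores only make sense over all 34 processes."""
    missing = [p for p in ALL_PROCESSES if p not in assessment]
    unknown = [p for p in assessment if p not in ALL_PROCESSES]
    if missing or unknown:
        raise ValueError(f"incomplete assessment: missing={missing} unknown={unknown}")


def organization_maturity(assessment: Assessment) -> float:
    """Average over all 34 processes, as the thesis states. This weights DS (13
    processes) more than ME (4); averaging the four domain values would not."""
    check_complete(assessment)
    return mean(process_maturity(assessment[p]) for p in ALL_PROCESSES)


def sector_profile(orgs: list[Assessment]) -> dict[str, float]:
    """Per-process maturity averaged over a sector's organizations, plus the
    per-domain averages and the sector total under keys 'PO', 'AI', 'DS', 'ME', 'total'."""
    if not orgs:
        raise ValueError("a sector needs at least one organization")
    for a in orgs:
        check_complete(a)
    profile = {p: mean(process_maturity(a[p]) for a in orgs) for p in ALL_PROCESSES}
    for d, procs in DOMAINS.items():
        profile[d] = mean(profile[p] for p in procs)
    profile["total"] = mean(organization_maturity(a) for a in orgs)
    return profile


def sector_difference(fin: list[Assessment], man: list[Assessment]) -> dict[str, float]:
    """Financial services minus manufacturing, per process, per domain and in total."""
    pf, pm = sector_profile(fin), sector_profile(man)
    return {k: round(pf[k] - pm[k], 2) for k in pf}


def constructed_org(level: float, overrides: "dict[str, InternalMetrics] | None" = None) -> Assessment:
    """Constructed sample organization: every process at `level` unless overridden."""
    a = {p: InternalMetrics(level, level, level, level) for p in ALL_PROCESSES}
    a.update(overrides or {})
    return a


if __name__ == "__main__":
    # Constructed sample data, not survey results: two financial organizations,
    # one of them stronger in PO3, against one manufacturing organization.
    fin = [constructed_org(3.0, {"PO3": InternalMetrics(4, 4, 4, 4)}), constructed_org(3.0)]
    man = [constructed_org(2.0)]
    diff = sector_difference(fin, man)
    for key in ("PO", "AI", "DS", "ME", "total"):
        print(f"{key:>5}: {diff[key]:+.2f}")
```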

3.5 Selection

Population

A population is the entire set of elements that the scientist wants to study. 112 When the population is known and the researcher wants to study differences or similarities between different groups, the researcher can divide the population into several strata. It should be noted that the results are then not representative for the entire population but can only be used to study differences or similarities between the different strata. 113 The population of this study is large Swedish organizations, and the strata that are compared are the financial services sector and the manufacturing sector.

Sampling method

The fulfillment of the criterion required for probability sampling could not be guaranteed in this study and hence a nonprobability sampling approach was chosen. In this approach the elements are selected from the population by some nonrandom method. This means that the probability of an element from the population being included in the sample is unknown. 114 One of the nonprobability sampling methods is quota sampling. In quota sampling the researcher first identifies the strata and then uses convenience or judgment sampling to select the required number of subjects from each stratum. In this study quota sampling was used with five organizations in each stratum.

3.6 Evaluation of the validity and reliability of the study

There are four aspects of quality that must be taken into consideration in empirical research: construct validity, internal validity, external validity, and reliability. 115 Construct validity refers to the extent to which a test measures a particular theoretical construct. Many of the phenomena studied by researchers fall into the category of not having a single, definite criterion measure or operational definition with which they can be equated. By using construct validation a complex phenomenon can be defined by showing that its meaning lies in a network of relationships among directly measurable variables. In this thesis ITOMAT has been used as a tool to assess the IT governance maturity of organizations based on COBIT's maturity model, and since ITOMAT itself is based on COBIT, the construct validity of this thesis is satisfactory.

112 Dahmström, K., 2000, p.
113 Gustavsson, B., 2004, p.
114 Bryman, A., 2002, p.
115 Yin, R.K., 1994, p.
116 Ibid., p.33

Internal validity is concerned with establishing a causal relationship as distinguished from spurious relationships, i.e. trying to determine if event X leads to event Y, while external validity refers to the degree to which generalizations can legitimately be made from the study's findings. 117

Reliability refers to the degree of absence of haphazard measurement errors in an empirical measurement. Errors could be introduced from documents when coding the original data, or for example through incorrect keystrokes. In interviews, measurement errors could occur if the respondent is tired, misunderstands the question, has trouble remembering, etcetera. 118 To raise the reliability of this study several actions were taken. Before the interviews ITOMAT was described to the respondents, and throughout the interviews the researcher made sure, by having a dialog with the respondent, that the respondent did not misunderstand the questions or start to get tired. The interviews and the coding of the data were made by the same person and the code was then triple-checked against the original documents.

117 Yin, R.K., 1994, p.
118 Gustavsson, B., 2004, p.55

4. Results

In this chapter the results from the interviews are presented. In the first section the interviewed roles for each organization are presented along with the total number of interviews conducted in each organization. The subsequent sections present the average results from financial services and manufacturing. The last section shows the difference in IT governance maturity between the two sectors.

4.1 Respondent roles and number of interviews per organization

Figure 4.1 shows the ITOMAT roles that were interviewed and the total number of interviews conducted in each organization (the financial services organizations F1-F5 and the manufacturing organizations M1-M5). Each interview took, on average, one and a half hours to conduct. Some respondents had several roles in their organization and thus the number of roles interviewed is larger than the number of interviews conducted.

Organization    Number of interviews
F1              3
F2              3
F3              4
F4              3
F5              2
M1              3
M2              3
M3              2
M4              3
M5              3

Figure 4.1: The ITOMAT roles (Executive, Business, IT management, IT operations, Compliance) that were interviewed and the total number of interviews conducted.

In the method chapter (chapter 3) the method for choosing respondents was explained. A short repetition follows below. First a respondent with the role of IT management was identified and contacted in the organization. Together with the IT manager and the COBIT guidelines, the 34 COBIT processes were divided between the ITOMAT roles, and a respondent matching each ITOMAT role was identified in the organization. Thereafter the respondents were contacted and interviewed. The roles of IT management, IT operations and Business were interviewed in all of the participating organizations.

4.2 The IT governance maturity results from each sector

In this section the results from the study are presented. Each industry sector has its own subsection with two figures. The first figure shows the average IT governance maturity (ITGM) for the COBIT domains and the second figure shows the average ITGM for each of the 34 processes. The Y-axis in the figures contains the different domains and processes described in COBIT 4.1. The X-axis shows the IT governance maturity, following the same maturity scale as COBIT, i.e. ranging from 0 to 5. In the Appendix the separate results for each organization are presented. Below is a list of COBIT's 34 processes for easy reference.

Figure 4.2: The 34 COBIT processes. Source: ITGI,

4.2.1 The results from Financial services

In this subsection the results from the financial services sector are presented, i.e. the average results from the top four banks in Sweden and one newcomer. Figure 4.3 shows the results per domain and the total average ITGM. Figure 4.4 shows the ITGM per process. In the Appendix the separate results from each organization are presented.

Figure 4.3: Financial services, results per domain and average IT governance maturity.

Figure 4.4: Financial services, results per process.

4.2.2 The results from Manufacturing

In this subsection the results from the manufacturing sector are presented, i.e. the average results from the five manufacturing organizations. Figure 4.5 shows the results per domain and the total average IT governance maturity. Figure 4.6 shows the ITGM per process. In the Appendix the separate results from each organization are presented.

Figure 4.5: Manufacturing, results per domain and average IT governance maturity.

Figure 4.6: Manufacturing, results per process.

4.3 The differences in IT governance maturity

In this section the differences in ITGM between the financial services and the manufacturing sectors are presented, i.e. the ITGM from the financial services sector minus the ITGM from the manufacturing sector. Figure 4.7 shows the results per domain and the total average ITGM. Figure 4.8 shows the ITGM value per process.

Figure 4.7: The difference in ITGM per domain and total average.

Figure 4.8: The difference in ITGM per process.

5. Discussion and conclusion

In this chapter, the results from the financial services sector, the manufacturing sector, and the IT governance maturity differences between the two sectors are discussed. Additional interviews with researchers, experts in the field, and respondents that participated in the study were conducted with the goal of finding probable causes for the differences identified. This chapter ends with a discussion about the project, and some suggestions for future research are given.

5.1 The Financial Services Sector

The average IT governance maturity (ITGM) for the financial services sector is 2.9, see figure 4.3, with the Plan and Organize domain being the most mature. As previously explained in section the Plan and Organize domain covers strategy and tactics and is concerned with identifying the way in which IT can best contribute to the achievement of business objectives. It is interesting to note that the four larger banks in Sweden all had similar ITGM while the newcomer (organization F5) had a lower ITGM; see the Appendix for the separate results from each organization. The four most mature processes in the financial services sector are Determine technological direction (PO3), Manage the IT investment (PO5), Manage IT human resources (PO7), and Ensure regulatory compliance (ME3). The high maturity of the processes in the Plan and Organize (PO) domain could perhaps be explained by the high integration of IT in critical business operations in the financial services sector in general and in banks in particular. This was illustrated by the IT manager of organization F4, who stated: "Banks are IT." This high integration between IT and business has led to banks having more structured and defined processes for determining the technological direction and managing the IT investment, resulting in higher maturity scores for processes PO3 and PO5. Because of this high integration the process for managing IT human resources is also very structured, which is reflected in the score of PO7.

The two least mature processes in figure 4.4 are Enable operation and use (AI4) and Educate and train users (DS7). These two closely linked processes both have a maturity score close to 2. The goal of process AI4 is to ensure proper use and operation of applications and infrastructure by providing documentation and training, while the goal of process DS7 is to educate and train users to ensure effective use of technology and applications and compliance with key controls on security. Hence the results show that the two processes with the lowest maturity scores both involve the education, training and documentation needed to ensure proper and effective use of technology and applications by users. So even though the organizations in the financial services sector have a high maturity in the management of IT human resources (PO7), their maturity in the processes concerning education and training of users is low.

Financial services organizations, especially banks, are under constant supervision and monitoring by the Swedish Financial Supervisory Authority. It is therefore business critical to have structured and defined processes to ensure IT compliance with laws and regulations, resulting in a high maturity score for the process Ensure regulatory compliance (ME3).

5.2 The Manufacturing sector

The average ITGM of IT processes in the manufacturing sector is 2.4, see figure 4.5. The least mature domain is Monitor and Evaluate. This domain addresses management's supervision of the organization's control processes, and the independent assurance provided by internal and external audit. According to the IT manager of organization M1 there exists a tolerance level for IT errors in the culture of manufacturing organizations. There are of course some areas in manufacturing where this tolerance does not exist, often in the core of the business (the production) or when dealing with dangerous materials, but in general there is a culture in the manufacturing industry tolerating smaller mistakes from IT. This was acknowledged by several of the respondents. The Executive role of organization M3 stated another factor affecting the Monitor and Evaluate domain, namely that the credibility and public image of a manufacturing organization is not as vital as it is for the organizations in the financial services sector. Also, the manufacturing organizations are not supervised and monitored as intensely by the authorities as the financial services organizations are.

The two processes with the lowest maturity scores in figure 4.6 are Ensure continuous service (DS4) and Monitor and evaluate internal control (ME2). DS4 is concerned with the development, maintenance and testing of IT continuity plans. The process minimizes the probability and impact of a major IT service interruption on key business functions and processes. ME2 has the goal of monitoring and evaluating internal control to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations. The low maturity of processes DS4 and ME2 could perhaps be explained by the above-described tolerance level in the culture of manufacturing organizations.

5.3 Analyzing the differences

As can be read from figure 4.7, the financial services sector is on average almost half a point more mature than the manufacturing sector regarding IT governance. The largest average domain differences are found in the Monitor and Evaluate domain and the Plan and Organize domain. Figure 4.8 shows the difference between the two sectors in more detail. As previously mentioned, additional interviews were carried out with researchers and experts in the field, including some of the respondents, to give more substance to this analysis. These interviews had the aim of analyzing the results and trying to explain the differences. To limit the length of the interviews only a few processes were chosen and discussed. These chosen processes have a difference in maturity value of at least 0.75 between the sectors, resulting in a difference of one (1) when only whole and half maturity values are used. The chosen processes were Define a strategic IT plan (PO1), Manage the IT investment (PO5), Management of IT human resources (PO7), Assess and manage IT risks (PO9), Manage projects (PO10), Ensure continuous service (DS4), Ensure system security (DS5), Monitor and evaluate internal control (ME2), and Ensure regulatory compliance (ME3).

One explanation for the high maturity in the financial services sector for the process Define a strategic IT plan (PO1) could be the higher integration between business and IT in the sector, as mentioned previously. According to the IT manager of organization F3, the business strategy only becomes concrete when it is translated into IT strategy. This high integration of IT in critical business operations means that the financial services sector needs a more structured process than the manufacturing sector for defining a strategic IT plan (PO1), resulting in a high maturity score. This high integration between IT and business also means that the average IT employee in the financial services sector influences the business more directly than the average IT employee in the manufacturing sector. This creates a more structured and defined process for the Management of IT human resources (PO7) in the financial services sector.

The differences in maturity for the processes Assess and manage IT risks (PO9) and Ensure system security (DS5), where the financial services sector is more mature than the manufacturing sector, could have their explanations in the business models of the organizations. According to the Business role of organization F2, the organizations in the financial services sector, especially banks, operate on risk, and risk is built into the business model. This makes banks dependent on trust and goodwill, which is generated from the public's faith in banks.
If the IT systems are not safe, it could lead to loss of credibility, resulting in loss of trust from the public. This is something that most respondents with the Business role agreed on.

It is in general critical for organizations in the financial services sector to develop new products in the form of new services. But because all the financial organizations, and especially the banks, offer almost the same services, it is difficult to differentiate through products. This is not the case in the manufacturing sector, where product differentiation is very common. Time-to-market is therefore very important for the financial services organizations. The management in the financial services sector also invests heavily in IT projects, for two primary reasons. Firstly, the high integration between IT and business in the financial services sector, previously mentioned, leads management to prioritize IT more often than management in the manufacturing sector does. Secondly, IT is the largest and primary marketing channel for organizations in the financial services sector, something that all of the respondents agreed upon. The big investments in IT result in the financial services organizations having a wide variety of IT systems. Because of this variety, a range of IT systems gets involved whenever a new project is started, so experts on many different systems have to take part in new projects. This habit of working in large project groups, the importance of time-to-market, and the amount of investment involved in IT result in very structured and disciplined working methods regarding projects in the financial services organizations. The high maturity of process Manage projects (PO10) and process Manage the IT investment (PO5) could perhaps be explained by this.

The single largest process maturity difference between the financial services sector and the manufacturing sector was found in the process Ensure continuous service (DS4). The primary resource for an organization in the financial services sector, especially for banks, is the public's image of the organization and the trust of the clientele. Banks turn directly to the public as their customers, which often is not the case in the manufacturing sector. Another important factor is the changed behavior of the customers in the financial services sector. Nowadays most of these customers only use IT services, something that is not as common for the customers in the manufacturing sector. The services banks offer are used continuously, and customers rely on the services working twenty-four seven. If the services do not work the customer could lose faith in the bank, resulting in loss of goodwill. Because of the time value of money, not only the bank but also its customers lose money when systems are down (e.g. when buying and selling bonds). As stated by the IT manager of F5, it is difficult to regain the trust of a customer who has lost money because of a system failure in a bank. This may partly explain the large maturity difference in process Ensure continuous service (DS4) between the two sectors.

The processes Monitor and evaluate internal control (ME2) and Ensure regulatory compliance (ME3) also show large maturity differences between the sectors. Financial services organizations in general, and banks in particular, are under constant supervision and monitoring by the Swedish Financial Supervisory Authority, and it is important to comply with the laws and regulations that exist. It is therefore imperative to have good internal control; not only because the Swedish Financial Supervisory Authority requests it but also to ensure that the important trust and goodwill from the public is not lost.
Credibility is after all the primary resource for the banks, as mentioned previously, unlike in the manufacturing sector where, according to some of the respondents, there exists a tolerance level for errors in some areas of IT and credibility towards the public is not as vital.

5.4 Discussion about the project and suggestions for improvement

Even though this thesis was well thought through and planned before the data was gathered, there is always room for improvement. Below I will summarize some of the weaknesses in this project and give examples of what could have been done differently.

It should be noted that only one person was interviewed for each ITOMAT role. A higher number of respondents for each role would perhaps give a more accurate result. Also, this study relies entirely on the truthfulness of the respondents, even though several actions were taken to raise the validity and reliability of this thesis, as mentioned in the method section. A more accurate, but much more time-consuming and costly, method for doing this study would be to observe the organizations in question and get access to their documents and metrics. The mapping of the ITOMAT roles to an organization was also difficult, and even the IT managers of the organizations had a hard time choosing the best respondent to answer each specific COBIT process. This mapping could perhaps have been done more accurately if access had been granted to documents from inside the organization. The time and cost constraints of this thesis were the primary reason for the weaknesses mentioned.

5.5 Conclusions

In this study the IT governance maturity was compared between the financial services sector and the manufacturing sector. The results show that there exists a difference in IT governance maturity between the two sectors and that the organizations in the financial services sector on average are more mature, regarding IT governance, than organizations in the manufacturing sector. The processes showing the largest differences between the two sectors, with the financial services sector being more mature, are: Define a strategic IT plan (PO1), Manage the IT investment (PO5), Management of IT human resources (PO7), Assess and manage IT risks (PO9), Manage projects (PO10), Ensure continuous service (DS4), Ensure system security (DS5), Monitor and evaluate internal control (ME2), and Ensure regulatory compliance (ME3). Some of the factors found in this study that perhaps could explain these differences are listed below:

- The financial services sector is more regulated than the manufacturing sector, mainly because of the monitoring and supervision of the Swedish Financial Supervisory Authority.
- The financial services organizations offer the same products to the same customers, unlike in the manufacturing sector where organizations can differentiate themselves through their products.
- The organizations in the financial services sector use IT as the primary marketing channel, which often is not the case in the manufacturing sector.
- The customers of the organizations in the financial services sector demand continuous twenty-four seven service. If there is a problem with the IT services of a financial services organization, it could result in not only the organization losing money but also the customer, due to the time value of money.
- Credibility is the primary resource for financial services organizations, especially for banks, and it is therefore vital what the public thinks about their security etcetera.

References

Bird, F., Good governance: A philosophical discussion of the responsibilities and practices of organizational governors, Canadian Journal of Administrative Sciences, Vol. 18, No. 4, p.
Brown, E.A. & Grant, G.G., Framing the frameworks: A review of IT governance research, Communications of the Association for Information Systems, Vol. 15, p.
Bryman, A., Samhällsvetenskapliga metoder, Liber ekonomi.
Dahmström, K., Från datainsamling till rapport: att göra en statistisk undersökning, third edition, Studentlitteratur.
Damianides, M., Sarbanes-Oxley and IT governance: new guidance and IT control and compliance, IS Management, Vol. 22, No. 1, p.
Gill, M., Corporate Governance after Enron and World Com: Applying Principles of Results-Based Governance, Proceedings of Insight Conference on Corporate Governance, Calgary, Synergy Associates, Inc.
Grembergen, V.W., Haes, D.S. & Guldentops, E., Structures, Processes and Relational Mechanisms for IT Governance, in Grembergen, V.W. (Ed.), Strategies for Information Technology Governance, Idea Group Publishing.
Guldentops, E., Governing Information Technology through COBIT, in Grembergen, V.W. (Ed.), Strategies for Information Technology Governance, Idea Group Publishing.
Gustavsson, B., Kunskapande metoder inom samhällsvetenskapen, Studentlitteratur.
Haes, D.S. & Grembergen, V.W., Analysing the Relationship Between IT Governance and Business/IT Alignment Maturity, Proceedings of the 41st Hawaii International Conference on System Sciences.
ITGI, IT Governance Global Status Report, IT Governance Institute.
ITGI, COBIT 4.1, IT Governance Institute.
itsmf, Frameworks for IT Management, The IT Service Management Forum.
itsmf, 2007(a), IT Service Management Based on ITIL V3: A Pocket Guide, The IT Service Management Forum.
itsmf, 2007(b), IT Governance based on COBIT 4.0: A Management Guide, The IT Service Management Forum.
Jacobsen, D.I., Vad, hur och varför?, Studentlitteratur.
Kaarst-Brown, M.L. & Shirley, K., IT Governance and Sarbanes-Oxley: The latest sales pitch or real challenges for the IT Function?, Proceedings of the 38th Hawaii International Conference on System Sciences.
Korac-Kakabadse, N. & Kakabadse, A., IS/IT governance: Need for an integrated model, Corporate Governance, Vol. 1, No. 4, p.
Kotler, P., Kotlers Marknadsföring: Att skapa, vinna och dominera marknader, Upplaga 1:2, Liber ekonomi.
Lee, C-H., Lee, J-H., Park, J-S. & Jeong, K-Y., A Study of the Causal Relationship between IT Governance Inhibitors and Its Success in Korea Enterprises, Proceedings of the 41st Hawaii International Conference on System Sciences.
OGC, The Official Introduction to the ITIL Service Lifecycle, Office of Government Commerce.
Patton, M.Q., Qualitative Evaluation Methods, Sage Publications Inc.
Peterson, R.R., Integration Strategies and Tactics for Information Technology Governance, in Grembergen, V.W. (Ed.), Strategies for Information Technology Governance, Idea Group Publishing.
Ruane, M.J., A och O i forskningsmetodik, Studentlitteratur, Lund.
Ridley, G., Young, J. & Carroll, P., COBIT and its Utilization: A framework from the literature, Proceedings of the 37th Hawaii International Conference on System Sciences.
The Swedish Bankers Association, June, Banker i Sverige: Faktablad om svensk bankmarknad.
Sallé, M., IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing, HP Labs Technical Report HPL.
Simonsson, M. & Johnson, P., The IT organization modeling and assessment tool: Correlating IT governance maturity with the effect of IT, Proceedings of the 41st Hawaii International Conference on System Sciences.
Svernlöv, C. & Blomberg, E.B., Sarbanes-Oxley Act: USA:s hårda svar på redovisningsskandalerna, Balans, s.
Webb, P., Pollard, C. & Ridley, G., Attempting to Define IT Governance: Wisdom or Folly?, Proceedings of the 39th Hawaii International Conference on System Sciences.
Weill, P. & Ross, J.W., IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press.
Weill, P., Don't Just Lead, Govern: How Top-Performing Firms Govern IT, MIS Quarterly Executive, Vol. 3, No. 1, p.
Yayla, A.A. & Hu, Q., Determinants of CIO Compensation Structure and Its Impact on Firm Performance, Proceedings of the 41st Hawaii International Conference on System Sciences.
Yin, R.K., Case Study Research: Design and Methods, Second edition, Sage Publications.
Zhang, I.X., Economic consequences of the Sarbanes-Oxley Act of 2002, Journal of Accounting and Economics, No. 44, p.

Appendix

Financial Organization F1

Organization F1 is one of the top four bank groups in Sweden.[119] The organization has over 1000 employees at multiple sites around Sweden. Presented below are the results for organization F1. Figure A.1 shows the results per domain and the total average IT governance maturity value. Figure A.2 shows the maturity value per process.

Figure A.1: Organization F1, results per domain and the total IT Governance Maturity.

Figure A.2: Organization F1, results per process.

[119] The Swedish Bankers Association, 2006, p.4

Financial Organization F2

Organization F2 is also one of the top four bank groups in Sweden.[120] The organization has over 1000 employees at multiple sites around Sweden. Presented below are the results for organization F2. Figure A.3 shows the results per domain and the total average IT governance maturity value. Figure A.4 shows the maturity value per process.

Figure A.3: Organization F2, results per domain and the total IT Governance Maturity.

Figure A.4: Organization F2, results per process.

[120] The Swedish Bankers Association, 2006, p.4

Financial Organization F3

Organization F3 is the third organization in this study belonging to the top four bank groups in Sweden.[121] The organization has over 1000 employees at multiple sites around Sweden. Presented below are the results for organization F3. Figure A.5 shows the results per domain and the total average IT governance maturity value. Figure A.6 shows the maturity value per process.

Figure A.5: Organization F3, results per domain and the total IT Governance Maturity.

Figure A.6: Organization F3, results per process.

[121] The Swedish Bankers Association, 2006, p.4


More information

What Should IS Majors Know About Regulatory Compliance?

What Should IS Majors Know About Regulatory Compliance? What Should IS Majors Know About Regulatory Compliance? Working Paper Series 08-12 August 2008 Craig A. VanLengen Professor of Computer Information Systems/Accounting Northern Arizona University The W.

More information

IT Compliance 24.09.2007. After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM)

IT Compliance 24.09.2007. After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM) IT Compliance 24.09. AHS After Hours Seminar Zurich Improving IT Risk & Compliance Management (RCM) Bruno J. Wiederkehr Member of the Board ISACA Switzerland Chapter Agenda 1. Understanding the RCM Requirements

More information

A Risk-Based Audit Strategy November 2006 Internal Audit Department

A Risk-Based Audit Strategy November 2006 Internal Audit Department Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal

More information

Development, Acquisition, Implementation, and Maintenance of Application Systems

Development, Acquisition, Implementation, and Maintenance of Application Systems Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of

More information

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT REPORT JUNE 2010 TABLE OF CONTENTS EXCUTIVE SUMMARY... 3 1 INTRODUCTION... 5 1.1 AUDIT OBJECTIVE. 5 1.2 SCOPE...5 1.3 SUMMARY

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

Quick Guide: Meeting ISO 55001 Requirements for Asset Management

Quick Guide: Meeting ISO 55001 Requirements for Asset Management Supplement to the IIMM 2011 Quick Guide: Meeting ISO 55001 Requirements for Asset Management Using the International Infrastructure Management Manual (IIMM) ISO 55001: What is required IIMM: How to get

More information

IT Governance Dr. Michael Shaw Term Project

IT Governance Dr. Michael Shaw Term Project IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai gtsai2@uiuc.edu May 3 rd, 2007 1 Table of Contents: Abstract...3

More information

Information Management

Information Management G i Information Management Information Management Planning March 2005 Produced by Information Management Branch Open Government Service Alberta 3 rd Floor, Commerce Place 10155 102 Street Edmonton, Alberta,

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface. iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management

More information

ITIL Service Lifecycles and the Project Manager

ITIL Service Lifecycles and the Project Manager 1 ITIL Service Lifecycles and the Project Manager The intersection of IT Service and Project Delivery Presented to: Kansas City Mid-America PMI Chapter Mark Thomas January 17, 2011 1 Agenda 2 Introduction

More information

Surviving an Identity Audit

Surviving an Identity Audit What small and midsize organizations need to know about the identity portion of an IT compliance audit Whitepaper Contents Executive Overview.......................................... 2 Introduction..............................................

More information

ASAE s Job Task Analysis Strategic Level Competencies

ASAE s Job Task Analysis Strategic Level Competencies ASAE s Job Task Analysis Strategic Level Competencies During 2013, ASAE funded an extensive, psychometrically valid study to document the competencies essential to the practice of association management

More information

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

Enhancing IT Governance, Risk and Compliance Management (IT GRC) Enhancing IT Governance, Risk and Compliance Management (IT GRC) Enabling Reliable eservices Tawfiq F. Alrushaid Saudi Aramco Agenda GRC Overview IT GRC Introduction IT Governance IT Risk Management IT

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Special Purpose Reports on the Effectiveness of Control Procedures

Special Purpose Reports on the Effectiveness of Control Procedures Auditing Standard AUS 810 (July 2002) Special Purpose Reports on the Effectiveness of Control Procedures Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation

More information

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000 Preparation Guide Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000 Edition June 2015 Copyright 2015 EXIN All rights reserved. No part of this publication may be published,

More information

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013 Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities

More information

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp. Introduction: As lawyers, particularly real estate

More information

Combine ITIL and COBIT to Meet Business Challenges

Combine ITIL and COBIT to Meet Business Challenges Combine ITIL and COBIT to Meet Business Challenges By Peter Hill, Director, IT Governance Network, and Ken Turbitt, Best Practices Director, BMC Software BEST PRACTICES WHITE PAPER Table of Contents ABSTRACT...

More information

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material,

More information

Revised October 2013

Revised October 2013 Revised October 2013 Version 3.0 (Live) Page 0 Owner: Chief Examiner CONTENTS: 1. Introduction..2 2. Foundation Certificate 2 2.1 The Purpose of the COBIT 5 Foundation Certificate.2 2.2 The Target Audience

More information

Balanced Scorecard; a Tool for Measuring and Modifying IT Governance in Healthcare Organizations

Balanced Scorecard; a Tool for Measuring and Modifying IT Governance in Healthcare Organizations Balanced Scorecard; a Tool for Measuring and Modifying IT Governance in Healthcare Organizations Ehsan Borousan, Roozbeh Hojabri, Mahmoud Manafi and Aliread Hooman Abstract Nowadays healthcare organizations

More information

White Paper. Imperva Data Security and Compliance Lifecycle

White Paper. Imperva Data Security and Compliance Lifecycle White Paper Today s highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations.

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

Based on 2008 Survey of 255 Non-IT CEOs/Executives

Based on 2008 Survey of 255 Non-IT CEOs/Executives Based on 2008 Survey of 255 Non-IT CEOs/Executives > 50% Ranked ITG as very important > 75% of businesses consider ITG to be an integral part of enterprise governance, but the overall maturity level is

More information

Audit of the Policy on Internal Control Implementation

Audit of the Policy on Internal Control Implementation Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate

More information

An IT Governance Framework for Universities in Spain

An IT Governance Framework for Universities in Spain An IT Governance Framework for Universities in Spain Antonio Fernández 1 and Faraón Llorens 2 1 Dpto. Lenguajes y Computación, Universidad de Almería, Crta. Sacramento s/n La Cañada de San Urbano, 04120

More information

Risk Management in IT Governance Framework

Risk Management in IT Governance Framework Risk Management in IT Governance Framework Mirela GHEORGHE 1 ABSTRACT The concept of governance has an already old contour: the system by which business corporations are directed and controlled. The most

More information

ISO 27001: Information Security and the Road to Certification

ISO 27001: Information Security and the Road to Certification ISO 27001: Information Security and the Road to Certification White paper Abstract An information security management system (ISMS) is an essential part of an organization s defense against cyberattacks

More information

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page

More information

In the launch of this series, Information Security Management

In the launch of this series, Information Security Management Information Security Management Programs: Operational Assessments Lessons Learned and Best Practices Revealed JUSTIN SOMAINI AND ALAN HAZLETON As the authors explain, a comprehensive assessment process

More information

AEROSPACE STANDARD. Quality Management Systems - Requirements for Aviation, Space and Defense Organizations RATIONALE

AEROSPACE STANDARD. Quality Management Systems - Requirements for Aviation, Space and Defense Organizations RATIONALE AEROSPACE STANDARD AS9100C Issued 1999-11 Revised 2009-01 Superseding AS9100B Quality Management Systems - Requirements for Aviation, Space and Defense Organizations RATIONALE This standard has been revised

More information

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,

More information

Effectively Using CobiT in IT Service Management

Effectively Using CobiT in IT Service Management Effectively Using CobiT in IT Service Management Crown copyright material is reproduced with the permission of the Controller of HMSO and Queen s Printer for Scotland. ITIL is a Registered Trade Mark of

More information

Beyond Mandates: Getting to Sustainable IT Governance Best Practices. Steve Romero PMP, CISSP, CPM IT Governance Evangelist

Beyond Mandates: Getting to Sustainable IT Governance Best Practices. Steve Romero PMP, CISSP, CPM IT Governance Evangelist Beyond Mandates: Getting to Sustainable IT Governance Best Practices Steve Romero PMP, CISSP, CPM IT Governance Evangelist Agenda > IT Governance Definition > IT Governance Principles > IT Governance Decisions

More information

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg. Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1

More information

POLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization

POLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization POLICY Number: 7311-10-005 Title: Enterprise Risk Management Authorization [ ] President and CEO [ X] Vice President, Finance and Corporate Services Source: Director, Enterprise Risk Management Cross Index:

More information

Achieving Business Imperatives through IT Governance and Risk

Achieving Business Imperatives through IT Governance and Risk IBM Global Technology Services Achieving Business Imperatives through IT Governance and Risk Peter Stremus Internet Security Systems, an IBM Company Introduction : Compliance Value Over the past 15 years

More information

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take

More information

Internet Applications and Web Development

Internet Applications and Web Development Internet Applications and Web Development Fundamentals Program Standard The approved program standard for the Internet Applications and Web Development Fundamentals program of instruction leading to an

More information

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security

More information

International Workshop Agreement 2 Quality Management Systems Guidelines for the application of ISO 9001:2000 on education.

International Workshop Agreement 2 Quality Management Systems Guidelines for the application of ISO 9001:2000 on education. ISO 2002 All rights reserved ISO / IWA 2 / WD1 N5 Date: 2002-10-25 Secretariat: SEP-MÉXICO International Workshop Agreement 2 Quality Management Systems Guidelines for the application of ISO 9001:2000

More information

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first

More information

Methods Commission CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS. 30, rue Pierre Semard, 75009 PARIS

Methods Commission CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS. 30, rue Pierre Semard, 75009 PARIS MEHARI 2007 Overview Methods Commission Mehari is a trademark registered by the Clusif CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS 30, rue Pierre Semard, 75009 PARIS Tél.: +33 153 25 08 80 - Fax: +33

More information

Recommendation for IT Governance Using the COBIT 4.1 Framework

Recommendation for IT Governance Using the COBIT 4.1 Framework Recommendation for IT Governance Using the COBIT 4.1 Framework William F. Slater, III, MBA, M.S., PMP, CISSP, CISA Week 7 Assignment CYBR 615 Cybersecurity Governance and Compliance January 27, 2013 January

More information

ITAG RESEARCH INSTITUTE

ITAG RESEARCH INSTITUTE ITAG RESEARCH INSTITUTE Practices in IT Governance and Business/IT Alignment By Steven De Haes, Ph.D., and Wim Van Grembergen, Ph.D. In many organisations, information technology (IT) has become crucial

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT

More information

RISK MANAGEMENT IN A FOR-

RISK MANAGEMENT IN A FOR- RISK MANAGEMENT IN A FOR- PROFIT ORGANISATION 1 OBJECTIVES Explain the risk management framework The underlying process and cycle, and resources and people involved The framework can be applied in for

More information

Information Technology Governance in the Malaysian Electronics Manufacturing Industry

Information Technology Governance in the Malaysian Electronics Manufacturing Industry 138 Information Technology Governance in the Malaysian Electronics Manufacturing Industry Khong Sin Tan, Multimedia University, Melaka, Malaysia, kstan@mmu.edu.my Uchenna Cyril Eze, Multimedia University,

More information

Corporate Governance, Internal Control and Compliance

Corporate Governance, Internal Control and Compliance Corporate Governance, Internal Control and Compliance Christer Magnusson September 2007 - From an Information Security Perspective The report is commissioned by the Confederation of Swedish Enterprise

More information

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo IT Governance and Control: An Analysis of CobIT 4.1 Prepared by: Mark Longo December 15, 2008 Table of Contents Introduction Page 3 Project Scope Page 3 IT Governance.Page 3 CobIT Framework..Page 4 General

More information

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.

More information

Generally Accepted Recordkeeping Principles

Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles Information Governance Maturity Model Information is one of the most vital strategic assets any organization possesses. Organizations depend on information to

More information

Outsourcing and Information Security

Outsourcing and Information Security IBM Global Technology Services Outsourcing and Information Security Preparation is the Key However ultimately accountability cannot be outsourced February 2009 page 2 1. Introduction 3 1.1 Reason for outsourcing

More information

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010 Public Record Office Victoria PROS 10/10 Strategic Management Guideline 5 Records Management Strategy Version Number: 1.0 Issue Date: 19/07/2010 Expiry Date: 19/07/2015 State of Victoria 2010 Version 1.0

More information

Strategy and Tactics to Achieve Effective IT Governance

Strategy and Tactics to Achieve Effective IT Governance Strategy and Tactics to Achieve Effective IT Governance By Kerry Litten BT Senior Principal BT Compute Services that adapt Introduction IT governance is currently a hot topic and has been for some time.

More information

IT Service Desk Health Check & Action Plan

IT Service Desk Health Check & Action Plan IT Service Desk Health Check & Action Plan Version: 1.0 Date: April, 2003 Authors: Fatima Cabral, Gary Case, David Ratcliffe Pink Elephant Leading the Way in IT Management Best Practices www.pinkelephant.com

More information

ITAG RESEARCH INSTITUTE

ITAG RESEARCH INSTITUTE ITAG RESEARCH INSTITUTE Best Practices in IT governance and alignment Steven De Haes Wim Van Grembergen University of Antwerp Management School IT governance is high on the agenda, but many organizations

More information

Governance SPICE. ISO/IEC 15504 for Internal Financial Controls and IT Management. By János Ivanyos, Memolux Ltd. (H)

Governance SPICE. ISO/IEC 15504 for Internal Financial Controls and IT Management. By János Ivanyos, Memolux Ltd. (H) Governance SPICE ISO/IEC 15504 for Internal Financial Controls and IT Management By János Ivanyos, Memolux Ltd. (H) 1. Evaluating Internal Controls against Governance Frameworks Corporate Governance is

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information