IT governance in Brazil:



Similar documents
BADM 590 IT Governance, Information Trust, and Risk Management

Trustworthy Computing Spring 2006

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

The Importance of IT Controls to Sarbanes-Oxley Compliance

Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia

IT Governance. Key Initiative Overview

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

ITIL. Lifecycle. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

IT Governance using COBIT implemented in a High Public Educational Institution A Case Study

Executive's Guide to

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

CADMC 2013 GUIDELINES FOR THE PROPOSAL OF A SYSTEM OF DESIGN MANAGEMENT INDICATORS IN PRODUCT DEVELOPMENT COMPANIES CAMBRIDGE

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Balanced Scorecard; a Tool for Measuring and Modifying IT Governance in Healthcare Organizations

Based on 2008 Survey of 255 Non-IT CEOs/Executives

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Gobierno de TI Enfrentando al Reto. IT Governance Facing the Challenge. Everett C. Johnson, CPA International President ISACA and ITGI

GLOBAL STANDARD FOR INFORMATION MANAGEMENT

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

Beyond Mandates: Getting to Sustainable IT Governance Best Practices. Steve Romero PMP, CISSP, CPM IT Governance Evangelist

IT Governance Regulatory. P.K.Patel AGM, MoF

Global Technology Audit Guide. Auditing IT Governance

Revised October 2013

A Framework for a BPM Center of Excellence

ASSESSMENT OF THE IT GOVERNANCE PERCEPTION WITHIN THE ROMANIAN BUSINESS ENVIRONMENT

Assessing Your Information Technology Organization

The Role of ECM in IT Governance

IT Service Management ITIL, COBIT

GOVERNANCE OF INFORMATION TECHNOLOGY IN HIGHER EDUCATION

INFORMATION TECHNOLOGY FLASH REPORT

Program Management Professional (PgMP) Examination Content Outline

IT Governance isn t one thing, it s everything. Steve Romero PMP, CISSP, CCP

Maximizing Your IT Value with Well-Aligned Governance August 3, 2012

Practical Approaches to Achieving Sustainable IT Governance

Moving Forward with IT Governance and COBIT

A common core ITIL Version 3.0 and CMMi-SVC

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

TECHNOLOGY STRATEGY AUDIT

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

CLASSIFICATION SPECIFICATION FORM

ITAG RESEARCH INSTITUTE

Outsourcing & Regulatory Compliance Risks

BEST PRACTICES. March 29, 2005 IT Governance Framework. by Craig Symons. Helping Business Thrive On Technology Change

The Information Security Management System According ISO The Value for Services

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

IT Governance Dr. Michael Shaw Term Project

Certified Software Quality Assurance Professional VS-1085

IT GOVERNANCE PANEL BRING VALUE BY AUDITING IT GOVERNANCE GET THE

Cloud Computing. Key Initiative Overview

Dr. Gad J. Selig, PMP, COP Managing Partner, GPS Group, Inc., Director, Technology Management & Dual Graduate Business Degree Programs & Associate

COBIT 4.1 TABLE OF CONTENTS

Electronic Procurement Allow for Inspection By Society

Implementing COBIT based Process Assessment Model for Evaluating IT Controls

GAIA Service Catalogs: A Framework for the Construction of IT Service Catalogs

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

The Role of Internal Audit In Business Continuity Planning

CONSULTING SERVICES Managed IT services

Hans Bos Microsoft Nederland.

IS Management, ITIL, ISO, COBIT...

Proceedings of the 34th Hawaii International Conference on System Sciences

IT Compliance After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM)

Integrated Information Management Systems

Incorporate CMMI with Corporate Governance Using Enterprise Software Change Management Solutions

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

A FRAMEWORK FOR INTEGRATING SARBANES-OXLEY COMPLIANCE INTO THE SOFTWARE DEVELOPMENT PROCESS

How To Improve Your Business

Application Overhaul. Key Initiative Overview

What Should IS Majors Know About Regulatory Compliance?

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

10 Best-Selling Modules For Home Information Technology Professionals

The Future of Best Practices in IT Service Management - ITIL Version 3 Explained

Getting In-Control - Combining CobiT and ITIL for IT Governance and Process Excellence. Executive Summary: What is the business problem?

IT Governance: framework and case study. 22 September 2010

ITAG RESEARCH INSTITUTE

Strategy and Tactics to Achieve Effective IT Governance

ENTERPRISE RISK MANAGEMENT FOR BANKS

Contract management roles and responsibilities

Designing and Implementing Cloud Governance: Cloud, and Cloud Governance, are Emerging Capabilities

How To Improve Your Business Recipe Cards

Business philosophy 28 Ultrapar Annual Report 2007

Internal Control over Financial Reporting Guidance for Smaller Public Companies

ITIL's IT Service Lifecycle - The Five New Silos of IT

Data Governance Implementation

A Scorecard Framework Proposal for Improving Software Factories Sustainability: A Case Study of a Spanish Firm in the Financial Sector

Governance SPICE. ISO/IEC for Internal Financial Controls and IT Management. By János Ivanyos, Memolux Ltd. (H)

COBIT Helps Organizations Meet Performance and Compliance Requirements

2009 Solvay Brussels School and IT Governance institute

MarketScope for IT Governance, Risk and Compliance Management, 2008

How to Design and Manage ITIL

Achieving Business Imperatives through IT Governance and Risk

Transcription:

Article IT governance in Brazil: does it matter?

Authors Prof. Dr. Guilherme Lerch Lunardi, Universidade Federal do Rio Grande (FURG), Brazil. IT governance in Brazil Prof. Dr. Joâo Luiz Becker, Universidade Federal do Rio Grande do Sul (UFRGS), Porto Alegre, Brazil. Prof. Dr. Antonio Carlos Gastaud Maçada, Universidade Federal do Rio Grande do Sul (UFRGS), Porto Alegre, Brazil. IT strategic planning (ITSP) is an important IT management tool because it can be used to formally define the means of aligning IT with the business objectives. IT governance has been receiving increasing attention in both academic and professional literature in recent years. This is a response to the changing role of the IT function within organizations and, consequently, the need to ensure that IT is being appropriately managed. In order to strategically drive and control this function, the principles of corporate governance are applied. There are two key issues to consider: the value IT delivers to an organization; and the control and mitigation of IT-related risks. Most of the rules are based on common sense, standardization, and leading practices that are designed to efficiently and effectively carry out the IT-function. There are a number of studies that show that companies with good IT governance models generate higher returns on their IT investments than their competitors, in particular, because they make better ITrelated decisions. Committees, budgeting processes, approvals, etc., are just some of the IT governance mechanisms that encourage behavior consistent with the organization s mission and culture. Lately, business magazines like Computerworld, CIO and InformationWeek have featured some high-profile corporate examples of successful IT governance. However, there is still not enough quality scientific research to confirm the effectiveness of IT governance in achieving better financial performance. Although it is not possible to state conclusively that enhanced governance leads to better financial performance, a recent study by Weill and Ross asserted that the two measures correlate quite well. The authors analyzed 256 companies worldwide during the period 1999 to 2003, showing that firms with mature IT governance had more than 25% higher profits than firms that had poor governance, but the same strategic objectives. There is a clear need for more in-depth studies into the impact of IT governance, especially because, in addition to the acquisition and maintenance cost of IT infrastructure, companies have spent large sums of money on consultancy services, certifications, training and software specifically designed for IT governance. In order to obtain a better understanding of the effects of IT governance on organizational performance, we analyzed the main IT governance mechanisms adopted by Brazilian companies listed on the São Paulo Stock Exchange (BOVESPA) and their impact on IT management and organizational performance. Firstly, we identified those Brazilian companies that formally apply IT governance practices, using two distinct strategies: Search and analysis of electronic press releases (e.g., announcements, interviews, articles, cases, institutional websites, etc.,) determining the company name, IT governance mechanisms adopted and the exact time period the IT governance process began. Emails to the investors relations department of all the companies listed on BOVESPA, asking them if they implemented IT governance mechanisms, and if so, which ones, and the exact implementation period. 23

From this research, 101 (out of a total of 405) companies were identified as formally implementing IT governance, which represents almost 25% of the BOVESPA companies. Most of the IT governance adoptions in the sample occurred in 2004-05 (68 firms or 67.3%), showing that IT governance is a very recent function among publicly-traded Brazilian firms (see Figure 1). The large number of firms starting the IT governance process in this period might be explained by the efforts of Brazilian companies to adapt their internal controls to the requirements of the Sarbanes-Oxley Act 2002 (SOX), which is mandatory for those companies that negotiate shares on the New York Stock Exchange (NYSE) the initial deadline for foreign companies was December 2006. Figure 2. IT governance drivers COBIT ITIL SOX Internal Solution BS7799/ISO17799 PMI SLA/SLM IT Steering Committee Post Implementation Review BSC/IT BSC Strategic Information Systems Planning Effective communication SEI Maturity Model ROI/business evaluation 36% 32% 27% 23% 18% 15% 12% 10% 7% 7% 6% 5% 44% 54% Internet Portal 4% Figure 1. Distribution of sample firms by year Others 27% 45 40 35 30 25 20 15 10 5 0 42 26 12 9 7 4 1 2001 2002 2003 2004 2005 2006 2007 large domains (planning and organization, acquisition and implementation, delivery and support, and monitoring), ITIL includes a set of recommendations divided into two blocks. The first set concerns support for services and service delivery, focusing on managing IT infrastructure so as to ensure the service levels are grouped with the internal and external clients. Source: data collection end-date: march 2007 Most common IT governance mechanisms were adopted. A total of 23 different IT governance mechanisms were adopted by Brazilian companies (see Figure 2). It can be seen that COBIT (Control Objectives for Information and Related Technology) and ITIL are the IT governance drivers most frequently cited by the companies. Developed specifically for the management of IT infrastructure, many companies indicated that they use these two models as guides for the implementation of IT governance. While COBIT emphasizes the control of different processes in four Developed by the IT Governance Institute, COBIT is designed specifically for the control of IT, helping organizations to align the use of technology with their corporate objectives. It is used in the IT field as an umbrella for various methodologies and leading practices indicated for the management of IT. ITIL, on the other hand, has gained note as a specific model

IT governance in Brazil for the IT area, containing a set of leading practices for the management of technology infrastructure. It facilitates the identification of the maturity of the processes, how to improve them and, as a consequence, offers parameters for a company to compare its performance with others in the same segment. It has also been noted that a large number of companies that have adopted various guidelines from both models in order to be compliant with the requirements of SOX. The second group of practices focused on conforming to SOX (36%) and the use of their own IT governance models (32%), which are supported by some of the framework practices that are well established in the market, such as COBIT, ITIL, BS7799, COSO, etc. As more senior management is responsible for ensuring that the published financial information is accurate, IT has become a critical issue, especially because modern accounting systems are based on technology and the reliability of financial reports depends on the existence of safe and trustworthy computational environments. Hence, the justification for the information security guidelines, such as BS7799, ISO17799 and ISO27001. With regard to the employment of their own models of IT governance, there is a growing tendency towards using a combination of practices and guidelines from different frameworks, so as to obtain the benefits of each of them without necessarily incorporating details that are not relevant. These models tend to be made up of other mechanisms, involving the management of projects, the elaboration of service level agreements and their monitoring, the IT committees, as well as the use of post-implementation evaluation methods (all indicated in the literature as important IT governance mechanisms). Among those mechanisms that are less frequently mentioned listed as Others are: COSO (Committee of Sponsoring Organizations); the IT service catalog, shared domain knowledge; Six Sigma; SOA (Service Oriented Architecture); the IT project-linked compensation practices; BPM (Business Process Management); ISO9000; and the definition of roles and responsibilities. This survey illustrates those mechanisms that are most used by Brazilian companies, though the simple statement or announcement in the media that the company uses a particular mechanism does not necessarily mean that is effectively being used to help the company improve the use of its IT. Some companies adopt or initiate the adoption of some of these mechanisms because they are following a trend or to copy their competitors. But, in the end, what do IT executives really think about the impact of the different IT governance mechanisms in the management of IT and organizational performance? In order to try to answer this question, 83 executives from large Brazilian companies (the majority being IT directors and managers) participated in a survey carried out by the Federal University of Rio Grande do Sul (UFRGS) to identify the IT corporate governance mechanisms adopted and their impact on IT management. The executives surveyed (Table 1) responded that the following IT governance mechanisms most affect their companies IT management: Strategic IT planning (3.03) Compliance practices (3.02) IT projects committee (3.00) CIO s participation in the company strategy (2.99) IT BSC (2.89) IT committees (2.88) As well as being the most common IT governance mechanism among the companies surveyed, IT Strategic Planning (ITSP) is an important IT management tool because it can be used to formally define the means of aligning IT with the business objectives, whereby responsibility for the management of IT resources is designated, policies and technology architecture are developed, and IT can be used to win competitive advantage. In addition to ITSP, compliance practices were also reported as having a strong impact on IT management. Under pressure from different regulatory bodies, many organizations have dedicated themselves to ensuring the conformity of their internal processes, as they can be audited and held accountable by these authorities at any time. Although they may not be the exclusive responsibility of the IT function, many areas that are audited are related to or are dependent on IT, like access to and safety of information and the integrity of the systems (e.g., the use of electronic spreadsheets that are manipulated outside the system). With the fulfillment of these requirements, several benefits are gained in the IT area, e.g., a reduced risk of fraud, procedural review, the development of more efficient practices and a better distribution of responsibility aspects previously considered superficial by higher management. 25

Good IT governance models generate higher returns on a company s IT investments than their competitors. Table 1. Perceived impact of IT governance mechanisms in IT management Mechanisms n Mean Standard deviation IT strategic planning 75 3.03.885 Compliance practices 61 3.02.904 IT project committee 71 3.00.756 CIO on board of directors 67 2.99.961 IT BSC 36 2.89.919 IT committees 59 2.88 1.001 Post-implementation review 66 2.82.927 PMO (Project Management Office) 36 2.78.959 IT project feasibility analysis 72 2.68.709 COBIT 46 2.67.896 IT management incentive 55 2.65.821 practices PMI 53 2.64.787 BS7799 40 2.63 1.102 Formal communication practices 69 2.62.893 ITIL 50 2.56.993 ISO9000 34 2.56 1.160 SLA/SLM 66 2.45.880 BPM 31 2.32.909 SOA 28 2.32.905 COSO 21 2.29 1.146 Formal learning practices 49 2.22.896 CMM 23 2.17 1.072 Six Sigma 16 2.06.929 BS15000 14 2.00 1.038 n = Number of executives The use of committees and participation of the CIO in the development of the corporate strategy emerged as two important mechanisms in an organization s formal IT structure that can have a significant impact on successful management. Many organizations have used different committees to help their governing bodies fulfill their duties as effectively as possible. Given the importance of the IT function in corporate businesses, the use of committees linked directly to the IT function has become increasingly common. Made up of managers from different areas of the business, these committees are tasked with increasing the organization s commitment to effective IT governance and the precision of the IT-linked decision-making process. Although many different versions exist, it is most important that the concepts and the rationality guiding each mechanism are applied and customized to each organization s local environment. With regard to the role of IT in the definition of corporate objectives and strategies, it is clear that a large number of top executives are not particularly well versed in many aspects of information technology. This, in turn, can hinder IT-related decisionmaking. When the IT department can propose ideas, or influence strategy and advise the other members of the management team on the IT choices that can enhance their businesses, there is a great opportunity for the company to make gains. The IT function is represented at the senior management level by the presence of the CIO on the executive board and other high-level corporate management meetings. This has the beneficial effects of the organization being better informed about IT-related matters, as well as providing the business with upto-date knowledge about business models, management techniques, technology and the potential risks and benefits associated with each of the decisions taken. An interesting observation that emerged from the survey was that the ITIL and COBIT frameworks appear only as intermediate mechanisms in relation to their importance. Both are seen as constituting a set of components composed of different mechanisms that, in this macro configuration, do not appear to receive much attention from other senior management. Nevertheless, when some of their components are analyzed individually, e.g., ITSP, the use of committees, performance indicators, the CIO s participation in strategy, among other mechanisms found in the two frameworks senior management spends considerable time reviewing them. Both COBIT and ITIL act as important reference guides for IT management, but it is not necessary for all of their processes and control objectives to be adopted. The adoption of COBIT and ITIL can help organizations both to mitigate risks associated with IT and to create IT business value. Nevertheless, many companies fail to follow even the most basic rules, such as making business cases for IT projects; periodically adjusting and aligning the IT budget with business needs; and using benchmarking or metrics except for finance, which can certainly negatively

IT governance in Brazil affect the organizational performance. Still, researchers have unanimously concluded that there is no universal best IT governance structure, since the solution for any given firm is contingent upon a variety of factors. It is clear that the adoption of robust IT governance mechanisms can modify the manner in which organizations manage and apply their technology processes to the business in a more efficient way than those organizations where IT management is less effective, and this is reflected in the global performance of the organization. In doing so, IT will have an impact on the business processes, which together determine the overall performance of the firm. Figure 3. Event study model T0 Performance (t-1) In order to measure the impact of the adoption of IT governance mechanisms on financial performance, we used event-study methodology. In a nutshell, an event study compares the performance of a group of firms that have undergone a particular event (in our case, the adoption of IT governance mechanisms) with the performance of a similar group of firms that did not undergo that event. This method is commonly used in accounting and finance studies, and has been recently applied to studies of management and information systems (measuring the impact of IT investment announcements on stock prices, supply-chain management systems adoption, information systems outsourcing decisions, etc). In our case, we defined an event window (Figure 3) that was centered on the year in which IT governance was introduced (the period in which companies formally implemented their IT governance model, either through an own model or driven by the adoption of reference guides or frameworks such as COBIT and ITIL) called date zero (t = 0). IT governance Adoption (t) The estimation and comparison windows were defined as one year before and one year after the adoption of IT governance, respectively. Changes in performance were tested for the year prior to a firm s adoption of IT governance mechanisms (year minus ( ) 1) as well as for the year in which IT governance was adopted (date zero) and the year after adoption (year plus (+) 1); this device helps to identify possible lag effect benefits. The analysis indicated that IT governance adopters noticeably improved their organizational performance compared with the control group, mainly in relation to profitability measures (such as ROA, ROE and profit margin). It is interesting to note that the effect of IT governance mechanisms on ROE varied over time, being statistically significant solely one year after the IT governance adoption. We also found that IT governance mechanisms were used essentially to enhance the efficiency of the firms, e.g., in achieving cost reductions or better IT infrastructure utilization, rather than in expanding benefits such as sales growth Performance (t), (t+1)... (Estimation window) (Event window) (Comparison window) L1 L2 L3 T1 Event T2 T3 t and stock prices. These findings corroborate recent studies that also found a significant positive relationship between the effects of IT investments on such profitability measures. In fact, some studies reveal that Brazilian executives, when compared with their counterparts in other countries, still perceive the main benefits of IT are related to operating processes rather than having strategic value. We noted that the impact of these mechanisms is enhanced over time, that is, as IT governance mechanisms mature, the greater the benefits are. Therefore, we can say that the impact of those mechanisms is not an isolated event, but a continuous phenomenon the lag effects being greater than the immediate effects. 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information