WIXLIB

2015 48th Hawaii International Conference on System SciencesIT Governance Maturity: Developing a Maturity Model using the DelphiMethodDaniël SmitsUniversity of Twented.smits@utwente.nlJos van HillegersbergUniversity of Twentej.vanhillegersberg@utwente.nlAbstract3.as part of corporate governance from aperformance perspective;4. as part of corporate governance from aconformance perspective; and5. functioning top-down; or6. functioning bottom-up.Does ITG maturity have a significant positiveimpact on IT performance and firm performance?Some studies did not find a clear positive correlation[7, 8]. Others, however, suggest a significant positiveimpact [9-12]. Some argue there might be aconsiderable time delay between the improvement ofITG maturity levels and the perceived benefit [13].Frameworks frequently used in practice for ITG arevery diverse: ITIL, security frameworks like ISO17799, ISO 27000, ISO 38500, COBIT, Six Sigma,PMI/PMBOK, Risk IT, IT Assurance Framework,CMM or CMMI, and so on [14]. The foregoingunderlines that in practice not only ITG frameworksare used for ITG but all sorts of frameworks.These frameworks are largely based on processesand structure. An exception is the ISO 38500 standardfor ITG [15]. This framework sets out six principles forgood corporate governance of IT: responsibility, strategy. The inclusion of humanbehavior as one of the principles makes it a positiveexception. Implementation of this standard however isnot yet widespread [14, 16].People are an important asset in organizations.People don't work or think in terms of process andstructure only. Human behavior and organizationalculture are equally important aspects of governance. Asurvey by the IT Governance Institute showed that"The culture of the organization, its ways of workingand human factors"are seen by 50% of theparticipants as one of the factors that most influencedthe implementation of ITG, surpassed only by "Thebusiness objectives or strategy" which scored 57%[14].To advance in maturity, organizations should payattention to both the hard and soft sides of ITgovernance (ITG). The hard side is related toprocesses and structure, the soft side to social aspectslike behavior and organizational culture. This paperdescribes a study to develop an ITG maturity model(MM) that includes both.Our research method is based on literature study,the Delphi method and makes use of a Group DecisionSupport System. We chose to design a focus area MM.In this type of MM maturity is determined by a set offocus areas.The study reveals one MM as being appropriate forhard ITG. For soft ITG we found no single modelappropriate. Soft governance needs more specificcapabilities defined for each focus area individually.Based on knowledge from literature and experts weselected models for each focus area. Three alternativesfor informal organization need further research.1. IntroductionIT governance (ITG) is an ongoing concern fororganizations worldwide. A McKinsey global survey in2014 showed that 35% of IT executives (or 30% of allexecutives) mention "Improving governance processesand oversight" as most important to improving ITperformance [1]. The CEB Audit Leadership Councilhas included ITG in their top 10 'hot spots' for 2014mentioning that "The growing demand for informationto enhance decision making has elevated the need for acomprehensive IT governance structure" [2].ITG is a relatively new topic. The first publicationsappeared in the early 1990s [3]. Definitions of ITG inthe literature vary greatly [4, 5]. An analysis of the ITGliterature revealed that six streams of thought can bedistinguished in ITG [6]. These streams see ITG as:1. decision making;2. as part of IT auditing;1530-1605/15 31.00 2015 IEEEDOI 10.1109/HICSS.2015.5414534

To be able to grow in maturity, organizationsshould thus pay attention to the hard and soft aspects ofgovernance. The split of governance into hard and softgovernance has been made before [17-21]. Joseph Nyeis founder of the soft power theory. Soft power isrelated to "intangible power resources such as culture,ideology, and institutions" [22]. This is close to howwe see soft governance. We define the hard side ofITG as the functional aspects of governance likestructure and processes. These aspects are also definedas the elements of organizational design. The soft sideof ITG is defined as related to social aspects likehuman behavior and organizational culture.The basic concept of a MM consists of a number ofareas—henceforth called focus areas—which maturealong a predefined path to achieve higher levels ofmaturity. A higher level of maturity is defined as abetter means to fulfill its purpose; the predefined pathis described by a set of capabilities. Capabilities are theability to mobilize and deploy resources to achieve agoal [23].Most maturity models (MMs) used for ITG arerelated to the existing frameworks mentioned beforewhich are largely focused on processes and structure[24]. These frameworks make use of differentapproaches for assessing organizational maturity andperformance. Some frameworks, for example COBIT,include a formal MM based on the CMM stages [25].Others, for example ITIL, do not and need additionalframeworks for maturity [26]. Of these frameworks,only COBIT is really focused on ITG.MMs in which ITG is one of the areas can be foundmore often. Examples are the IT Capability MaturityFramework from the Innovation Value Institute [27].This framework is based on the CMM levels too andcontains maturity capabilities for IT leadership andgovernance.The most dominant foundation of past IS researchis CMM [28]. Perceptions on maturity differ. Somerelate maturity to alignment with best practiceframeworks. "A maturely governed IT organization isthus defined as an organization that is efficient andaligned with state-of-the-practice frameworks such asCOBIT, Val IT or ITIL." [28].An ITG MM for hard and soft governance does notexist [14, 28]. We thus designed a new MM for ITGusing knowledge from literature and experts. For thispurpose we defined two research questions.When designing a MM for ITG:1. What type of MM do we need?2. What are the capabilities of each focus area?This paper is organized as follows. Section 2presents the research methodology. Section 3 coversthe MMs. The results of the literature study and theDelphi study are described in Section 4. The discussionand conclusion, including the limitations and nextsteps, are presented in Section 5.2. Research methodologyThere are many views on how to design a MM andno shared vision exists on which approach should befollowed [29, 30]. As a design process for the MM wecombined the general process steps as described byMaier, Moultrie and Clarkson [31] for the design ofmaturity grids with the more specific process steps forthe design of focus area maturity frameworks adaptedfrom van Steenbergen et al. [32].We combined this approach with a Delphi study.The Delphi method may be characterized as a methodfor structuring a group communication process so thatthe process is effective in allowing a group ofindividuals, as a whole, to deal with a complexproblem [33]. The Delphi method is used to "generatepropositions" on how focus areas grow in maturity andas "construct validation" [34]. The construct in thisstudy is the MM.As a foundation for the MM we built on an ITGmodel for hard and soft governance and the context ofthe organization [35] (see Table 1).Table 1. IT governance model foundationGovernance DomainFocus ticipationCollaboration Understanding andtrustFunctions and rolesStructureFormal networksHardIT ernalContextInformal organizationExternalSectorAs proposed by several scholars, ITG can bedeployed using a trichotomy summarized as structure,processes and relational mechanisms. This trichotomywas used as a starting point for the design. Thedomains for hard governance have been adopted.Relational mechanisms was broken up into severalparts for soft governance and the context. Softgovernance was divided into two domains 'Behavior'and 'Collaboration'. 'Behavior' defined as "the responseof an individual" and 'Collaboration' defined as"making joint effort towards a goal", Within eachdomain focus areas were defined based on knowledge4535

The participants had to respond to questions andstatements using a laptop or tablet. There was nohierarchy or dominance; each opinion counted and wasrecorded. Where needed, responses were anonymous tothe rest of the group. The upper part of the screen wasavailable to all participants. What is shown on thelower part is highly configurable. If applicable, forexample, when asked to rate a change in the model, weused Spilter to show graphs of the results after allresponses were given (see Figure 2).from literature and experts resulting in a set of ninefocus areas.The focus areas 'Culture', 'Informal organization'and 'Sector' are seen as value free and were moved tothe context. The resulting 12 focus areas are thefoundation for the MM we design in this study.The approach of this study was to select existingMMs for each focus area of the IT governance modelfoundation (see Figure 1).Figure 1. Overview of the studyIn a literature study we made an initial selection ofMMs for each focus area. The participants were askedto rate the suitability of the MM and received ahandout with a summarized description of the proposedcapabilities. Each round was organized as a meeting.After each round the model was improved using thefeedback during the meeting.Careful selection of participants is important. Thequality and responses of a Delphi panel is as good asthe experts [33, 36]. For the series of meetings weinvited participants very experienced in ITG. Theaverage ITG experience was 13 years (for more detailssee Figure 4). These were found among the membersof the special interest group Governance of the Ngi(the Dutch association of IT professionals) and theNAF workgroup IT governance (NAF the DutchArchitecture Forum). The meetings were organizedbetween October 2013 and February 2014. To inviteesit was explained that it was important to attend thecomplete series of meetings.Figure 2. Example screenshot of SpilterThese graphs or intermediate results are onlyavailable to the researcher.When experts invited to the meetings were not ableto attend they were asked to give their feedback onlineat a later time using Spilter. In Spilter all feedback istraceable to the participant.3. Maturity modelsMerriam-Webster defines maturity as "the qualityor state of being mature" [39]. The maturing entities inthis study are 'organizational capabilities'. This is basedon the resource-based-view which is used in strategicmanagement literature [40, 41]. An organizationcapability is "the ability of an organization to performa coordinated set of tasks, utilizing organizationalresources, for the purpose of achieving a particularend result" [42].MMs can be seen as artifacts to determine acompany's status quo and as "deriving measures forimprovement" [43]. The most well-known MM in theIT sector is the CMM. Version 1.0 of the model waspublished in 1991 [44, 45]. The interest in maturityemerged out of quality management [46]. In the 1930sWalter Shewhart started his work on processimprovement with his principles of statistical quality2.1 Technical details of the Delphi studyThe efficiency of face-to-face meetings wasincreased by a supplemental group communicationprocess [33]. We used a Group Decision SupportSystem (GDSS) to improve the effectiveness of thegroup meetings [37]. For this purpose we selected theinnovative tool Spilter by Canast which is a userfriendly, web-based GDSS [38]. The tool also allowsthe researcher to enable anonymous responses for anindividual question.4536