Abstract

There are various methods available for dealing with IT governance. These methods are diversified, and in some cases lengthy and complicated. This paper is concerned with providing a unified simple approach for IT governance assessment. The approach is developed and tested through the following three main steps: (1) highlighting the basic requirements of IT governance considering key available methods; (2) designing the target approach that integrates these requirements and uses knowledge management principles; and (3) illustrating the use of the approach through a typical illustrative application. The approach uses the “STOPE: Strategy, Technology, Organization, People and Environment” view to integrate the issues involved, the knowledge management principles as an added value, and the six-sigma phases as a cyclic improvement process. The work provides “fifty” main IT governance controls; and these enable finding key strengths and weaknesses of IT governance in organizations from which development directions can be derived. It should be noted that considering knowledge management, and people as a main domain in the integration view, illustrate special emphasis of the human factor in IT governance.

Keywords: Information Technology (IT); IT governance; ISO recommendations; COBIT; ITIL; STOPE view

0747-5632/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.chb.2013.12.019
262 H. Bin-Abbas, S.H. Bakry / Computers in Human Behavior 32 (2014) 261–267
of Technology” work on IT governance (Weill & Ross, 2004). These recommendations are useful as references to the assessment of IT governance in organizations, where the outcomes of such assessments support planning and future improvements.

1.3. Knowledge management and IT use

Knowledge management has been associated with the use of IT in different fields for two main reasons. On the one hand, the use of IT supports the effectiveness of the knowledge activities required by knowledge management including: knowledge production, diffusion and utilization. On the other hand, the use of the knowledge management principles in IT governance enhances the effectiveness of IT use (Bin-Abbas & Bakry, 2012). Therefore the knowledge management principles need to be emphasized in IT governance for enhanced IT benefits in organizations working in different fields.

1.4. The presented work

The problem with using the available IT governance recommendations as assessment references is that they are diversified and, in some cases, based on lengthy and complicated methods. In addition, these recommendations do not provide enough attention to the knowledge management principles. Here therefore comes the need to unify and simplify IT governance assessments, and also to enhance such assessments by considering the knowledge management principles.

This paper provides a new approach that attempts to integrate the main controls associated with the basic IT governance requirements, using the available key recommendations, while also emphasizing adherence to the knowledge management principles. This approach would enable finding the key strengths and weaknesses of IT governance in organizations, upon which future development directions can be derived.

For the development of the target approach, the following phases have been considered:

- highlighting the basic requirements of IT governance considering the key available methods and recommendations mentioned above;
- designing a simple unified structured assessment framework that integrates these requirements and considers knowledge management principles; and
- illustrating the use of the framework through a typical application.

The following parts of the paper address each of these phases.

The key available IT governance methods mentioned above are addressed in the following. The basic principles, issues and requirements of each of these methods are emphasized.

2.1. COBIT

IT governance according to COBIT is concerned with providing “support to the business requirements” of the organization concerned (Bakry & Alfantookh, 2006; COBIT, 2013; ITGI, 2005). COBIT provides its governance directions according to the Shewhart-Deming process of “PDCA: Plan, Do, Check, Act” (De Feo & Barnard, 2004), considering the available IT and IT related resources, and emphasizing required performance criteria. A general view of COBIT is presented in Table 1.

2.2. ITIL and ISO 20000

ISO 20000, which is concerned with IT service management, is a trimmed version of the British ITIL, which is concerned with IT services in organizations (Alfantookh & Bakry, 2009; ITIL, 2013; OGC, 2005). As we are concerned with the basic requirements, ISO 20000 is emphasized here (ISO 20000, 2005). Its target is to provide “effective management and implementation of IT services”. Like COBIT, its continuous development process is that of Deming’s “PDCA” (De Feo & Barnard, 2004). It associates its governance directions with the basic needs and management requirements given in Table 2.

2.3. ISO 38500

ISO 38500 provides guiding principles on “effective, efficient and acceptable use of IT” (ISO 38500, 2008). These principles are associated with six basic issues on the one hand, and with a development process on the other. The basic issues include: “responsibility, strategy, acquisition, performance, conformance and human behaviour”. The development process is not that of Deming’s five phases considered by the above methods; it includes instead the three main cyclic phases of “evaluate, direct and monitor”. A general view of the standard is given in Table 3.

2.4. MIT IT governance method

The IT governance research group of the MIT has published a book on its work (Weill & Ross, 2004). It considers the work of IT governance to be “toward desirable behaviour in the use of IT”. It specifies a three-phase mechanism for this purpose, and it draws a framework for the required activities based on the assets of the organization concerned. It emphasizes that decision making concerned with IT should be based on the level of responsibility on the one hand, and the IT issues concerned on the other. It considers IT performance measures to be associated with IT business support. Table 4 summarizes the principles and requirements of MIT IT governance views.

3. An integrated simple approach

The target IT governance assessment approach is described below in terms of the following:

- the basic principles upon which the approach is based;
- the assessment method used; and
- the basic IT governance control requirements considered.

The targeted IT governance assessment approach is based on the following five main principles:

- Continuous development: responding to change and to rising issues and opportunities.
- Integration of key requirements: viewing collectively according to a comprehensive scope the basic generic requirements considered by the key methods addressed above, while also emphasizing human involvement.
- Simplification: emphasizing basic generic requirements, while leaving details to individual situations.
- Knowledge management: activating the role of knowledge and supporting knowledge sharing and collective wisdom among the people involved.
Table 1
IT governance target, process, resources and criteria (ITGI, 2005).
Table 2
IT services management (ISO 20000, 2005).
Table 3
IT governance process and principles (ISO 38500, 2008).
- Assessment measures: translating the basic generic IT governance requirements into control elements that can be measured in terms of their importance level on the one hand and implementation level on the other.

Toward achieving continuous development, the six-sigma phases of the “DMAIC: Define, Measure, Analyze, Improve and Control” process (De Feo & Barnard, 2004) have been adopted. It is a modified version of Deming’s “PDCA” process, and it is widely advocated for quality management.

The basic generic IT governance requirements have been integrated over the “STOPE: Strategy, Technology, Organization, People and Environment” essential domains. These domains have previously been used in various IT investigations (Bakry, 2004). This integration supports simplification through providing a well-structured IT governance scope. Individual IT situations can use this general scope as a base for refinement to deal with specific detailed situations. It should also be noted here that the STOPE integration domains include people as a main domain among the other four domains.

Considering knowledge management to drive IT governance has the advantage of exploring opportunities and collective wisdom among people, and leads to high performance. In addition, providing suitable measures for the addressed control requirements helps specify improvement directions. Table 5 summarizes the integrated simple approach showing: the continuous development process; the STOPE essential domains; and the basic principles of knowledge management (Bin-Abbas & Bakry, 2012). The measurement method of the approach is addressed in the following.

3.2. Assessment method

Organizations concerned with the basic IT governance control requirements can ask two questions on each control element: the level of importance of the element; and the level of its implementation. For both questions, five levels have been taken into account. The mid-level “level three” would represent the average, with two levels above, and two levels below, as illustrated in Table 6.

Considering knowledge sharing, the two questions concerned with each issue can be assessed by different people. This would lead to the need of finding averages for both the weight and the implementation, as given in Table 6. In addition, a relative measure that combines the averages of both importance and implementation can be found. This is also illustrated in Table 6, which provides this relative combined measure as a percentage value.

The above can be applied not only to the basic IT governance control elements, but also to other possible elements that may be needed for specific cases. As will be seen below, the IT governance requirement controls are open to further additional considerations that may be taken into account. This enhances knowledge sharing and supports improvement.

3.3. IT governance controls

Fifty basic IT governance control elements have been mapped over the STOPE domains, with ten elements per domain. They have been derived from the key methods addressed above and from experience. These control elements are identified according to their domains in Tables 7–11, where each table is concerned with
Table 4
IT governance (Weill and Ross: MIT, 2004).
Table 5
IT governance (a STOPE view with six-sigma process).
Table 6
Assessment method: importance (weight) and implementation level.
Scale for both importance (weight) “w[i]” and implementation level “g[i]”:
1 = Poor/low; 2 = Below average; 3 = Average; 4 = Above average; 5 = Good/high

Average weight of a control element [i], for “K” assessments:
$$w[i] = \sum_{j=1}^{K} w[i,j] \,/\, K$$

Average implementation level of a control element [i], for “K” assessments:
$$g[i] = \sum_{j=1}^{K} g[i,j] \,/\, K$$

Collective weighted implementation indicator “r”, for “N” elements:
$$r = \left\{ \frac{\sum_{i=1}^{N} w[i]\, g[i]}{\sum_{i=1}^{N} w[i]\,(5)} \right\} \times 100$$
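A worked instance of the Table 6 calculation, added here as an example and not taken from the paper. The control names and vote counts are constructed, the function names are assumptions, and each control's votes are given as the number of assessors who chose each level, which is the form the paper uses to report assessments.

```python
from collections import namedtuple

LEVELS = (1, 2, 3, 4, 5)   # 1 = poor/low ... 5 = good/high (Table 6 scale)
MAX_LEVEL = 5

# votes[n-1] = number of assessors who chose level n for that question
Control = namedtuple("Control", "name importance_votes implementation_votes")

def mean_level(votes, k):
    """Average level over K assessments, computed from a vote histogram."""
    if len(votes) != len(LEVELS) or any(v < 0 for v in votes):
        raise ValueError("need one non-negative count per level 1..5")
    if sum(votes) != k:
        raise ValueError(f"votes sum to {sum(votes)}, expected K={k}")
    return sum(level * n for level, n in zip(LEVELS, votes)) / k

def assess(controls, k):
    """Return (rows, r): per-control w[i], g[i], gap, and the indicator r in %."""
    rows = []
    for c in controls:
        w = mean_level(c.importance_votes, k)       # average weight w[i]
        g = mean_level(c.implementation_votes, k)   # average grade g[i]
        rows.append({"name": c.name, "w": w, "g": g, "gap": w - g})
    weighted = sum(x["w"] * x["g"] for x in rows)
    r = 100 * weighted / (MAX_LEVEL * sum(x["w"] for x in rows))
    return rows, r

# Constructed sample data (hypothetical controls, K = 7 assessors).
K = 7
SAMPLE = [
    Control("IT strategy documented", (0, 0, 0, 1, 6), (2, 3, 2, 0, 0)),
    Control("Staff qualification and training", (0, 0, 1, 3, 3), (0, 1, 2, 3, 1)),
    Control("Compliance with regulations", (0, 0, 2, 3, 2), (0, 1, 3, 2, 1)),
]

if __name__ == "__main__":
    rows, r = assess(SAMPLE, K)
    # Largest importance/implementation gap first: where improvement is needed.
    for x in sorted(rows, key=lambda x: x["gap"], reverse=True):
        print(f'{x["name"]:<34} w={x["w"]:.2f} g={x["g"]:.2f} gap={x["gap"]:.2f}')
    print(f"collective weighted implementation indicator r = {r:.1f}%")
```

Sorting by the gap between average weight and average grade surfaces the controls seen as important but weakly implemented, while r summarizes a whole domain on a 0 to 100 scale.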
Table 7
Assessment of IT governance: ‘‘Strategy’’.
Table 8
Assessment of IT governance: ‘‘Technology’’.
Table 9
Assessment of IT governance: ‘‘Organization’’.
Table 10
Assessment of IT governance: ‘‘People’’.
one domain. The tables allow grading the importance and the implementation level of each element. In addition, each table permits adding additional control elements to its domain, so that knowledge sharing is enhanced. It should be noted that documentation, as an important knowledge availability and accumulation issue, is emphasized in all domains. In addition, the controls of the strategy have some similarities with controls of other domains; and this is due to the fact that strategy seeks development at all domains.

To enhance the understanding of the approach, an illustrative application is introduced in the following.

4. An illustrative application

For illustrating the use of the above approach, it has been applied to the IT governance of a Saudi organization, whose identity is kept concealed for business reasons. Seven senior staff members of the IT center of the organization, “K = 7”, have assessed all “50 IT governance control elements” presented in Tables 7–11 according to STOPE domains. The results of the assessment are given in the “importance” and “implementation” fields of every control element in these tables in terms of the number of staff who adopted a specified level for each field. The averages of the importance weights and implementation grades of all control elements are presented in Table 12 according to the five STOPE domains. The collective weighted implementation indicators for the STOPE domains are also given in the table.

Figs. 1–5 illustrate the results obtained for the control elements of every STOPE domain; and Fig. 6 shows the results of the overall weighted implementation indicators of the five STOPE domains. Various remarks can be derived from these results at the control element level and at the domain level. These would help specifying
Table 11
Assessment of IT governance: ‘‘Environment’’.
Table 12
Assessment results: average weights and grades and indicators.
Fig. 2. Assessment of IT governance controls: Technology.
Fig. 4. Assessment of IT governance controls: People.
Fig. 6. IT governance performance (%): a STOPE view.

what needs to be done for the improvement of the current state of IT governance in the organization concerned. As an example, here are some useful observations.

- The given average importance weights of all control elements range between “3.57” and “4.86” out of “5”; while the given average implementation grades of all control elements range between “2” and “3.71” out of “5”. This shows that a gap is felt by the IT staff of the organization between what is seen as important in IT governance and what is actually implemented.
- Best match between importance and implementation exists in the control elements of “qualification and training of IT staff”, which is associated with the “people” domain, and of “IT governance compliance with relevant organization regulations” of the “environment” domain.
- The IT governance control element associated with “documentation” seems to have a mismatch problem between its importance and its implementation in all domains except for the “technology” domain.
- At the domain level, “strategy” has the least score, while “technol-

5. Conclusions

References

Alfantookh, A., & Bakry, S. H. (2009). IT governance practices: ITIL. Saudi Computer Journal: Applied Computing and Informatics, 7(1), 56–65.
Bakry, S. H. (2004). Development of e-government: A STOPE view. International Journal of Network Management, 14(5), 339–350.
Bakry, S. H., & Alfantookh, A. (2006). IT governance practices: COBIT. Saudi Computer Journal: Applied Computing and Informatics, 5(2), 53–61.
Bin-Abbas, H., & Bakry, S. H. (2012). Knowledge management: An instrument for building the knowledge society. International Journal of Knowledge Society Research (IGI Publishing, USA), 3(3), 58–67.
COBIT 5 (2013). A business framework for the governance and management of enterprise IT. Information System Audit and Control Association. <http://www.isaca.org/cobit>.
De Feo, J. A., & Barnard, W. W. (2004). Juran Institute’s six sigma breakthrough and beyond: Quality performance breakthrough methods. New York: McGraw-Hill.
ISO/IEC 20000 (2005). International standards organization/international electrotechnical commission, Information Technology-Service Management, Geneva 20, Switzerland.
ISO/IEC 38500 (2008). International standards organization/international electrotechnical commission, Corporate Governance of Information Technology, Geneva 20, Switzerland.
ITGI (2005). Information Technology Governance Institute COBIT (Control Objectives for Information and Related Technologies) 4: Control objectives, management guidelines and maturity models. Rolling Meadows, Illinois, USA, 2005.
ITIL (2013). Information Technology Infrastructure Library, the British Office of Government Commerce. <www.itil.org>.
OGC (2005). Office of government commerce, best practices: Introduction to ITIL, The Stationery Office, UK, December 2005.
Weill, P., & Ross, J. W. (2004). IT governance: How top performers manage IT decision rights for superior results. Boston, Massachusetts, USA: Harvard Business School Press.