IT Governance Implementation: The Determinant Factors

In the last 20 years, the use of IT by organizations has increased and ITG discipline is today a major concern. ITG has been recognized as a CIO top-10 issue for more than five years and has risen in priority between 2007 and 2009. Best practices and frameworks have been proposed in order to help organizations in ITG implementation. However, such practices and frameworks argue that the application of their practices depends on each organization context, but they don’t describe the different contexts and how the practices must be applied given the different contexts. Such fact calls for the identification and formalization of the determinant factors that can influence each ITG implementation which is not present in any framework. The researchers start the paper with a literature review to leverage such differentiator factors, herein called contingency factors, in order to provide a scientific viewpoint. Then, the researchers present the evaluation section with expert’s interviews in order to provide practitioner viewpoint. The researchers finalize the research with main contribution and future work section.


Introduction
Nowadays, IT plays a significant role in interorganizational transactions and relations.Thus, IT has become a valuable asset and resource in contemporary business strategy literature (Dahlberg and Lahdelma, 2007;Gao, Chen and Fang, 2009;Jiandong and Hongjun, 2010).Many organizations have become totally reliant on IT for success and recognize that IT is becoming one of their main organizational assets (Gerrard, 2009;Park, Jung, Lee and Jang, 2006).Decisions about IT adoption, implementation and management are still complex, so many organizations are wasting a lot of money in bad IT acquisition (Lunardi, Becker and Macada, 2009).
Since IT has become crucial to the support, sustainability and growth of the business, this pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT Governance (ITG) (De Haes and Grembergen, 2008).Indeed, Gartner states that ITG has been recognized as a CIO top-10 issue for more than five years and has risen in priority between 2007 and 2009 (Gerrard, 2009).Some studies have shown that companies with good ITG models generate superior returns on their IT investments than their competitors (Lunardi, Becker and Macada, 2009;Jacobson, 2009).With IT investments making up a significant portion of corporate budgets and increased external pressure to control and monitor costs, effective ITG is seen as a vital way to ensure returns on IT investments and improved organizational performance (Jacobson, 2009).Organizations can no longer afford to have ITG by default or bad ITG by design (Simonsson, Lagerström and Johnson, 2008;Symons, 2005).

Communications of the IBIMA2
Several Frameworks and Best Practices exist to help organizations in ITG implementation e.g.COBIT (Information Technology Governance Institute, 2007), ITIL (Taylor, Iqbal and Nieves, 2007), CMMI-SVC (Forrester, Buteau and Shrum, 2009), etc; however, most of the Frameworks and Best Practices share the idea that each case is a different case considering organizations context (Lunardi, Becker and Macada, 2009; Information Technology Governance Institute, 2007; Agarwal and Sambamurthy, 2002).Such fact calls for the identification and specification of the factors that can influence each ITG implementation which is not present in any Framework or Best Practice that, besides the provision of a set of valuable guidelines, lack a correct explanation of how they can and must be used giving organizations context.Moreover, some of the most important Frameworks and Best Practices in the market are also pointed out in literature as lacking a theoretical foundation from a scientific viewpoint (Goeken and Alter, 2008;2009).
The hereby objectives are to use literature review to identify and formalize the current contingency factors that influence ITG implementation in organizations obtaining an artefact with theoretical foundation from a scientific viewpoint.The researchers intend to evaluate their contingency factors, interviewing some ITG experts with several years of practice in their organizations.This type of evaluation will also ensure that the artefact won't lack a practitioner viewpoint becoming more complete and coherent with the reality.
In the next section, the researchers will describe the problem that this article intends to help in solving.Afterwards, in section 3, the research methodology that will be used is described.Building on these findings, the researchers make a literature review and propose their contingency factors in section 4.Then, the evaluation of the contingency factors in section 5 is detailed and the conclusion and future work finalize the paper in section 6.

Problem
Although ITG relevance for business success, conceiving the ITG model is just the first step, implementing ITG as a sustainable solution is the next challenging step (Fasanghari, NasserEslami and Naghavi, 2008).
There are evidences of the positive effect of good ITG implementation in organizations, for example: • With the help of well-organized ITG, organizations may increase their return on IT investments by as much as 40% (Weil and Ross, 2004).
• Enterprises that perform well in ITG may gain returns on IT investment 40% higher than their competitors; given the same business strategy, those with an average performance in ITG may make 20% more profit (Lingyu, Bingwu, Ruiping and Jianzhang, 2010).
In spite of all these evidences about influence of ITG in organizations' success and returns, there are also evidences of IT continuously being badly managed and governed: • The far-reaching structural changes following an ERP implementation can be disastrous, as shown by Bingi, Sharma and Godla (1999) who states that there are several failed ERP attempts, and companies lost not only the capital invested in ERP packages and millions paid to outside consultants, but also a major portion of their business.Buckhout, Frey and Nemec (1999) affirm that in several ERP implementations, the overrun of costs and schedule as well as the lack of improvements is high, or even Scott (1999) who evidences the FoxMeyer bankruptcy case.Indeed, 70% of ERP implementations fail to achieve their corporate goals (Bernroider, 2008).
• Gallagher and Worrel (2008) report a case of a new cross-business units system implementation where the delay in the implementation of a earlier product versions were frustrating because many of these projects took well in excess the timeline originally targeted.
• Shpilberg, Berez, Puryear and Shah (2007) affirm that organizations must stop spending more than 80% of their IT budget in maintenance, patches, upgrades and other routine expenses, and less than 20% on the development of new applications and capabilities.
• Lunardi, Becker and Macada (2009) evidence some important facts, as for example that 72% of IT projects are late, over-budget, lacking in functionality, or never delivered; of the "successful" projects (28%), 45% were over budget and 68% took longer than planned.
• Yet, Lunardi, Becker and Macada (2009) highlight the fact that many companies spend about 50% of all their capital investment on IT.
• On the other hand, Gao, Chen and Fang (2009) conclude and affirm that huge IT investment did not bring significant benefits.
With evidences of failure of so many IT implementations, the proposal of new approaches for ITG is imperative.Currently, the most adopted solutions are the existing frameworks in the market.
Indeed, several Frameworks and Best Practices exist to support organizations in ITG implementation.ITIL and COBIT, for example, are between the most adopted frameworks (Broussard and Tero, 2007;Radovanovic, Radojevic, Lucic and Sarac, 2010;Ridley, Young and Carroll, 2004), but several organizations still prefer to design their own (Broussard and Tero, 2007).Such fact is not surprising since the most Frameworks and Best Practices state that there is no single "best" IT organizational structure or governance arrangement because IT needs to respond to the unique environments within which it exists (Lunardi, Becker and Macada, 2009; Information Technology Governance Institute, 2007; Agarwal and Sambamurthy, 2002).Since the existing Frameworks and Best Practices do not make any reference to the possible factors that can influence each ITG implementation and the way the provided guidelines must be used giving the different organizations' environment, organizations are developing their own Framework in order to adapt it to their specific needs.ITG implementation is influenced by external and internal factors (Xue, Liang and Boulton, 2006), however, literature and current Frameworks and Best Practices fail to reveal a clear and concise identification of these factors.
Moreover, some of the most used and known Frameworks and Best Practices in the market are seen as complex (Pereira and Mira da Silva, 2011), too general (Morimoto, 2009), lacking a theoretical foundation from a scientific viewpoint (Goeken and Alter, 2008;2009), and overlap with each other (Pereira and Mira da Silva, 2010).These statements reinforce the possibility of improvements in the existing Frameworks and Best Practices.Framework complexity is even demonstrated by Pereira and Mira da Silva (2011) (Figure 1).The main problem that this research contributes to solve is the following: There are many frameworks to support ITG implementation.However, Frameworks keep affirming that each case is a case and still lacking the identification of the factors that can influence each ITG implementation taking into account each organization's environment.

Research Methodology
The research methodology that will be used in this paper is Design Science Research (DSR).Toward the end of the 1990s, it began growing in popularity for use in scholarly investigations in IS.DSR methodology is conducted in two complementary phases: build and evaluate.In contrast to behaviour research, design-oriented research builds a "to-be" conception and posteriorly seeks to build the system according to the defined model taking into account the restrictions and limitations (Osterle et al., 2011).Design science addresses research through the building and evaluation of artefacts designed to meet the identified business needs (Hevner, March, Park and Ram, 2004), instead of analyzing existing IS in order to identify causal relations (Osterle et al., 2011).
Few researchers attempted to perform empirical studies on ITG topic (Brown and Grant, 2005).Hence, the researchers build and evaluate new and innovative artefacts following the design research paradigm (Hevner, March, Park and Ram, 2004).It is argued that a better understanding of ITG implementation guide from different and sometimes complementary points of view can be accomplished.
Based on the four design artefacts produced by design science research in IS (constructs, models, methods and instantiations), constructs will be focused on.Constructs are necessary to describe certain aspects of a problem domain and allow the development of the research project's terminology (Schermann, Böhmann and Krcmar, 2009).The constructs proposed will be the Contingency Factors.
The research methodology applied is divided according to the two processes of design science research in IS; build and evaluate.The build process and the evaluation process are composed by one stage (Table 1).This kind of research approach was already used in other researches as De Haes and Grembergen (2008) and Vicente and Mira da Silva (2011).
In the first stage, the researchers started with the literature review.Since Contingency Factors area is poorly explored or even in the early stages, this research is exploratory rather than being hypothesis testing.Exploratory research often builds on secondary research, such as reviewing available literature and/or data or qualitative approaches, such as informal discussions with customers, employees, management or depth interviews, focus group projective methods, case studies or pilot studies (De Haes and Grembergen, 2008).
In consequence, the researchers used literature review and depth interviews to identify the ITG Contingency Factors.In the academic literature, a number of authors compiled "mini" reviews to support their own conceptual or empirical papers (De Haes and Grembergen, 2008;Brown and Grant, 2005;Brown and Magill, 1994;Sambamurthy and Zmud, 1999;Simonsson and Ekstedt, 2006).Nevertheless, literature review represents the foundation for research in IS.As such, review articles are critical to strengthening IS as a field of study.Moreover, the approach used in this paper follows the concept-centric methodology of IS literature reviews as outlined in Webster and Watson (2002).A design artefact is complete and effective when it satisfies the requirements and constraints of the problem that was meant to be solved.In this paper, the present artefacts were evaluated through interviews as well as literature review.In addition, by submitting these research results to respected international conferences, the researchers have also used the appraisal of the scientific community as evaluation criteria.

Proposal
The researchers decided to start the literature review with an overview on the different types of governance in order to clearly identify the type of governance approached on this article, followed by a historical overview about ITG definition in order to demonstrate that ITG definition is not clear in scientific community.

Communications of the IBIMA6
Governance is a concept that can be used in many contexts.There are many different types of governance and the researchers should make a brief review of them in order to understand each one and which governance will be focused on: Governance -is the responsibility delegated by stakeholders and the public, defined by legislators and regulators and shared by boards, in some measure, with managers (Webb et al., 2006).

• • •
• Enterprise Governance -is a set of responsibilities and practices exercised by the board and executive managers, with the goal of providing strategic direction, ensuring that plans and objectives are achieved, assessing that risks are proactively managed and assuring that the enterprise's resources are used responsibly (Grembergen and De Haes, 2008).
demonstrated a lack of a clear shared understanding of the term ITG.None of the definitions reflect all of the elements of the framework, possibly indicating that authors do develop definitions to support their particular focus (Webb et al., 2006).
These types of governance are correlated and cannot be dissociated from each other.They should be dealt with as "whole Governance" with dependencies and relations between them and an order to be followed.However, ITG already developed into a discipline of its own rights (Simonsson and Ekstedt, 2006).Since ITG cannot exist in isolation but must be a sub-set of enterprise governance (Symons, 2005;Park et al., 2006) and is also commonly referred to as a sub-set of corporate governance (Lunardi et al., 2009) (Webb, 2006), it is concluded that ITG is the most specific and focused on the identified types of governance.In this paper, the focus will be on ITG.Factors that, depending on organizations context, may influence the ITG implementation but that are not likely or intended, are a possibility that must be prepared for.

Researcher
Year Reference Brown and Magill ITG decisions the locus of responsibility for IT functions Luftman ITG is the degree which the authority for making IT decisions is defined and shared among management, and the processes managers in both IT and business organizations apply in setting IT priorities and the allocation of the IT resources.

Sambamurth y and Zmud
ITG refers to the patterns of authority for key IT activities.
Grembergen ITG is the organizational capacity by the board, executive management and ITM to control the formulation and implementation of IT strategy and in this way ensures the fusion of business and IT.
Weill and Vitale ITG describes a firm's overall process for sharing decision rights about IT and monitoring the performance of IT investments.

Schwartz and Hirschheim
ITG consists of IT-related structures or architectures (and associated authority patterns), implemented to successfully accomplish (IT imperative) activities in response to an enterprise's environment and strategic imperatives.

IT Governance Institute
ITG is the responsibility of the board of directors and executive management.
It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that organization's IT sustains and extends the organization's strategies and objectives.
Weill and Ross ITG is specifying the decision rights and accountability standard to encourage desirable behavior in using IT.
Craig, Cecere, Young, and Lambert ITG is the process by which decisions are made around IT investments.How decisions are made, who makes the decisions, who is held accountable and how the results of decisions measured and monitored are all parts of ITG.

Webb, Pollard and Ridley
The strategic alignment of IT with business, such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management.

Simonsson and Ekstedt
ITG is the preparation for, making of and implementation of IT-related decisions regarding goals, processes, people and technology on a tactical or strategic level.

Gerrard
ITG is the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals.The definition contain certain key concepts: ITG is composed of processes with the inputs, outputs, roles and responsibilities that are inherent in a process definition.The role of ITG "ensures", as opposed to "executes".The goal of ITG is defined as a business goal, not just IT-related.Key performance measures, identified as effectiveness and efficiency, together represent business value.

Communications of the IBIMA8
From a literature review came a number of substantive conclusions relating the contingency factors to ITG implementation.After dealing with the literature review, the identified Contingency factors include: organizational culture and structure, strategy, size, regional differences, industry, maturity, ethical and trust.A summary of the identified contingency factors as well as their literature references is present in Table 3. Below is detailed each of the identified Contingency Factors: Culture -Corporate culture plays an invaluable role in the enterprise development.Management of culture is to make employees care about enterprise (Jiandong and Hongjun, 2010), and its context refers to managing IT workers and workplaces in such a way that the social processes, which reflect the interactions among groups of people with differing worldviews, are taken into account (Weisinger and Trauth, 2003).Surveys of CEOs during the past few years have identified organizational culture as one of the largest inhibitors to change and related business performance improvements (Gerrard, 2009), which means corporate culture can influence the success of ITG implementation (Fink and Ploder, 2008).Structure -The structure of IT is one of the major recurring issues in literature (Goeken and Alter, 2008;Bernroider, 2008;Sambamurthy and Zmud, 1999;Adams, Larson and Xia, 2008).The majority of the existing literature approaches the topic of ITG from existing or proposed structures point of view (Webb, Pollard and Ridley, 2006).IT has not only changed the traditional ways people acquire information, but has also broken old patterns of production management and profoundly changed firm's organization structure in space and time.Organization structure is the necessary condition to the achievement of business goals by organizations (Gao, Chen and Fang, 2009).Organizational structure has been identified by the literature as a concern that should be taken into consideration in ITG implementation.
Size -Some studies have attempted to discover the effect of organization size on ITG (De Haes and Grembergen, 2008;Brown and Grant, 2005;Cochran, 2010).Sambamurthy and Zmud (1999) state that the size of the firm influences the ITG mode through its effect on the mode of corporate governance.There are also evidences that many small organizations lack standardized project management practices (Cochran, 2010).
Industry -IT has a wide range of applicability across almost all industries (Tanriverdi, 2006).Some ITG studies only focus on a specific kind of industry (De Haes and Grembergen, 2008), others in several industries as for example (Simonsson, Lagerström and Johnson, 2008), who conducted interviews in separated industries and collected different results.ITG means different things in distinct industries, evident by the different regulations that have been developed (Webb, Pollard and Ridley, 2006).
Regional Differences -Some studies have been made about regional differences on ITG implementations.For example, Weisinger and Trauth (2003) pointed out the importance of aspects, such as language, local laws and national information infrastructures.Another study performed by Aagesen, van Veenstra, Janssen and Krogstie (2011) made a cross-country comparative study where they found different ITG implementations, while Fink and Ploder (2008) performed some regional case studies in different countries.
Maturity -IT has matured so much that, in many ways, IT has become a commodity.However, specialized resources are still needed (Cochran, 2010).The use of ITG maturity measurements is one of the means to evaluate the success of ITG (Dahlberg and Lahdelma, 2007).Some studies were performed and interesting conclusions were collected: a study compared different organizations and determined that, in general, the high performers have more mature ITG structures and processes (De Haes and Grembergen, 2008); another study identified possible requirements for good 9 Communications of the IBIMA ITG maturity assessments (Simonsson, Johnson and Ekstedt, 2008); and yet another study concluded that there is a correlation between ITG performance and ITG maturity indicators (Simonsson, Lagerström and Johnson, 2008) .
Strategy -How to accomplish strategic alignment between business and IT in the complex and dynamic environment of the real world remains a great unanswered challenge for the CIO and CEO (Ekstedt, et al., 2004;Silva, Plazaola and Ekstedt, 2006), therefore ITG should be dealt with as a business strategy (Park, Jung, Lee and Jang, 2006).Some research projects focus on how strategic alignment impacts business performance (Simonsson, Johnson and Ekstedt, 2008).Strategy had even already been proposed as a possible contingency factor of ITG by Brown and Grant (2005).
Ethical -To promote ethical business practices, an organization needs a leader who is committed to something more than profits.Ethical awareness in corporate governance has a strong effect to ensure employee trust in the workplace (Memiyanty and Putera, 2010).In the interviews performed by Maidin and Arshad (2010), most of the respondents agreed that ethics of compliance is an important aspect for ITG practices.
Trust -Many scholars claim that the concept of trust and cooperation is crucial for solving or at least minimizing governance failure (Memiyanty and Putera, 2010).
In the current literature review, few researchers approach such kind of factors.In this section, the researchers analyzed the main literature and proposed a set of Contingency Factors (supported by the literature) that organizations should put into consideration before an ITG implementation.

Evaluation
To evaluate the identified Contingency Factors, nine interviews were performed (90 minutes each) with ITG experts who have strategic alignment and ITG knowledge in their organizations.Seven interviews were performed in Portugal and two in Ireland by Skype.The interviewees were 3 consultant organizations marked as C in first column (1, 2 and 7) and 6 non-consultant marked as NC in first column (3, 4, 5, 6, 8 and 9) organizations.
Table 4 shows a summary of the results of the interviews.To turn Table 4 easier to read, the researchers used colors such as yellow and orange to highlight the first (yellow) and second (orange) choice of the interviewees (they were asked to rank the contingency factors by relevance), and green and red in the "yes/no" questions in order to highlight the positive (green) and negative (red) responses.Overall, the Contingency Factors are seen as relevant, complete and useful by the interviewees.Fifth, sixth and seventh interviewees stated that some factors were missing.The fifth and sixth referred to the organizations' financial power (which the researchers believe that it could be related to organization size since bigger organizations certainly have more financial power and vice versa), while the seventh mentioned the people (which the researchers believe to be related to ethic and trust, since ethic and trust are social values that should cross the entire human resources).
Culture, structure, industry and maturity are seen as the most relevant contingency factors for ITG implementation.On the other side, Regional Differences wasn't chosen by any interviewee, which can be justified by the fact that in general the interviewees are not familiar with ITG implementations beyond their country.
Several conclusions could be withdrawn from the interviews: • Culture, structure, industry and maturity are seen as the most relevant contingency factors for ITG implementation.
• Contingency factors were identified by all the interviewees as a relevant concern and useful as information available at the beginning of ITG implementations.
• Regional Differences was the only contingency factor not chosen by the interviewees.However, as already explained, it could be related to the fact that the interviewees only had experience in one country.
• Consultant organizations tend to give more importance to industry and maturity.Factors for consultants and non-consultants must be explored.Moreover, it is interesting that existing Frameworks also don't make any reference to the different viewpoints of consultant and non-consultant organizations since many non-consultant organizations hire consultant organizations to implement some domains as ITG; and such divergent viewpoints of what should be given the priority can be the reason of some problems.This research has some limitations as well.So far, the researchers leverage the Contingency Factors based on literature review and also validated them with experts' interviews.However, more interviews are required in order to achieve more concrete and coherent results.

Conclusion
Frameworks keep affirming that each case is a different case and still not providing any help in this field.With this research, a formalization of the Contingency Factors that must be considered by organizations before any ITG implementation is achieved.
Organizations are now able to analyse what can influence their ITG implementation and decide what should be done in the first place, given the environment of each organization.
Since the most known Frameworks lack a scientific viewpoint, the researchers leveraged the Contingency Factors based on literature review giving them theoretical foundation.Yet, in order to keep providing a practitioner viewpoint, interviews were performed with ITG experts.Then, Contingency Factors are argued to be built under both scientific and practitioner viewpoint.With the identification of the Contingency Factors the organizations are able to begin the collection of information in a correct format and leave precious information for other organizations, standardizing as much as possible the initial approach of the ITG implementation process.Then, organizations with similar contexts can easily realize what they should do first in order to avoid some mistakes.
Future work must pass by the integration of the Contingency Factors with an ITG framework.At the same time, more interviews should be realized to increase the empirical validity of the mentioned Contingency Factors.
It is important that organizations begin to consider this kind of factors before their ITG implementation.How the Contingency Factors influenced their ITG implementation in their organization context must be recorded in order to create a consolidated data base to minimize the risks of future ITG implementations by other organizations.

Table 2
presents a summary of the several definitions proposed in the last 20 years.Noticed is that a consensus about ITG definition still does not exist.The purpose of this research is not to decide which the most appropriate ITG definition is, or even propose a new one; however, the concern is stated and a historical overview of the main ITG definitions in the literature presented.