Exploring differences between smaller and large organizations' corporate governance of information technology
Introduction
Given information technology's (IT's) pervasive role in organizational processes that support business objectives, and with global IT expenditure projected as $3.7 trillion in 2015 (Gartner, 2015), value delivery from IT investment remains a concern (Kohli and Grover, 2008, Wilkin et al., 2013, Wu et al., 2015). Our paper focuses on corporate governance of information technology (CGIT), a subset of corporate governance, particularly its strategic focus on improved organizational performance and maximizing IT value. Defined as “the responsibility of the board of directors and executive management, CGIT … consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives” (ITGI, 2003 p. 10).
To enhance IT's capability to create business value, a number of CGIT-related tools and management systems have been developed. These include: PRINCE2 (Projects in Controlled Environments), ITIL (IT Infrastructure Library), COBIT2 (Control Objectives for Information and Related Technology), Val IT (Value from IT investments) and ISO/IEC 38500:2008 (an international standard for CGIT). Whilst the body of research concerned with IT governance issues in Australia is growing (e.g., Zhao et al., 2008, Campbell et al., 2009, Robb and Parent, 2009, Wilkin and Riddett, 2009, Wilson and Pollard, 2009, Wilkin et al., 2013), few studies have explored practitioner views of CGIT, including the influences, challenges and perceived benefits related to an organizations' application of CGIT policies and practices. Research is also lacking regarding how organizations perceive ISO/IEC 38500:2008′s principles to be relevant. Our research aims to address these knowledge gaps through a survey in Australia of business and IT executives from large (LO) and smaller (SO) organizations whose roles engage with CGIT. Moreover, recognizing that resource-constrained SOs face significant challenges in managing their assets to achieve sustainable competitive advantage (Beck et al., 2005, Cragg et al., 2011), our research aim was also to investigate any perceived differences between SOs and LOs in this regard. Besides such perceptions, the survey collected quantitative data about each organization, the status of CGIT policy and related responsibilities.
Findings from the 143 respondents (43 from SOs and 100 from LOs) showed the key implications as: SOs were equally engaged with CGIT and business/IT alignment as their LO counterparts; that human engagement with CGIT was a primary source of challenge for both (with strategies related more to defining accountabilities than upon control); and that risk management was a primary influence upon organizations of both sizes to engage with CGIT. In particular, we found: that (1) project management methodologies had higher levels of awareness and implementation than frameworks more directly related to IT governance; (2) the meaning of CGIT was construed in terms of IT alignment and value from IT; and (3) LOs were more likely to have a written policy than SOs. Influences for CGIT policy development reportedly relate to focusing on what IT could do for the organization (risk management and achieving alignment) rather than the issue of adequate organizational resources.
Benefits achieved by CGIT were found to include alignment of IT with business needs, and definition of accountabilities and responsibilities. Identified challenges primarily concern human issues (i.e., acceptance, commitment, communication and change management). Structural mechanisms by which to achieve CGIT were found to be formal in nature, i.e., IT steering committees (mainly LOs), formal policies and procedures and the Chief Information Officer's (CIO) role on the board. There was general agreement with ISO/IEC 38500:2008′s principles for CGIT, particularly regarding CGIT's role in ensuring regulatory compliance, appropriate delegations being in place and IT being fit for purpose.
The study's relevance can be gauged from evidence of high-profile IT project failures (e.g., Hutchinson, 2010, Toomey, 2009) and organizations' failure to realize benefits from IT investments (e.g., Barua et al., 2010). For example, a Commission of Inquiry into Queensland Health's payroll IT disaster reported that this failure related to governance practice, not the relevant standards (Chesterman, 2013). Even so, Standards Australia released an updated Information and Communications Technology (ICT) governance standard as a response (Clarke, 2014). Similarly, conflicted reports are evident in the USA. The US Air Force's development of the Expeditionary Combat Support System, which was scrapped after spending over a billion dollars for reportedly “zero results” (Shaw, 2012 p. 1), has been attributed to the lack of an assigned “accountable leader” who would exercise authority to enforce organizational changes necessary for successful project implementation (Stross, 2012 p. 2). In other words, the failure was in the exercise of IT governance, not necessarily in the relevance of an applicable standard.
These scenarios suggest that investigation is required into what constitutes current CGIT practice, the relevance of related tools/standards, and their capability to deliver organizational value from IT. In reporting our investigation, the paper is organized as follows. After reviewing the relevant literature, we introduce our theoretical perspective. We then outline the research methods and the study's context. After discussing our findings and their implications, we outline limitations and suggest opportunities for future research.
Section snippets
Background and theory
In this section, we link the two themes of literature that underpin the study, namely that:
- 1.
as an organizational capability, CGIT is a means to govern organizational IT assets in order to deliver organizational value; and
- 2.
in accord with the resource-based view (RBV), the organizational competence that deploys assets and capabilities in order to create value, relates to organizational size.
The section concludes with the four research questions that direct our investigation.
Research context: Smaller and large organizations
The decision to compare SOs and LOs stems from the important yet distinct economic and employment contributions each make to national economies, including through investment in IT. Whilst no universal classification exists, the distinction between small enterprises (SE), medium enterprises (ME) and large enterprises (LO) is customarily made based on employee numbers. Here, variances are apparent. For example:
- 1.
In the European Union, small-and-medium enterprises (SMEs) are defined as having ≤ 250
Awareness and implementation of frameworks and methodologies that assist with CGIT
We explored awareness and implementation of CGIT (RQ1) as related to the standard/methodologies/frameworks presented in Fig. 1 (see Section 2.1.2, Table 1). Respondents (n = 138, i.e., SOs 41 and LOs 97) answered by indicating (via a tick) which of the identified IT governance and management frameworks (see Table 3 below) they were aware of and/or was implemented in their organization. Holistically, our findings reveal medium levels of awareness of Val IT, COBIT and Risk IT (frameworks related to
Discussion and research contributions
This study explored: (1) the extent of awareness and implementation of IT governance and management frameworks; (2) the practices, benefits, challenges and supporting mechanisms associated with the use of CGIT; and (3) whether there were differences between SOs and LOs in this regard. Theoretically, this perspective is relevant to organizational RBV if CGIT is perceived as being a distinctive capability that facilitates linkage of intangible assets (i.e., people, commitment and resource
Conclusion
Given that SOs are widely regarded as having an operational rather than strategic focus, the extent of SOs' engagement with CGIT and their primary focus on alignment constitutes new knowledge about their governance rather than simply management focus on IT to achieve RBV. Whilst acknowledging the limitation of our sample size, findings reveal human engagement with CGIT as a primary source of challenge for SOs and LOs, with responsibilities managed in terms of assigned responsibility and
Acknowledgements
The authors would like to thank, Anne Fortin, Christopher O′Connor, two anonymous reviewers and participants at the 2015 UWCISA Symposium on Information Integrity and Information Systems Assurance for their helpful feedback on earlier versions of this manuscript.
References (84)
- et al.
Organizational information systems competences in small and medium-sized enterprises
Inf. Manag.
(2011) - et al.
Theory of the firm: managerial behaviour, agency costs, and ownership structure
J. Financ. Econ.
(1976) - et al.
The impact of adopting IT governance on financial performance: an empirical analysis among Brazilian firms
Int. J. Account. Inf. Syst.
(2014) - et al.
Beyond strategic information systems: towards an IS capability
J. Strateg. Inf. Syst.
(2004) - et al.
On IT governance structures and their effectiveness in collaborative organizational structures
Int. J. Account. Inf. Syst.
(2012) - et al.
Is innovation always beneficial? A meta-analysis of the relationship between innovation and performance in SMEs
J. Bus. Ventur.
(2011) - et al.
The Survey Research Handbook
(2004) Summary of IT Use and Innovation in Australian Business. 2013–14
(2015)Australian Small Business, Key Statistics and Analysis
(2012)Communications Report 2012–13 Series: Report 1—Australian SMEs in the Digital Economy
(2014)
Is the resource-based “view” a useful perspective for strategic management research? Yes
Acad. Manag. Rev.
Creating, capturing and measuring value from IT investments: could we do better?
Commun. Assoc. Inf. Syst.
Financial and legal constraints to growth: does firm size matter?
J. Financ.
The Modern Corporation and Private Property
Using thematic analysis in psychology
Qual. Res. Psychol.
Towards a Conceptual Map of IT Governance: A Review of Current Academic and Practitioner Thinking, UK Academy for Info. Syst. Conf. Proc.
The Committee on the Financial Aspects of Corporate Governance
ISO/IEC 38500: The IT Governance Standard
Public and private sector IT governance: identifying contextual differences
Australasian J. Info. Syst.
Challenge of Adopting Multiple Process Improvement Frameworks
Enabling effective IT governance: leveraging ISO/IEC 38500:2008 and COBIT to achieve business–IT alignment
EDPACS
Corporate governance: decades of dialogue and data
Acad. Manag. Rev.
Analysing the impact of enterprise governance of IT practices on business performance
Int J IT/Bus Alignment & Governance
Surveys in Social Research 5th Ed
IT governance and process maturity: a multinational field study
J. Inf. Syst.
The Australian Industry Group National CE Survey: Business Investment in New Technologies
Knowledge management in SMEs: a literature review
J. Knowl. Manag.
Growing the global economy through SMEs
Core IS capabilities for exploiting information technology
Sloan Manag.Rev.
Management development in small firms
Int. J. Manag. Rev.
Integrating case study and survey research methods: an example in information systems
Eur J Info Syst
Human resources and SME performance in services: empirical evidence from the UK
Int. J. Hum. Resour. Manag.
The Discovery of Grounded Theory: Strategies for Qualitative Research
Applied Thematic Analysis
Strategic alignment: leveraging information technology for transforming organisations
IBM Syst. J.
Exploring IT dependence and IT governance
Inf. Syst. Manag.
A new look at IT governance
J. Corp. Account. Financ.
Cited by (0)
- 1
Consultant.