
IT Governance and Performance Measurement: Research Study On Croatian Companies

This document discusses research on IT governance and performance measurement in Croatian companies. It presents findings from a study of several large Croatian firms regarding their level of IT maturity and adoption of IT governance best practices. The study found that while most companies recognize the importance of IT governance, there is still room for improvement in fully integrating IT processes with business goals and measuring IT performance and value. Common frameworks for IT governance, such as COBIT, ITIL and ISO 27001, are discussed as tools that can help firms better govern and audit their IT functions.

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/262371916

Conference Paper · February 2008


All content following this page was uploaded by Mario Spremic on 27 October 2015.


IT Governance and Performance Measurement – research study on
Croatian companies
MARIO SPREMIĆ, Ph.D., Associate Professor
Faculty of Economics and Business Zagreb, University of Zagreb
Kennedy’s sq 6, 10000 Zagreb
CROATIA
e-mail: [email protected]

ZLATAN ŽMIRAK, M.Sc., Key Account Manager, King ICT Ltd.
Buzinski prilaz 10, 10000 Zagreb
CROATIA
e-mail: [email protected]

KRUNOSLAV KRALJEVIĆ, M.Sc., Key Account Manager, S&T Croatia Ltd.,
Borongajska cesta 81a, 10000 Zagreb
CROATIA
e-mail: [email protected]

Abstract: As organizations become increasingly dependent upon IT to achieve their corporate objectives and meet their business needs, the need to implement widely applicable IT best-practice standards and methodologies that offer high-quality IT services is evident. The IT profession has been searching for solid standards and performance measurement frameworks for decades, but it seems that by the 1990s such efforts had dramatically improved. One reason for this may be the changing role of IT performance metrics over the years. While in the 1980s the focus of IT performance metrics was solely on technical efficiency, and in the 1990s process efficiency was added, these efforts nowadays converge on a comprehensive concept of value-added, IT-related business benefits. IT Governance issues are no longer marginal or 'technical' problems and are becoming more and more a 'business problem'. Therefore, in this paper emerging issues in IT Governance are discussed and the necessity for IT Audit and Performance Measurement initiatives is stressed. Contemporary issues in measuring IT performance are associated with engaging in periodic audits of IT and its contribution to the business. The concept of IT Audit, as a systematic 'tool' for measuring IT performance, is shown and explained in further detail, together with the methodologies used for its implementation (CobiT, ITIL, ISO 27001). Finally, on a sample of selected large Croatian companies, the research question about the level of IT maturity used in businesses is answered. The vast majority of IT Governance components and issues are argued in the research.

Key-Words: IT Governance, IT Audit, IT Performance Measurement, Croatia, CobiT, ITIL

1. Introduction

In the early days of implementing IT in the business, it was often seen as a technical support function and was typically managed by finance departments. When evolving from technology providers into strategic partners, IT organizations typically follow a three-stage approach. Each evolutionary stage builds upon the others, beginning with IT infrastructure management (ITIM). During this stage, IT's role in the organization focuses on improving the management of the enterprise (technological) infrastructure. Effective infrastructure management is mainly associated with maximizing return on computing assets and taking control of the infrastructure, the devices it contains and the data it generates [10]. The next stage, IT service management (ITSM), sees the IT organization actively identifying the services its customers need and focusing on planning and delivering those services to meet availability, performance, and security requirements. In addition, IT contributes to the business by managing service-level agreements, both internally and externally, as well as by meeting agreed-upon quality and cost targets. Ultimately, when IT organizations evolve to IT business value management (IT Governance), they are transformed into true business partners enabling new business opportunities [8]. In that stage, IT processes are fully integrated with the complete lifecycle of business processes, improving service quality and
business agility.

As IT initiatives have become far more than a means of improving efficiency and reducing costs and increasingly act as an enabler of business innovation, it still seems that IT is a less understood business resource. One reason could be that there is often no systematic way of measuring IT performance. In this paper we investigated the practices by which IT can contribute to the business as well as how to measure that contribution. Emerging issues in IT Governance are argued and the necessity for IT Audit and Performance Measurement initiatives is stressed. On a sample of selected large Croatian companies, the organizational position and the role of IT in the business have been investigated, while the specific research interest was to get a clear view of the maturity level of IT usage. We hoped that such an approach could be useful when trying to answer the posed research question: what stage of IT maturity level (from technical support to IT Governance) reflects the IT practices in large Croatian companies?

2. Evolving the IT Governance model

A good theoretical path to IT Governance issues can be found in the IT Strategy and IT/Business Alignment literature. Venkatraman [10], for example, illustrates the changes that occur in the perceived contribution of IT by the business during the transformation from Service Provider to Strategic Partner, as presented in Table 1.

Service provider | Strategic partner
IT is for efficiency | IT for business growth
Budgets are driven by external benchmarks | Budgets are driven by business strategy
IT is separable from the business | IT is inseparable from the business
IT is seen as an expense to control | IT is seen as an investment to manage
IT managers are technical experts | IT managers are business problem solvers

Table 1: IT as Service provider or as Strategic partner

Van Grembergen [8], [9] shares that view, but also emphasizes the strategic potential IT initiatives could have if managed (or rather 'governed') properly. When engaging in those changes, IT becomes not only a success factor for survival and prosperity, but also an opportunity for differentiation and achieving competitive advantage¹. This should undoubtedly be achieved by putting in place a management of IT that is service oriented (ITSM) and by establishing an IT Governance capable of aligning IT with the Enterprise Governance objectives.

¹ Van Grembergen, W., (2004): Strategies for Information Technology Governance, Idea Group, 2004.

3. Core Principles of IT Governance – literature review

In order to understand the concept of IT governance, a detailed insight into the principles of corporate governance and its constituents is needed. In their publications on measuring the performance of corporate boards, M.J. Epstein and M.J. Roy state that "governance concerns relate to practices of both corporate boards and senior managers" and "the question being asked is whether the decision-making process and the decisions themselves are made in the interest of shareholders, employees, and other stakeholders or whether they are primarily in the interests of the executives²." The corporate governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society³.

² Epstein, M.J., M.J. Roy, (2004): "How Does Your Board Rate?," Strategic Finance, February, p. 25-31, 2004.
³ Sir Adrian Cadbury (2000): Global Corporate Governance Forum, World Bank, 2000.

IT governance concerns relate to IT practices of boards and senior managers. The question is whether IT structures, processes, relational mechanisms and IT decisions are made in the interest of shareholders and other stakeholders, or primarily in the executives' interests. IT governance closely relates to corporate governance, the structure of the IT organization and its objectives and alignment to the business objectives. ITGI defines IT Governance as the responsibility of the board of directors and executive management [4]. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. Van Grembergen [9] shares that view and defines IT Governance as the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. The primary focus of IT governance is on the responsibility of the board and executive management to control the formulation and implementation of IT strategy, to ensure the alignment of IT and business, to identify metrics for measuring the business value of IT and to manage IT risks in an
effective way. Nolan and McFarlan [5] recently pointed out that 'a lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would'.

IT Governance is partly driven by external regulatory demands such as the Sarbanes-Oxley act, Basel II, the European 8th Directive and MiFID. Besides that, an increasing number of companies acknowledge that a well-defined structure and a high level of guidance truly can contribute to the overall cost efficiency and performance of IT. According to Van Grembergen [8], one of the key focuses of IT governance is to align IT to business objectives. As an explanation, it could be said that IT governance is the mix between Corporate Governance and IT management.

There are several ways of looking at the similarities between corporate governance and IT governance, as described in the literature ([8],[9],[10]). Van Grembergen et al. use Shleifer and Vishny's work ([6]) and stress three key questions that the management should address to display the connectivity between corporate governance and IT governance.

Corporate Governance Questions | IT Governance Questions
How do suppliers of finance get managers to return some of the profits to them? | How does management get their CIO and IT organization to return some business value to them?
How do suppliers of finance make sure that managers do not steal the capital they supply or invest it in bad projects? | How does top management make sure that their CIO and IT organization does not steal the capital they supply or invest in bad projects?
How do suppliers of finance control management? | How does top management control their CIO and IT organizations?

Table 2: Corporate and IT governance questions

4. Key IT Governance Components

As we previously introduced, one of the IT Governance goals is to align IT initiatives with the business objectives defined by the Corporate Governance. These high-level organizational goals and objectives are used as input to derive the goals, objectives and performance metrics needed to manage IT effectively. At the same time, the IT auditing processes are put in place in order to measure and analyze the performance of the organization. Conceptually, the process can be seen as an IT results flow depicted below⁴.

⁴ Panian, Z., Spremic, M, (2007): Corporate Governance and IT Audit, Zgombic & Partners.

[Figure 1 boxes, in order: Corporate strategy; IT strategy; IT resources, IT processes; IT Audit and IT Metrics; IT Business value]

Figure 1: IT Business value from corporate strategy

Having defined IT Governance, it is necessary to understand its most important elements. The IT Governance Institute suggests that, fundamentally, IT Governance is concerned about two things [4]:
- IT should deliver value to the business and
- IT risks need to be mitigated.

This leads to the four main focus areas of IT Governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk mitigation. Two of them are drivers: strategic alignment and performance measurement. While value delivery is focused on the creation of business value, risk management is focused on the preservation of business value [8].

Gartner shares that view, proposing that IT Governance should consist of four different components, namely [7]:
1. IT value and IT/Business Alignment,
2. IT Control Framework and Management Accountability for IT
3. IT Performance Measurement framework
4. IT Risk Management models.

As shown in Figure 2, IT Governance represents the necessary 'connections' between strategic visions (IT Strategy and IT/Business Alignment initiatives) and the results of their implementation, achieved by performing periodic IT Audits with which IT performance can be measured, IT risks identified and IT controls put in place.

Figure 2: IT Governance Components

4. IT Audit as a framework for Performance Measurement

A good, or rather, inevitable approach for measuring the performance of IT should include a thorough audit of all aspects of IS and IT, including hardware, software, data, networks, organization and key business processes. The primary goal of the information system audit (IT audit) is to identify the key business processes that depend on IT, to systematically and carefully examine the efficiency of their IT controls, to identify key risk areas and constantly measure the risk level, to warn about possible failures, as well as to offer suggestions to the executive management on how to improve current IT risk management practices⁵. This in particular means that by engaging in the IT auditing process companies can periodically measure IT performance using well-proven, world-wide frameworks or methods such as CobiT, ITIL, ISO 27001, etc. Such tendencies are mostly motivated by specific regulatory pressures (for example, the Sarbanes-Oxley act, the Basel II framework, etc.), rather than by IT value-added initiatives.

⁵ Spremic, M. (2005): Managing IT risks by implementing information system audit function, Proceedings of the 3rd International Workshop in Wireless Security Technologies, Westminster University, London, 04-05.04.2005, pp. 58-64

In addition to the term information systems auditing, the term information technology auditing (IT Audit) is often used. Regardless of the different terms being used, the goal of the information systems audit is to systematically, thoroughly, and carefully examine the controls within the information system, to measure the IT performance, to warn about possible omissions and risks, and thus examine the quality of the company's information system.

The information systems audit covers numerous areas of development and application of information systems in business, among others: development, functioning and maintenance of the system, data integrity, business applications, safety and privacy, access rights and authentication, the plan for restarting the system in emergency situations, feasibility and profitability studies of the purchase or preparation of a system, etc.

5. Methods and frameworks for IT Audit implementation

In recent years various groups have developed world-wide known IT Governance and IT Audit frameworks and guidelines to assist management and auditors in developing optimal performance and controls systems. Contemporary frameworks are:
- CobiT (Control Objectives of Information and related Technology),
- ISO 27000 'family' (ISO 27001:2005, ISO 27002:2005), and
- ITIL (IT Infrastructure Library).

Developed by ISACA and ITGI, CobiT is the widely accepted IT governance framework organized by key IT control objectives, which are broken into detailed IT controls. The current version 4.1 of CobiT divides IT into four domains (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate), which are broken into 34 key IT processes, and then further divided into more than 300 detailed IT control objectives. For each of the 34 IT processes CobiT defines:
- performance goals and metrics (for example, RPO, RTO, availability time),
- KRI (Key Risk Indicator), KPI (Key Performance Indicator)
- maturity models (0-5 scale) to assist in benchmarking and decision-making for process improvements,
- a RACI chart identifying who is Responsible, Accountable, Consulted, and/or Informed for a specific IT process.

ITIL (Information Technology Infrastructure Library), developed and published in the late 1980s by the Central Computer and Telecommunication Agency, now the British Office of Government Commerce, has become widely embraced in the private and public sectors as a reference framework for IT Service Management. ITIL is a series of books representing a repository of best practices in IT service management and related processes, promoting a business-driven approach to the management of IT and a performance-driven approach to achieving business effectiveness and efficiency in the use of IS and IT. The basic ITIL process objectives are:
- to define service processes in the IT organization,
- to define and improve the quality of IT services,
- to understand and improve IT service provision, as an integral part of an overall
business requirement for high quality IS management,
- to determine what service the business requires of the provider in order to provide adequate support to the business users, and
- to ensure that the customer has access to the appropriate services to support the business functions.

Since the 1980s there have been 3 major revisions of ITIL best practices. Version 2 described 11 major IT service areas within two broad categories:
- Service Support (operational processes, consisting of Service Desk, Incident Management, Problem Management, Configuration Management, Change Management, Release Management) and
- Service Delivery (tactical processes, comprising Service Level Management, IT Financial Management, Capacity Management, IT Service Continuity, Availability Management).

The new version 3 of ITIL brings evolutionary improvements to the IT Service Management concept, consisting of 5 key categories (Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement), but the supported processes remain the same at their core as in ITIL v2.

6. Research study on the IT Governance and IT Audit issues on Croatian large companies

6.1. Survey instrument
The key objective of the research has been to examine a number of issues regarding IT Governance, IT Audit and IT Performance Measurement practices. As these terms are interrelated through the IT Governance concepts, we posed the following research question: what stage of maturity level (from technical support to IT Governance) reflects the use of IT in large Croatian companies? To address the research's objectives, a survey questionnaire was considered the most appropriate methodology. Before being pilot-tested with five senior IS executives, the questionnaire was pre-tested on postgraduate and doctoral students for content validity and readability.

6.2. Research Sample
The questionnaire was then sent to 100 CIOs (Chief Information Officers) in large Croatian companies selected from the Register of '100 Large' companies, which are more likely to represent the structure of the Croatian economy. The survey was performed from March 2007 to April 2007 and was conducted by verbal communication with CIOs. The survey resulted in 37 responses, representing an acceptable response rate, but also limiting the research due to the small scope. The strength of the methodology used lies in the fact that the respondents were not self-selecting the questions and themes; rather, they were interviewed about their IT Governance and IT Audit practice.

6.3. Analyses of research results and the discussion
The analysis of the returned questionnaires shows that only a moderate number (46,7%) of Croatian organizations have implemented an IS strategic plan as a part of the overall strategic plan. Considering the relatively low level of IT investment (53,7% of companies allocate less than 2% of total annual revenue for IT), it can be concluded that Croatian companies are just keeping the present IS in working condition at the same level of technology, with no initiative for improving or developing new IS. These results imply that Croatian companies underestimate the necessity of IT planning and that in Croatian organizations IT is a neglected resource. With such poor IT planning and IT budgeting one cannot expect progressive IT Governance and IT audit policies. This contribution is by all means strong where IT strategy is linked with business strategy, thus IT can initiate major changes in organization structure, business processes and overall activities.

Table 2 indicates that 53,7% of surveyed Croatian companies intend to spend less than 2% of their budget on IT issues in general, while a further 39,2% of them are planning to spend 2-5% of their operating budget on IT support and related issues. This indicates that the remaining 7,1% of respondents are planning considerable investment in IT/IS issues and have solid IT funding. The majority of them are engaged in so-called 'information-intensive' industries (such as telecommunications, banking etc.) and the majority of them are using IT standards and frameworks such as ISO 27001, ITIL and CobiT on a regular basis. One of the reasons may be that their parent companies (almost all of them are owned by foreign companies) are obliged by regulation to do so.

Table 2. IT budget as a portion of total operating budget

IT budget share | % of companies
Less than 2% | 53,7%
2-5% | 39,2%
More than 5% | 7,1%

An information system (IS) which does not serve corporate strategies should be a source of managerial concern and frustration, and any misalignment of IS and corporate strategy could have a detrimental effect on
organizational performance. Therefore, aligning IS with business objectives represents one of the most important activities that add value to the business, and proper measures for evaluating its contribution to the business are needed. Research results suggest that in 58,7% of companies there is no measure for evaluating the influence of IT on business productivity, although the awareness of having such metrics is highly appreciated (average mark 3,95 on a 1-5 scale). This in particular means that there are no periodic IT Audits which can help the business measure the performance of IT for the business. Also, there is no management commitment to do so, unless they are obliged by regulation. Furthermore, 89,1% of the total number of companies that implement IT strategic planning (46% of companies do have an IT strategic plan) have formally defined and well documented IS audit procedures, as well as a proper action plan. Also, only a moderate number of sampled companies (less than 40%) have implemented some IS security procedures, while 21,7% of them have an information system audit department. In most cases, the information system audit department is an autonomous organizational unit inside the IT department, or inside the audit department.

7. Conclusion

In this paper we argued about IT Governance and IT Audit prospects in large Croatian companies. The research conducted led to the conclusion that Croatian companies underestimate the role IT can have in increasing productivity. This in particular means that managers are not aware of the fact that there are world-wide frameworks and methodologies (CobiT, ITIL, ISO 27001) used for measuring the performance of IT. Such tendencies, under the IT Audit 'umbrella', may help them to measure the quality of IT Services and the performance of IT Governance initiatives. Therefore, the answer to the posed research question is: Croatian companies use IT as a technological (infrastructure) support, while a small number of them are exploring the IT Governance and IT Audit benefits to the full. They are doing so namely by complying with the regulatory IT Governance and IT Audit frameworks, which often means that they are using IT as a strategic business resource, fully aligned with corporate governance objectives.

But, no matter which methodology is used, it is at least equally important who in the corporate hierarchy is making decisions about IT investments. We would expect that executive management will be responsible for making decisions on IT investments, especially for strategic IT investment issues. In Croatian companies, only in a small number of cases is executive management responsible for making IT investment decisions. The majority of IT investment decisions are the line manager's responsibility, which in Croatian companies' case is the CFO's (chief financial officer's) responsibility, since the IT department is an organizational unit inside the financial department. Methods used for making decisions about IT investments primarily include cost-benefit analysis, while there are a number of companies that use no metrics for evaluating IT performance. On the other hand, only a small number of CIOs (IS Executives) have heard of contemporary initiatives in IT Governance and IT Audit such as CobiT and ITIL.

References:

[1] Champlain, J.J. (2003): Auditing Information Systems, 2nd ed., John Wiley & Sons, USA.
[2] Epstein, M.J., M.J. Roy, (2004): "How Does Your Board Rate?," Strategic Finance, February, p. 25-31, 2004.
[3] Hunton, J.E., Bryant, S.M., Bagranoff, N.A., (2004): Core Concepts of Information Technology Auditing, John Wiley & Sons Inc., USA.
[4] ITGI (2003): Board Briefing on IT Governance, 2nd ed., IT Governance Institute, Rolling Meadows, Illinois, USA.
[5] Nolan, R. and McFarlan, F.W., (2005): Information Technology and Board of Directors, Harvard Business Review, October, 2005.
[6] Schleifer, A., Vishny, R., (1999): A survey on corporate Governance, The Journal of Finance, Vol. 3., 1997.
[7] Symons, C., (2005): IT Governance Framework: Structures, Processes and Framework, Forrester Research, Inc.
[8] Van Grembergen, W., (2004): Strategies for Information Technology Governance, Idea Group.
[9] Van Grembergen, Guldentops, D.R., (2004): Structures, Processes and Relational Mechanisms for IT Governance, Idea Group.
[10] Venkatraman, N., (1999): Valuing the IS Contribution to the Business, Computer Sciences Corporation.
