Implementing COBIT 5 in Small and Medium Enterprises
David Miguel Mendonca da Silva
Thesis to obtain the Master of Science Degree in
Information Systems and Computer Engineering
Supervisors: Prof. Miguel Leitao Bignolas Mira Silva, Prof. Ruben Filipe de Sousa Pereira
Examination Committee
Chairperson: Prof. Ana Paiva
Supervisor: Prof. Miguel Leitao Bignolas Mira Silva
Member of the Committee: Prof. Henrique O’Neill
November 2018
Acknowledgments
First and foremost, I would like to begin by thanking my whole family for their encouragement, caring,
and patience over all these years. My family gave me the financial and emotional support that was
essential to complete this journey; without their effort nothing would have been possible.
Furthermore, I would like to express my gratitude to my dissertation supervisors Prof. Miguel Mira da
Silva and Prof. Ruben Pereira for their availability, useful insights, guidance and sharing of knowledge
that allowed me to learn as a researcher and conclude this master thesis.
Last but not least, to all my colleagues and friends who have shared this experience with me or who
have unconditionally supported me over the years. With them I lived the best and worst moments of my
academic life; it was thanks to them that I also grew as a person and became what I am today.
Finally, I would like to thank all the participants that collaborated in this research, making it possible.
Their valuable feedback was essential to the completion and success of this research.
To each and every one of you – Thank you!
Abstract
Information Technology (IT) has become fundamental for most organizations, since it is vital to their sustainability, development, and success. This pervasive use has led organizations into a critical dependency on IT. Despite the benefits, it exposes organizations to several risks. Hence, a significant focus on Enterprise Governance of IT (EGIT) is required. EGIT involves the implementation of processes, structures and relational mechanisms to support business/IT alignment and the creation of business value from IT investments. To support an EGIT implementation, there are broad and complete best-practice frameworks, of which COBIT 5 is a reference. This kind of framework is considered highly complex and requires considerable investments and resources which, in general, are extremely scarce in Small and Medium Enterprises (SMEs). However, no specific guidance is provided to help these organizations. Therefore, the problem addressed in this research is the lack of support for the implementation of COBIT 5 in SMEs. To solve this problem, this research proposes a solution that identifies the fundamental mechanisms to implement effective EGIT in SMEs and then establishes the correspondence between the EGIT mechanisms and the COBIT 5 components that support their implementation. The proposed solution was evaluated according to several methods, including qualitative semi-structured interviews with experts and specific methods to evaluate IT artifacts. Finally, this research work followed the Design Science Research principles and guidelines.
Keywords
Information Technology; Enterprise Governance of IT; Enterprise Governance of IT Mechanisms; COBIT
5; Small and Medium Enterprises.
Resumo (Abstract in Portuguese)
Information Technology (IT) has become fundamental for most organizations, since it is vital to their sustainability, development and success. This widespread use has led organizations into a critical dependency on IT. Despite the benefits, this also exposes organizations to several risks. For this reason, a significant focus on Enterprise Governance of IT (EGIT) is necessary. EGIT involves the implementation of processes, structures and relational mechanisms to support business/IT alignment and the creation of business value from IT investments. To support an EGIT implementation, there are complete and comprehensive best-practice frameworks, of which COBIT 5 is a reference. This type of framework is considered highly complex and requires considerable investments and resources which, in general, are extremely scarce in Small and Medium Enterprises (SMEs). Therefore, the problem addressed in this research is the lack of support for the implementation of COBIT 5 in Small and Medium Enterprises. To solve this problem, this research proposes a solution that identifies the fundamental mechanisms for implementing effective EGIT in Small and Medium Enterprises and then establishes the correspondence between the EGIT mechanisms and the COBIT 5 components that support their implementation. The proposed solution was evaluated according to several methods, including qualitative semi-structured interviews with specialists and specific methods for evaluating IT artifacts. Finally, this research work followed the principles and guidelines of Design Science Research.
Keywords
Information Technology; Enterprise Governance of IT; Enterprise Governance of IT Mechanisms; COBIT 5; Small and Medium Enterprises.
Contents
1 Introduction 2
1.1 Research Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Thesis Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Research Methodology 7
2.1 Interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 Literature Review 11
3.1 Enterprise Governance of IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2 EGIT Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3 COBIT 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.4 EGIT in SMEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.5 Minimum Baseline of EGIT Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.6 ITIL implementation on SMEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.7 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4 Research Proposal 25
4.1 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5 Minimum Baseline of EGIT Mechanisms for SMEs 28
5.1 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.1.1 Data Analysis and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.1.1.A Main Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.1.1.B Cross-study Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.2 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.1 Expert interviews - Ex ante evaluation . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.2 Osterle et al. principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
6 Mapping between Baseline Mechanisms and COBIT 5 46
6.1 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6.2 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.2.1 Wand and Weber Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.2.2 Osterle et al. principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.2.3 Expert interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.2.3.A Evaluation criteria by Prat et al. . . . . . . . . . . . . . . . . . . . . . . . 56
6.2.3.B Results Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7 Conclusions 61
7.1 Objectives evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
7.4 Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
7.5 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
A List of EGIT Mechanisms 77
B Questionnaire upon EGIT Mechanisms 83
C Questionnaire upon Mapping 90
D Results of Mapping Evaluation 95
List of Figures
3.1 The five fundamental domains of EGIT [1] . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 Structure, processes and relational mechanisms for EGIT. Adapted from [2] . . . . . . . . 15
3.3 COBIT 5 related to other standards and frameworks [3] . . . . . . . . . . . . . . . . . . . 16
3.4 COBIT 5 Process Reference Model [4] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.5 Seven Phases of the Implementation Life Cycle [5] . . . . . . . . . . . . . . . . . . . . . . 18
5.1 Averages of the difficulty of implementation and effectiveness . . . . . . . . . . . . . . . . 34
5.2 Pick Chart (Difficulty of implementation x Effectiveness) . . . . . . . . . . . . . . . . . . . 42
6.1 Average ratings of correspondences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.2 Evaluation of Prat et al. criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
List of Tables
2.1 Design-Science Research Guidelines [6] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1 Empirical Research on EGIT Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.1 IT experts’ details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.2 Results from interviews with IT experts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.3 Ten most important mechanisms selected by each interviewee. . . . . . . . . . . . . . . . 33
5.4 Part of interviewees’ quotations about the best and worst EGIT mechanisms for SMEs. . 35
5.5 Interviewees’ quotations about the Chargeback process for SMEs. . . . . . . . . . . . . . 37
5.6 Interviewees’ quotations about the Partnership Rewards and Incentives for SMEs. . . . . 37
5.7 Interviewees’ quotations about accumulation of responsibilities in SMEs. . . . . . . . . . . 38
5.8 Interviewees’ quotations regarding the outsourcing in SMEs. . . . . . . . . . . . . . . . . 39
5.9 Comparison of baselines of EGIT Mechanism for different contingencies. . . . . . . . . . 40
5.10 EGIT Mechanisms in different contingencies. . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.1 Mapping between Baseline Mechanisms and COBIT 5 Components . . . . . . . . . . . . 49
6.2 COBIT 5 experts’ details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.3 Evaluation criteria selected from the hierarchy proposed by Prat et al. [7]. . . . . . . . . . 56
A.1 List of EGIT Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
D.1 Results of correspondences evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
D.2 Results of Prat et al. criteria evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Acronyms
IT Information Technology
ITG Information Technology Governance
EGIT Enterprise Governance of Information Technology
SMEs Small and Medium Enterprises
EU European Union
COBIT 5 Control Objectives for Information and Related Technologies 5
ISACA Information Systems Audit and Control Association
DSR Design Science Research
IS Information Systems
ITSM Information Technology Service Management
ITIL Information Technology Infrastructure Library
1 Introduction
Contents
1.1 Research Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Thesis Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Over the last decades, Information Technology (IT) has been increasingly developed and disseminated
into every market, industry and sector. It has been used to automate and integrate business processes,
contributing to increased productivity and competitive advantage [8]. IT is crucial to the
sustainability and growth of organizations, but also to the development of new business strategies, and has become recognized as a strategic partner instead of a mere service provider [9,10].
Despite all the advantages, the use of IT exposes organizations to internal and external threats, including abuse, cybercrime, fraud, errors and omissions [2]. The pervasive role of IT made organizations
dependent on it and raised the need to deliver more value from IT investments while managing IT-related
risks. Furthermore, the need to comply with regulatory and contractual obligations raised awareness of the importance of a well-controlled and well-managed IT environment [5], [8]. Consequently, a
significant focus on Information Technology Governance (ITG) is required [5], [8].
The concept of ITG emerged in the literature during the nineties [11], [12], generating a lot of discussion, but mainly within the IT area. As the engagement of the business side is imperative to realize
the expected business value from IT investments, the concept evolved into Enterprise Governance of
Information Technology (EGIT) [2].
Effective EGIT contributes to business/IT alignment and to the creation of business value through the
use of IT [2]. To accomplish this, organizations should adopt a holistic approach using a mixture of EGIT
mechanisms, namely structures, processes and relational mechanisms [9]. However, the definition
of the appropriate EGIT mechanisms to implement is influenced by a variety of internal and external
contingency factors [13], [14], such as strategy, industry, geography and size [8]. Therefore, what is
appropriate for one organization may not produce the same results in others [15].
The benefits achieved through effective EGIT vary. Previous research has reported a positive impact on the value delivered by IT initiatives [10], higher profitability [16], and the achievement of business/IT alignment [9]. This holds for large enterprises but also for Small and Medium
Enterprises (SMEs) [17].
Nowadays, SMEs are considered the backbone of Europe’s economy, representing 99% of all businesses in Europe^1. Throughout this research, the authors follow the European Union (EU) criteria for
the definition of SMEs [18]. Therefore, an SME is an organization with at most 250
employees. However, it is essential to recognize that the challenges experienced by SMEs and larger organizations are quite different [19]. When compared, SMEs are usually constrained in terms of material,
financial and human resources [20].
In order to support the implementation of EGIT, organizations are using best-practice frameworks
such as Control Objectives for Information and Related Technologies 5 (COBIT 5). “COBIT 5 provides
a comprehensive framework that assists enterprises in achieving their objectives for the governance
and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by
maintaining a balance between realizing benefits and optimizing risk levels and resource use” [3]. This
framework is recognized as the best and most complete EGIT framework [21].
^1 https://ec.europa.eu/growth/smes_en
Undoubtedly, SMEs are also dependent on IT and need to manage and control their IT-related assets.
However, COBIT 5 involves an enormous number of interrelated components, such as processes and
organizational structures, which can make implementation a quite difficult task even for larger organizations,
which do not know where to start [22], [23]. This complexity raises the need for research on COBIT as
an artifact [24]. According to De Haes et al., there is a lack of knowledge regarding which components
of the framework are required to implement effective EGIT. Thus, De Haes et al. suggest verifying which
COBIT 5 processes and related structures are perceived by organizations as effective and easy to
implement [24].
Therefore, COBIT 5 implementation can be an even more complex and challenging task for SMEs,
since they have different characteristics and, in particular, more constraints than larger organizations, such as scarce IT
resources. Taking the first step towards implementing COBIT 5 can be frightening, especially for smaller
organizations with few resources [25]. This may contribute to the extremely low levels of COBIT 5 adoption in SMEs.
1.1 Research Problem
In this section, the authors will address the motivation for this research and present the research problem
identified through the analysis of relevant literature about this subject. To substantiate and corroborate
our ideas, several interviews were conducted with experienced members of Information Systems Audit
and Control Association (ISACA), including Mike Hughes (ISACA International Board Member Director)
and Marc Vael (ISACA Belgium Chapter President).
In every country, the vast majority of organizations are SMEs [26], which represent a key engine
of socio-economic development by providing employment to the majority of the workforce and
encouraging the flexibility and innovation needed to address new market demands [27].
The extensive use of IT has generated huge benefits for SMEs. However, SMEs have become completely
dependent on IT to maintain their businesses and hence vulnerable to a variety of risks [2]. Considering
the relevance of these organizations, it is crucial that their IT-related investments deliver the expected value
while their assets are managed and controlled to prevent such risks from compromising their business
operations. Mike Hughes stated that “Small and Medium Enterprises are considered a key component
of large organizations’ supply chain. So, getting an EGIT structure that works for them is vital to satisfy their
customers.”
A reliable way to ensure this is by implementing EGIT while recognizing that the challenges experienced
by SMEs and larger organizations are significantly different [19]. The characteristics of SMEs do not
favor the adoption of comprehensive EGIT frameworks, leading to the existing perception that the
implementation process is too expensive and unfeasible [28]. As Marc Vael remarked, “in SMEs everything
has to have a return, a function. So, typically, it is perceived as costing too much to maintain for the
purpose of what we do.”
Generally, organizations decide to implement EGIT using well-established best-practice frameworks
(e.g. COBIT 5) [23]. COBIT 5 is a complete and broad framework providing a set of practices and
objectives that all organizations should follow to effectively implement EGIT [29].
In spite of its undeniable usefulness [23], COBIT 5 implementation is widely recognized as excessively complex [24,29]. This complexity is reflected in the 6188 interfaces, representing the interconnections and dependencies between the 214 practices that compose the 37 processes defined in COBIT
5 [22,23]. Another factor is the lack of detailed guidance to correctly plan, structure and begin a difficult
and expensive implementation such as that of COBIT 5 [8, 24], namely choosing the processes
and the order in which they must be implemented [24].
Therefore, the perceived complexity can act as a barrier to the adoption of COBIT 5 in SMEs [29,30].
As confirmed by Mike Hughes, “The adoption in SMEs is almost zero. Since SMEs are usually very lean
and have different realities, it should not be too burdensome. It needs to be appropriate and proportionate
to SMEs so they also see business value from that”. Marc Vael added: “SMEs have to figure out the most
relevant mechanisms and controls that work for them”.
Considering the lack of detailed guidance for COBIT 5 implementation, its inherent complexity and
the fact that SMEs’ characteristics do not favor the implementation of frameworks like COBIT 5, the
authors believe that COBIT 5 implementation in SMEs requires further research. Therefore, the problem
that will be addressed is the lack of support for the implementation of COBIT 5 in SMEs.
1.2 Proposal
During the literature review, the authors verified that, in general, EGIT in SMEs is
an area where the existing body of knowledge is quite limited, so further research addressing this topic
is indispensable. Several studies have investigated and identified EGIT mechanisms in different contingencies [8], [31], [32], [33], but none of them focused on the organization’s size criterion.
Scientific research specifically addressing EGIT mechanisms in SMEs is almost nonexistent, even though these
mechanisms are crucial to implementing effective EGIT in organizations, as mentioned above.
Firstly, in order to support and facilitate the implementation of COBIT 5 in SMEs, it is fundamental to
identify and understand which are the most important EGIT mechanisms to be implemented in the context of this type of organization. Only then will the authors be able to discover and establish which are the
most relevant COBIT 5 components for implementing effective EGIT in SMEs or, in the worst case, to reveal
that COBIT 5 does not specify any elements that support the implementation of certain fundamental
mechanisms for these organizations.
For all these reasons, the authors decided to start by evaluating a comprehensive set of EGIT
mechanisms in order to elicit a minimum baseline of EGIT mechanisms for SMEs. This baseline will
contain the fundamental EGIT mechanisms for the SME context according to the feedback provided by IT
experts with experience in this type of organization. Subsequently, the authors will establish a mapping
between the EGIT mechanisms present in the baseline and the components of COBIT 5. This mapping
will allow practitioners to use the best practices and guidelines provided by COBIT 5 to support the
implementation of those mechanisms in their organizations.
The methodology chosen to guide this research was the Design Science Research. Therefore, the
authors will create two distinct artifacts in order to address the identified problem.
1.3 Thesis Outline
This document is structured as follows. An introduction to the adopted research methodology is
presented in Chapter 2. The literature review and related work, describing the fundamental issues and
relevant solutions in the context of this research, are analyzed in Chapter 3. Next, in
Chapter 4, the solution objectives are presented, followed by a brief explanation of our proposal.
Chapters 5 and 6 address the design and evaluation of each of the artifacts constructed in the scope
of this thesis. Finally, the conclusion of this research, including the contributions, limitations and future
work, is presented in Chapter 7.
2 Research Methodology
Contents
2.1 Interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The research methodology selected to guide this thesis was Design Science Research (DSR). In this
section the methodology will be described in order to make our research as transparent as possible.
The Information Systems (IS) field is socio-technical in nature, comprising people, information technology,
organizational concepts, and their interrelationships [34]. This environment gives rise to unique and
challenging problems that call for new and creative ideas [35].
Despite all the research on EGIT, practitioners still fail to implement EGIT successfully in their
organizations [36]. Several authors have pointed out the lack of professional relevance of IS research [37], [38].
The goal of DSR is to develop knowledge that practitioners can use and apply to the problems they
face in the field [39]. The adoption of DSR in IS research promotes closer ties between researchers
and practitioners, thereby contributing to a positive impact on the management practices implemented in
organizations [40]. Thus, DSR is recognized as an important paradigm in IS research [35].
DSR is an iterative methodology that aims to create and evaluate IT artifacts that solve identified
organizational problems [35]. Examples of such artifacts include decision support systems, modeling
tools, and governance strategies [35]. An accurate evaluation should cover the novelty, utility and efficacy of the artifact [6].
DSR in IS usually does not result in deterministic solutions, since this field is characterized by
many interacting factors and variables. Only in rare cases can an artifact be formally verified. Rather, the artifact
is either accepted or rejected by experts who review its justification or implementation outcome [34].
Furthermore, the development of useful artifacts can be complex due to the need for creative advances
in areas in which existing theory is scarce and insufficient [6].
Design-oriented IS research follows an iterative process comprising four phases [34]:
1. Analysis: The business problem is identified and research objectives, questions, and gaps are
specified. The state of the art of problem-solving approaches known in business and science is
analyzed.
2. Design: Artifacts should be created using generally accepted methods, be justified as much as
possible and be contrasted with existing solutions.
3. Evaluation: Scientific rigor demands validation of the artifacts produced against the specified objectives. The review process prior to scientific publication is part of the evaluation.
4. Diffusion: The obtained results should be diffused among the target groups, mainly through scientific papers, practitioner papers or dissertation theses.
As recommended by De Maere and De Haes [38], the researchers adopting the DSR in the EGIT
area should adhere to the guidelines provided by Hevner et al. [6]. These guidelines are presented in
Table 2.1 and will be verified in the evaluation phase.
Table 2.1: Design-Science Research Guidelines [6]
2.1 Interviews
Interviews are a research instrument used as a data collection method. An interview can be seen as a
conversation whose purpose is to obtain in-depth information about the subject under study by understanding the interviewee’s perception and interpretation of that specific subject [41].
As stated by Osterle et al., DSR applied in the IS field uses research methods taken from business,
social, computer, and engineering sciences. Some of the most used methods for exploration in the analysis phase include surveys, case studies and expert interviews. Furthermore, artifact evaluation
can be performed using different methods, such as laboratory experiments, expert reviews and field
experiments [34]. Therefore, interviews can be a quite relevant research method in DSR.
There are three basic types of interview: structured, semi-structured and unstructured. These types
differ in terms of their degree of standardization, that is, they have varying degrees of flexibility [42].
• Structured interviews: In a structured interview, the questions are predetermined both in content
and in form. A complete script is prepared beforehand to guarantee that all respondents are asked
the same questions with the same wording and in the same sequence. There is no room for
improvisation. Generally, this type of interview is used in surveys where the interviews are not
necessarily conducted by the researcher [42], [43].
• Semi-structured interviews: In the semi-structured interview, the content of the questions is
predetermined but not their form. The researcher has particular topics to investigate, prepares a
limited list of questions to be covered and, during the interview, asks follow-up questions. There is
room for improvisation [44], [43], [45]. The order in which the various questions are addressed
and the wording of the questions are decided by the interviewer. The interviewer is free to ask any
question deemed appropriate, to explain or ask for clarification if the answer is not clear, and to
prompt the interviewee to elaborate further [42].
• Unstructured interviews: In the unstructured interview, neither the content nor the form of the
questions is predetermined, so they may vary between interviews. The interviewer’s role is to raise
the topics to address during the conversation and simply to respond to the topics that seem worthy
of being followed [42], [44]. The interviewee is allowed to develop the chosen theme as they
wish and to maintain the initiative in the conversation [42].
The qualitative interview is the most common and one of the most important data-gathering tools. It
is an adequate and excellent method for gathering data and feedback, and has been used extensively
in IS research [46]. In qualitative interviewing there is much greater interest in the interviewee’s point of
view, so the researcher seeks rich and detailed answers. The two main types of qualitative
interview are the unstructured and the semi-structured interview; both types can be conducted in a
responsive way [44], [45]. Throughout this thesis, the authors use semi-structured interviews
as a means of collecting valuable information regarding the phenomenon under study.
Semi-structured interviews are especially appropriate because they are more flexible and powerful
than structured interviews, allowing the interviewers to probe and extend the interviewee’s responses
and perspectives. Therefore, interviewers can obtain in-depth information about the phenomenon in
terms of the interviewee’s perception [47], [45].
In the next chapters, the authors present all the relevant details regarding the semi-structured interviews performed and the results obtained from them.
3 Literature Review
Contents
3.1 Enterprise Governance of IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2 EGIT Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3 COBIT 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.4 EGIT in SMEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.5 Minimum Baseline of EGIT Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.6 ITIL implementation on SMEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.7 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
An initial and fundamental step in every research project is the review of prior and relevant literature. An effective literature review establishes a robust foundation that facilitates the development of theories, closes
out highly researched areas and reveals others where further research is required. Therefore, it is vital to
promote and guarantee the evolution of knowledge [48].
In this section, the authors present the literature review performed on the relevant issues and
solutions in the context of this thesis. We start by introducing the fundamental concepts and definitions
related to EGIT, EGIT mechanisms and the COBIT 5 framework. Next, we present some of the
characteristics of EGIT in SMEs. Subsequently, several studies related to a minimum baseline of
EGIT mechanisms are introduced. Lastly, cases of ITIL implementation in SMEs are addressed.
3.1 Enterprise Governance of IT
Corporate scandals in the nineties left investors and shareholders worried and led to the emergence of
corporate governance standards and regulations that provide transparency of risks and protection of shareholder value [1]. Corporate governance includes all “procedures and processes according to
which an organization is directed and controlled. It also specifies the distribution of rights and responsibilities among the board, managers, shareholders and other stakeholders and the rules and procedures
for decision-making” [49].
Meanwhile, IT was introduced as a means to integrate with business partners, increase productivity, attain competitive advantage and shape new business strategies, but it also exposes organizations to several IT-related risks. Nowadays, most organizations are increasingly aware of the importance of IT, realizing its ubiquity in business processes, its capability to create value and the huge investment it requires [50].
A large percentage of the market value of enterprises has shifted from tangible assets, like inventory and facilities, to intangible assets such as information, knowledge, expertise or patents, which generally revolve around the use of IT [1]. IT has thus become part of the business, as it is essential to manage and control the transactions, information and knowledge that are indispensable to sustain and develop organizations, directly influencing their success [1], [51]. With IT so intrinsic and pervasive within organizations’ environment, business and IT models have become virtually inseparable [52], and corporate governance needs to focus its attention on the use and management of IT-related assets [1], [8]. For this reason, EGIT became a “must have” for all organizations.
Steven de Haes et al. defined EGIT as “an integral part of corporate governance, exercised by the
Board, overseeing the definition and implementation of processes, structures and relational mechanisms
in the organization that enable both business and IT people to execute their responsibilities in support
of business/IT alignment and the creation of business value from IT-enabled business investments” [2].
As stated before, this concept reinforces the importance of the business side in delivering IT value. EGIT obviously covers more than the IT-related responsibilities; it also includes the IT-related business processes required for business value creation [2]. In addition, within the context of EGIT, it is extremely important to clearly differentiate the concepts of IT governance and IT management, since this distinction can influence the design and effectiveness of EGIT practices.
IT management is mainly focused on the internal aspects of IT-related services and products and on the effective management of present IT operations under the direction set by the governance body. IT governance, in turn, has a much broader responsibility that includes ensuring IT has the necessary capabilities to meet present business operations and performance needs, and also preparing IT for the future demands of internal and external customers. Obviously, IT governance and IT management are complementary, and although EGIT is the ultimate responsibility of the board and executive managers, all activities executed at every level of the enterprise should reflect the direction set by the governance body [1,52].
EGIT should direct and manage IT efforts to guarantee that the following objectives are satisfied [1]:
• Alignment between business and IT strategies and delivery of the expected benefits.
• Use of IT to exploit new opportunities and maximize benefits.
• Responsible and adequate allocation and use of IT resources.
• Proper management of IT-related risks.
Based on this, we can identify the five fundamental domains of EGIT, which are entirely driven by the stakeholders’ drivers or needs: strategic alignment, value delivery, risk management, performance management and resource management (Fig. 3.1) [1], [53]. Value delivery and risk management are considered the outcomes, while the remaining three domains are the drivers that realize these outcomes. Value delivery is driven by strategic alignment, while risk management is driven by incorporating accountability into the enterprise. Additionally, both outcomes need to be supported by resources and measured to guarantee that the expected results are achieved [1].
Fundamentally, EGIT covers every aspect of all IT-related decisions and accountability [54], such as “how decisions are made, who makes the decisions, who is held accountable, and how the results of decisions are measured and monitored” [55]. To help and support the implementation of effective EGIT, organizations should apply an EGIT framework. Steven de Haes defined a framework as a “set of guiding principles and good practices that are explicitly designed to be adapted by adopting organizations” [24]. Thus, an EGIT framework is a set of guidelines and good practices that specify methods to implement, direct and monitor IT-related activities.
Organizations can develop their own frameworks from scratch, using the expertise and practices that exist within the organization, or they can adopt best-practice frameworks that were formulated and improved by combining the knowledge and field experience of hundreds of organizations and experts. Thereby, enterprises that adopt these frameworks and correctly adapt them to their environment and context can attain a variety of benefits [56].
Figure 3.1: The five fundamental domains of EGIT [1]
Each EGIT framework can be successfully deployed using a mixture of the necessary set of mechanisms, namely structures, processes and relational mechanisms [10], [57].
3.2 EGIT Mechanisms
EGIT comprises a set of high-level definitions, including principles, values and goals, that should be operationalized through different types of mechanisms [58]. The first step in implementing effective EGIT is to develop a high-level model, but this alone is obviously not enough to guarantee that EGIT really functions in the organization. The next crucial step is to deploy this model in a sustainable way throughout all levels of the organization [2]. To accomplish this, organizations should adopt a holistic approach by using a mixture of several types of EGIT mechanisms, namely structures, processes and relational mechanisms [9] (Fig. 3.2).
• Structure mechanisms refer to the organizational units and roles responsible for IT-related decisions, such as an IT strategy committee or an architecture steering committee [2], [10].
• Process mechanisms correspond to formal processes for strategic IT decision-making and IT monitoring, ensuring that day-to-day behaviors are aligned with policies and providing information back to decision-making functions; examples include portfolio management and IT performance measurement [2], [10].
• Relational mechanisms include the active participation of, and collaboration among, corporate executives, IT managers and business managers, which contributes to disseminating EGIT principles. They are fundamental to supporting business/IT alignment and can include cross-training or EGIT awareness campaigns [2], [10].
Figure 3.2: Structure, processes and relational mechanisms for EGIT. Adapted from [2]
Organizations should implement these mechanisms as a means to direct and operationalize IT-related decision-making, ensuring that IT assets, activities and investments are consistent with the organization’s strategy, tactics, norms and culture [10], [17]. However, it is fundamental to understand that a host of internal and external factors influence the design of effective EGIT [13], [14], [59]. Strategies and tactics that work for one enterprise do not necessarily work for others, since they are highly dependent on the context and surrounding environment. Therefore, determining the appropriate mechanisms to implement EGIT can be a rather complex task [15], [59].
A study by De Haes and Van Grembergen suggests a close relationship between the implementation of EGIT mechanisms and the achievement of business/IT alignment [9], which contributes to the expected value delivery [1]. Another study reports that organizations that implemented EGIT mechanisms considerably enhanced their profitability; these mechanisms have been used to improve efficiency through cost reduction and resource management [16].
3.3 COBIT 5
COBIT 5, developed by ISACA, is an internationally well-established best-practice framework that assists the board, executive managers and operational managers from business and IT in achieving their EGIT objectives [2]. For this purpose, COBIT 5 addresses all the fundamental aspects of EGIT, such as strategic alignment, performance management, value delivery, resource management and risk management [60]. In theory, this framework is recognized as “generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector” [3].
The COBIT 5 framework is based on five core principles that are considered crucial to the governance and management of IT within organizations:
• Meeting Stakeholder Needs: An enterprise has the ultimate objective of creating value for all its stakeholders, which can raise conflicts. The governance body should evaluate stakeholder needs and then transform them into an attainable enterprise strategy. To support this procedure, a mechanism called the goals cascade was created, becoming an entry point to COBIT 5. It aims to transform stakeholder needs into specific enterprise goals, which are then linked to IT-related goals and finally mapped to enabler goals, such as relevant COBIT 5 processes. Therefore, this principle promotes strategic alignment [2,3].
• Covering the Enterprise End-to-End: COBIT 5 provides an organization-wide perspective, not focusing only on IT functions but considering IT as an organizational asset that needs to be managed and controlled to create value. The scope of COBIT 5 is the entire enterprise, following the idea that the business should take accountability for managing the use of IT to create business value from IT investments. To accomplish this, COBIT 5 defines both IT processes and IT-related business processes, as well as RACI charts including business and IT roles [2,3].
• Applying a Single Integrated Framework: COBIT 5 is recognized as an overarching framework that provides an extremely broad knowledge area and integrates with several standards and frameworks (Fig. 3.3). The COBIT 5 process reference model covers five domains: Evaluate, Direct and Monitor (EDM); Plan and Build (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and finally, Monitor, Evaluate and Assess (MEA). For all the domains, COBIT 5 provides a complete overview of what needs to be done, but to obtain more detailed guidance it can be necessary to use the integrated standards and frameworks [2,3].
Figure 3.3: COBIT 5 related to other standards and frameworks [3]
• Enabling a Holistic Approach: As aforementioned, implementing an effective EGIT framework requires a holistic approach using a mixture of interacting components, such as structures, processes and people. COBIT 5 defines a set of enablers, considered as “factors that, individually and collectively, influence whether something will work - in this case, governance and management over enterprise IT”. It describes seven types of enablers: (1) Principles, policies and frameworks; (2) Processes; (3) Organizational structures; (4) Culture, ethics and behavior; (5) Information; (6) Services, infrastructure and applications; and (7) People, skills and competencies [2,3].
• Separating Governance from Management: COBIT 5 establishes a clear separation between governance and management, considering that they involve distinct organizational structures and purposes. “Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” On the other hand, “Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives” [3].
Beyond these principles, COBIT 5 considers processes one of the most relevant enablers, since they allow IT-related activities to be organized in a repeatable and reliable way. This framework therefore provides a reference guide to the 37 COBIT 5 processes, distributed over the governance and management domains (Fig. 3.4) [4].
For each process, it provides a short description and a purpose statement. These are converted into a set of goals and metrics at distinct levels, namely process goals, IT-related goals and enterprise goals. The idea is that the achievement of process goals contributes to the achievement of IT-related goals, which in turn supports the achievement of enterprise goals [2,3].
Figure 3.4: COBIT 5 Process Reference Model [4]
Each process is decomposed into a set of base practices that provide high-level requirements for the process; in total, COBIT 5 defines more than two hundred practices. Then, for each practice, the inputs and outputs are defined, together with a RACI chart indicating which of the 26 roles defined by COBIT 5 will be involved in the practice. Finally, each practice is decomposed into a set of activities that describe the steps required to successfully implement the practice. To obtain more practical guidance it is necessary to follow a more specific framework that is integrated with COBIT [2, 4]. The framework states the flow of inputs and outputs between practices, creating an exorbitant number of interdependencies that definitely increase the complexity of its implementation.
Figure 3.5: Seven Phases of the Implementation Life Cycle [5]
Recognizing that implementing EGIT is a quite complex and challenging task, COBIT 5 recommends applying an implementation life cycle (Fig. 3.5). This life cycle is divided into seven distinct phases that include three interrelated components: the EGIT continual improvement life cycle, change enablement and programme management. Change enablement is concerned with the cultures and behaviors affected by ongoing changes.
The complexity of COBIT 5 and its initial implementation problems require specific and detailed guidance [24,30]. Despite the existence of an implementation guide, it is still a high-level description of the several phases, containing interrelated components that should be dealt with at the same time [5]. Thus, the guide is not very concrete on how to address the complexity and problems encountered during implementation.
COBIT covers every IT-related aspect of the enterprise, making it a very complete framework. Hence, it also becomes highly complex, and not even larger organizations implement COBIT 5 in full. The complexity induced by the huge number of interrelated components required to effectively implement EGIT can easily overwhelm enterprises that wish to adopt it; consequently, they do not know where to start or how to approach the implementation process. Definitely, this can represent a substantial obstacle to the implementation of this framework [23], even more so in SMEs.
3.4 EGIT in SMEs
“Small and medium-sized enterprises (SMEs) are the backbone of Europe’s economy. They represent 99% of all businesses in the EU. In the past five years, they have created around 85% of new jobs and provided two-thirds of the total private sector employment in the EU”¹. SMEs are considered a key element in promoting economic growth, innovation, job creation and social integration.
These organizations play a fundamental role in today’s economies, so their issues should be rigorously addressed and investigated. They can have a direct impact on larger organizations, since they are crucial components of their supply chains, and the larger organizations can in turn require them to follow specific standards and frameworks.
Like bigger companies, SMEs also want to create value by applying IT to their strategic activities. “It would be wrong to think that SMEs are not concerned by it, just as it would be wrong to think that they have nothing to gain, strategically speaking, from it” [61]. For SMEs, IT adoption can produce diverse benefits such as higher productivity, enhanced efficiency and greater ease of access to, and competition in, international markets [62]. Therefore, it can have critical consequences for growth and survival in a highly competitive market [50, 63], becoming critical in this era of globalization [62]. Thus, EGIT is also fundamental to SMEs and must be studied [63].
Most EGIT frameworks, such as COBIT 5, are often criticized for being more appropriate for large enterprises and less so for SMEs, since they do not consider the characteristics that distinguish SMEs from larger organizations [63], particularly with regard to their organizational structures, financial and IT resources and IT management postures [17].
For example, regarding organizational structure, SMEs do not always have a board of directors. Their decision-making structures tend to be centralized, flat and informal [19], [64]. These are centralized around the CEO or owner, exhibiting low levels of formalization and complexity [65], which enables the owner or CEO to personally influence the decision processes [66]. The expertise of the SME owner or CEO generally lies in non-IT aspects of the business, which can have a huge impact on the business’s perception and adoption of IT [67].
Financial and IT resource limitations are much bigger in SMEs; hence they spend much less on IT [68] and have difficulty attracting capable IT staff, which in turn affects the IT management posture. This definitely contributes to the lack of IT specialists and to smaller or non-existent IT departments [19]. SMEs’ employees tend to be hired for their business skills, to ensure core business survival, and may therefore be unaware of the potential benefits and costs of IT [67].
¹ https://ec.europa.eu/growth/smes_en
In turn, adopting a broad and complete EGIT framework requires capable IT staff with EGIT expertise, which normally does not exist in SMEs. Most such organizations maintain small internal IT departments, responsible for IT management, that are focused on short-term solutions and operational efficiency [66]. Generally, SMEs lack a long-term vision of their business and tend to adopt an operational rather than a strategic view [69], [70]. Thus, these departments tend to look for outsourced IT-enabled business solutions [68]. For this reason, SMEs must often depend on outsourcing and external consultants for service and support, including for implementing EGIT [19]. Outsourcing can present problems such as the instability of service providers and a lack of service level agreements, making SMEs extremely vulnerable.
Additionally, time can also be a problem for these enterprises, since the owner and managers are regularly overloaded with other business priorities [71].
To summarize, resource limitations and the lack of IT knowledge within the organization have a negative impact on the perception and adoption of IT. Undoubtedly, these characteristics of SMEs make the implementation of broad, large EGIT frameworks extremely difficult. Such frameworks are complex and costly to implement; hence SMEs perceive the implementation process as frightening and impractical [28]. Thus, the best approach is to scale down and adapt the existing frameworks to fit those particular SMEs [72].
3.5 Minimum Baseline of EGIT Mechanisms
The complexity of broad best-practice frameworks for EGIT implementation, and especially of COBIT 5, is a problematic issue. It requires the coordination of a large number of components, namely structures, processes and relational mechanisms. According to De Haes et al. [24], problems with COBIT 5 implementation start at an early phase, when practitioners have to decide which processes to implement and in what order.
A possible and suitable solution is to identify a capable minimum baseline of EGIT mechanisms that could serve as a starting point or basis for effectively implementing EGIT in organizations [8, 23]. However, different organizational contexts may imply different EGIT mechanisms [73]. Therefore, it is clear that a minimum baseline will not be suitable and sufficient for all organizations. The minimum baseline should be used as a roadmap for implementing the most significant EGIT mechanisms in specific organizational contexts [31], and it should be adapted and supplemented with other mechanisms as required by the organization’s environment [8].
In the literature, several studies were found that aimed to identify minimum baselines to support and facilitate EGIT implementation in distinct environments. De Haes and Van Grembergen [8] provided a minimum baseline of EGIT mechanisms for Belgian financial services organizations that is regarded as the necessary set of mechanisms to implement EGIT in this sector. Pereira et al. have also contributed by identifying minimum baselines of EGIT mechanisms for two different Portuguese sectors, namely the financial industry [32] and the healthcare industry [31]. Analyzing the differences between the obtained baselines, it becomes clear that contingency factors can definitely have a huge impact on EGIT.
Afterwards, Bianchi et al. identified a baseline for implementing EGIT in universities based on in-depth interviews involving universities in Brazil, Portugal and the Netherlands [33]. The resulting baseline was compared with all the previously identified minimum baselines, namely the baselines for the Portuguese financial and healthcare industries and for the Belgian financial industry, allowing the similarities and dissimilarities between them to be detected.
Bartens et al. applied a slightly different approach: their research focused mainly on processes, specifically the COBIT 5 processes that could serve as a basis for effectively implementing COBIT 5 while reducing its inherent complexity. However, the other enablers defined by COBIT 5 are also extremely relevant, and the authors suggest that further research should also consider them [23]. This approach can be useful, but we consider that a mixture of mechanisms is essential to the effective implementation of EGIT, so a baseline should not comprise only process mechanisms but also the other types of mechanisms.
All these studies followed the same procedure: several experts were interviewed in order to evaluate an overarching list of EGIT mechanisms in terms of effectiveness and ease of implementation. Subsequently, each of them was asked to elect the 10 most important mechanisms based on the previous evaluation and their personal experience. Their answers were instrumental in supporting the choice of the minimum baselines. The only exception was the research by Bartens et al., in which the experts analyzed and evaluated the list of COBIT 5 processes instead of a list of EGIT mechanisms, as in the other studies.
All the aforementioned authors have stated that further investigation is needed to identify and evaluate other contingencies influencing EGIT mechanisms. For example, further investigations could “address the impact of specific contingencies such as industry, geography and size” [8]. Therefore, we consider that a minimum baseline of EGIT mechanisms to effectively govern IT in SMEs would definitely help facilitate EGIT implementation in this specific context.
3.6 ITIL implementation on SMEs
Initially, we searched the literature for concrete cases of COBIT 5 implementation in SMEs, but there was no relevant material. Consequently, we searched for implementations of similar frameworks, such as the Information Technology Infrastructure Library (ITIL).
The pervasive use of IT makes organizations increasingly dependent on IT services to satisfy business needs and objectives. It is mandatory that IT services achieve their expected function. Therefore, Information Technology Service Management (ITSM) emerged to define quality rules that guarantee performance and satisfy customer needs through efficient service management practices across the service life cycle [74].
The most common framework for ITSM is ITIL [75]. ITIL is globally recognized as a reference framework presenting guidance to IT service providers on the provision of IT services in accordance with customers’ demands regarding functionality, quality of service and transparency. Generally, it provides processes and procedures considered efficient, reliable and adaptable to organizations of all sizes [75].
This standard defines a service life cycle divided into five stages: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. Each stage is influenced by and dependent on the others, receiving inputs and providing feedback [75]. However, identifying the first process to implement is a complex question, especially for SMEs. The implementation order is also one of the problems recognized in ITIL implementations [76], as it is in COBIT 5 implementations.
To address this problem, J.A. Calvo-Manzano et al. performed two different surveys [76]. The first survey, directed at SMEs, had the objective of determining which ITIL processes are used in organizations and which processes will be implemented in the future.
The top three processes already in use include two processes from Service Operation, the Request Fulfillment process and the Problem Management process, which cover incident, request and problem management, and one process from Continual Service Improvement, the Seven-step improvement process. Therefore, analyzing the results, we can perceive that SMEs are mostly focused on maintaining and improving their critical business operations to guarantee that IT services are delivered effectively and efficiently.
The top three processes planned for future implementation are Knowledge Management; IT Service Continuity Management, Supplier Management or Change Evaluation; and, finally, Design Coordination, Information Security Management or Event Management. Thus, the processes to be implemented are related to Service Design and Service Transition, contributing to correctly designing new services and to properly building and deploying services, respectively.
The second survey, directed at experts, intended to determine the order in which ITIL processes should be implemented in SMEs according to their experience. The results showed that the first process to be implemented is Incident Management; the second is Service Level Management or Service Catalogue Management; and, lastly, the third is Service Asset or Configuration Management. Additionally, the experts interviewed were asked to identify the criteria used to prioritize ITIL processes. The most cited criteria were Quick Wins, Strengthen Service Support, Customer Services and Demands prioritization.
From these results, we can notice that the first ITIL process to implement belongs to the Service Operation stage. Furthermore, one of the most used criteria in the prioritization was quick wins, which allow the business operations to easily perceive the positive impact that ITSM processes would have if effectively implemented. Other common criteria were also focused on business operations, such as Strengthen Service Support or Customer Services.
Finally, after analyzing the results of both surveys, it is clear that an ITIL implementation in an SME will typically start with processes from the Service Operation stage, consistent with the focus of these enterprises on business operations.
Philipp Schmidtbauer et al. investigated whether ITIL is suitable for SMEs as is or whether some adaptations are necessary [77]. Their research focused on a case study at Nordex, a wind turbine manufacturer from Germany, to explore the processes and changes involved when introducing ITIL Service Operation in a real-life SME. In this case, the ITIL implementation followed a project-based approach. It started with the Service Operation processes, because they have a strong operational focus and build the basis for further implementation activities.
At the beginning, specific staff were selected for ITIL training at Foundation Level. The process flow diagrams were then customized to fulfill the requirements of Nordex, resulting in a 3-layered process. This involved modeling and documenting the ITIL processes in a predefined format, so that all employees understand the process diagrams and can suggest improvements.
Based on the literature and the Nordex case study, the authors concluded that there is no standard procedure to implement ITIL, but the project-based ITIL implementation used showed that general project activities can be useful. This case study demonstrated that the implementation of Service Operation processes based on ITIL can be a viable and beneficial solution, but the processes and roles have to be adapted to the IT department and resources available in an SME. As ITIL implementation depends fundamentally on the needs and context of the enterprise, the experiences collected in the case study should be considered only as inspiration.
3.7 Related Work
As part of the literature review, the authors searched for empirical studies that specifically addressed EGIT mechanisms, in order to understand the existing body of knowledge and how the findings of this study will contribute to knowledge advancement [78]. As aforementioned, the review of related work helps close highly researched areas and reveal others where further research is required [48]. Thus, Table 3.1 presents a set of relevant empirical studies regarding the use of EGIT mechanisms in organizations. The column “SMEs” indicates whether the study was focused on SMEs.
Table 3.1: Empirical Research on EGIT Mechanisms

Source | Description | SMEs
[79] | Examines empirically four EGIT mechanisms that influence the overall effectiveness of EGIT in Australian public sector organizations. | No
[8] | Studies the effectiveness and ease of implementation of EGIT mechanisms and provides a minimum baseline of EGIT mechanisms, focusing only on Belgian financial services organizations ranging from 100 to over 1000 employees. | No
[17] | Examines qualitative data from three SME case sites, focusing on the influence of EGIT mechanisms related to two specific aspects: IT steering committees and IT-related communication policies. | Yes
[80] | Investigates EGIT mechanisms in a multi-sourced IT environment. Presents a real-life example of EGIT mechanisms at a leading multinational financial services provider and proposes a framework of mechanisms suitable for this context. | No
[81] | Examines empirically the EGIT mechanisms that influence the overall effectiveness of EGIT. Investigates the relationship between effective EGIT, the extent of IT outsourcing decisions, and the level of IT intensity. | No
[50] | Research based on surveys of SMEs in the Australian tourist accommodation industry regarding their use of EGIT mechanisms, to define a framework of the core elements to implement in this context. | Yes
[16] | Investigates whether Brazilian companies that have adopted EGIT mechanisms have improved their financial performance, by measuring pre- and post-adoption performance indicators. | No
[32] | Exploratory study that intends to elicit and validate possible EGIT mechanism patterns and identify the most relevant EGIT mechanisms for financial services organizations, based on six interviews in Portuguese organizations. | No
[31] | Exploratory research aiming to elicit ITG mechanism patterns based on case study analysis and to draw conclusions about ITG mechanisms for the Portuguese healthcare industry, based on six semi-structured interviews in large healthcare services organizations. | No
[33] | Exploratory research to identify an EGIT mechanisms baseline for universities, based on six case studies comprising in-depth interviews at three large public universities in Brazil, Portugal and the Netherlands. | No

There are some relevant empirical studies about EGIT mechanisms, but few are focused on SMEs. One of them, developed by Huang, Zmud and Price [17], specifically addresses SMEs, but it examines the influence of EGIT mechanisms related to only two specific aspects of EGIT: IT steering committees and communication policies. The results presented by this study are definitely interesting. However, the authors believe that evaluating all aspects of EGIT in a holistic way will also be a great contribution. Therefore, further research on this topic is required.
The second study focused on SMEs, by Wilkin [50], investigates and identifies the core EGIT mechanisms to implement in SMEs operating in the Australian tourist accommodation industry. This study motivated us to investigate the fundamental EGIT mechanisms for SMEs using a more comprehensive approach: the authors consider it worthwhile to evaluate EGIT mechanisms without restricting the evaluation to a single industry.
4 Research Proposal

Contents
4.1 Objectives
4.2 Description
This chapter corresponds to the Analysis phase of the DSR process, in which the research objectives are specified. Therefore, the objectives and a brief description of our proposal to solve the identified problem are presented below.
4.1 Objectives
The main objective of the proposed solution is to facilitate COBIT 5 implementation in SMEs, helping to overcome the obstacles mentioned in section 1.1. To achieve this, we consider that the proposed solution should meet the following objectives:
• Objective 1: Identify the fundamental mechanisms to implement effective EGIT in SMEs;
• Objective 2: Establish the correspondence between the fundamental EGIT mechanisms for SMEs and the Processes and Organizational Structures defined in COBIT 5.
Thus, the authors seek to contribute to the knowledge base regarding EGIT in SMEs, to produce a suitable solution that helps practitioners from these organizations understand the fundamental processes and organizational structures needed to implement EGIT using the COBIT 5 framework, and possibly to promote its adoption in this type of organization.
4.2 Description
In order to achieve the aforementioned objectives and solve the research problem, we propose a solution that involves the development of two distinct artifacts. The first artifact is used to construct the second.
The first artifact consists of a minimum baseline of EGIT mechanisms for SMEs, i.e. the minimum set of fundamental mechanisms needed to implement effective EGIT in SMEs. This baseline will be extracted from an overarching list of mechanisms based on the list initially provided by De Haes and Van Grembergen [8] and complemented with other mechanisms identified in Almeida's literature review [82]. Besides being recent, Almeida's study references some of the most relevant studies on EGIT mechanisms, such as [10], [13], [14], [55], [52]; the authors therefore consider this list a good reference for the possible EGIT mechanisms to implement.
The minimum baseline will be defined following a procedure similar to that of the aforementioned minimum-baseline studies, so that the results obtained in different studies can be compared to draw new conclusions. The procedure will be based on semi-structured interviews with several experts with experience in the IT decision-making process in an SME context, ensuring that the baseline is appropriate and connected as much as possible to the real environment of SMEs. To ensure that the interviewees understand all the EGIT mechanisms, the list containing their definitions (Appendix A) will be sent in advance, together with the questionnaire (Appendix B). As stated before, a minimum baseline of EGIT mechanisms can play a fundamental role in reducing the complexity associated with broad best-practice frameworks for EGIT implementation such as COBIT 5.
The second artifact intends to establish the mapping between each EGIT mechanism present in the baseline and the COBIT 5 Processes and Organizational Structures that support the implementation of that mechanism and fulfil its purpose. To enable a solid and substantiated mapping between mechanisms and COBIT 5 components, we intend to use complete and detailed mechanism definitions. COBIT 5 best practices can then be used to support the implementation of the desired mechanism. Furthermore, this artifact makes it possible to identify differences between a mechanism and the mapped COBIT 5 component, or even EGIT mechanisms that are not present in the COBIT 5 framework but are recognized as fundamental for SMEs, which can also be an important contribution of this research.
Starting from the identified minimum baseline of EGIT mechanisms for SMEs, it will be possible to understand the most relevant EGIT mechanisms for this specific context. The implementation of these mechanisms has to be prioritized, adapted and complemented according to the specific needs of each organization [8]. The mapping between these mechanisms and the COBIT 5 framework then enables the identification of the fundamental Processes and Organizational Structures defined in COBIT 5 that are required to effectively implement those mechanisms. The development and analysis of both artifacts are presented and explained in detail in the following chapters.
5 Minimum Baseline of EGIT Mechanisms for SMEs

Contents
5.1 Design
5.2 Evaluation
This chapter addresses the Design and Evaluation phases of the DSR process for the first artifact. As aforementioned, the Design phase should encompass the construction of the artifact using generally accepted methods and its comparison with existing solutions. Moreover, the created artifacts should be evaluated against the pre-established objectives; the review process that precedes scientific publication is also part of this evaluation. Therefore, a detailed description of the Design and Evaluation phases for the minimum baseline of EGIT mechanisms for SMEs is presented.
In section 5.1, the authors describe in detail the procedure performed to investigate and elicit the minimum baseline of EGIT mechanisms for SMEs, which was the main goal. Given the lack of research addressing EGIT mechanisms in SMEs, the qualitative analysis performed enabled the authors to obtain significant information about EGIT mechanisms based on practitioners' perceptions. This qualitative analysis also contributes to the advancement of the existing body of knowledge. Section 5.2 then presents and explains the details of the evaluation of this artifact.
5.1 Design
Multiple studies were developed to investigate EGIT mechanisms when exposed to different contingen-
cies. However, few studies sought to explore the appropriate mechanisms to implement an effective
EGIT in SMEs. Therefore, this is an exploratory study aiming to identify a minimum baseline of EGIT
mechanisms to be implemented in SMEs.
As aforementioned, the authors decided to use qualitative research since it allows phenomena to be studied in their natural environment and understood from the perspective of the people who deal with them in that specific setting [83, 84]. In this case, the focus is EGIT mechanisms in the SME context.
In order to collect suitable and valuable information about EGIT mechanisms in SMEs, eleven semi-structured interviews were performed. Interviews are valuable because they capture the detailed views of interviewees, who can express their own experience and feelings about the phenomenon being studied. Semi-structured interviews are especially appropriate for this study because they are more flexible and powerful than structured interviews, allowing the interviewer to probe and extend the interviewee's responses and perspectives [45,47].
All the interviewees were IT experts with knowledge and experience in SMEs. They include CEOs, CIOs, IT Directors and IT Managers, which are the main roles involved in IT-related decision-making [1], thereby ensuring that the results are appropriate and linked as closely as possible to the reality of SMEs. Table 5.1 presents the profile of each interviewee, including their background and professional experience. The fifth and sixth columns correspond to their experience in IT and in SMEs, respectively. In addition, the eighth column shows the size of the organization compared to the size of the IT department, whereas the ninth corresponds to the duration of the interview.
Table 5.1: IT experts’ details.
The contextualization of other contingency factors, such as industry, culture, strategy or maturity, would be important for future generalization of the results [85]. However, it was not possible to identify these factors because the interviewees answered based on all their experience in SMEs rather than on one organization. Furthermore, the size of the organization corresponds to the current or last organization in which the interviewee worked.
Several SMEs and experts were contacted by e-mail and phone to present our study and invite them to an interview. Once accepted, the interview was scheduled and two documents were sent by e-mail to each interviewee. The first document contained the EGIT mechanism definitions, to guarantee that all the interviewees had the same understanding of each mechanism (Appendix A); the second was the questionnaire that guided the interview.
This questionnaire is composed of two distinct parts (Appendix B). The first part consists of a few questions about the academic qualifications and professional experience of the interviewees, while the second part concerns the evaluation of EGIT mechanisms. This evaluation comprises two parameters: difficulty of implementation and potential effectiveness in the SME context. Subsequently, each interviewee was asked to select the ten most important mechanisms based on their professional experience in SMEs.
The difficulty of implementation of a mechanism is defined as the amount of time and effort required to implement it, and the effectiveness of a mechanism is defined as the extent to which it contributes to the achievement of IT-related goals and objectives. The evaluation was based on a Likert scale [86] ranging from 0 to 5. For difficulty of implementation, 0 means "not difficult at all" and 5 means "extremely difficult", while for effectiveness 0 means "not effective" and 5 means "extremely effective".
The interviews were performed mainly via Skype but, when possible, face-to-face. They were conducted in Portuguese and recorded using QuickTime Player for face-to-face interviews and Ecamm Call Recorder for Skype interviews.
As the interviews were semi-structured, the interviewer played a fundamental role in leading them. The interviewer asked open-ended questions, allowing the interviewee to express their perspective in their own terms and meanings. This was essential to obtain more in-depth answers, understand the rationale behind some classifications and ensure a well-founded evaluation of the mechanisms. The next section presents the analysis of the collected data.
5.1.1 Data Analysis and Discussion
The results of the evaluation performed during the interviews are presented in Table 5.2. This table contains the list of EGIT mechanisms and eleven columns presenting the interviewees' answers. Each column includes two sub-columns, based on questions previously used in established studies, which facilitates future comparison of results. Column 'D' corresponds to the difficulty of implementation of the mechanism, while column 'E' corresponds to its effectiveness. Lastly, column 'E-D' corresponds to the difference between the total values of 'E' and 'D'.
The interviews were productive and insightful, and a large amount of valuable data was collected. The quantitative data was analyzed using Microsoft Excel to calculate the total values for each mechanism and the average for each type of mechanism. These results are also presented in Table 5.2, where the mechanisms are sorted in descending order of 'E-D', reflecting the importance each mechanism may have in the SME context. When two mechanisms have the same difference, the one with the higher 'E' is ranked first. Furthermore, the recorded interviews were transcribed, enabling a qualitative analysis through which the authors intend to obtain further details about EGIT mechanisms.
The authors would like to stress that a different approach was taken in the evaluation of some mechanisms compared with previous studies of EGIT mechanisms under other contingencies [8], [33], [32], [31]. The three possible models for IT Organization Structure (Centralized, Decentralized and Federal) were evaluated separately, whereas other studies evaluated IT Organization Structure generically. In addition, the mechanisms CIO on Executive Committee and CIO reporting to CEO and/or COO were evaluated as two distinct mechanisms, while previous studies treated them as one.
After the evaluation, each interviewee selected the ten EGIT mechanisms they consider fundamental to effectively implement EGIT in SMEs. Table 5.3 shows the results and contains only the mechanisms selected by at least one interviewee. The columns represent the eleven interviewees and the grey cells indicate the mechanisms each of them selected as fundamental. The 'Freq.' column indicates the number of times each mechanism was selected.
Table 5.2: Results from interviews with IT experts.
Table 5.3: Ten most important mechanisms selected by each interviewee.
Given the number of interviewees, the authors consider that the minimum baseline should be composed of the EGIT mechanisms selected as fundamental for SMEs by at least five interviewees. Following this criterion, nine distinct mechanisms were identified as the minimum baseline of EGIT mechanisms for SMEs. These mechanisms are highlighted in green in Table 5.3.
For all the reasons above, the authors believe that the minimum baseline should be considered a good starting point for effectively implementing EGIT in SMEs. However, the minimum baseline may not be the necessary and sufficient set for every organization. Therefore, the authors recommend looking at the remaining mechanisms with high 'E-D' values in Table 5.2 as a possible complement.
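The scoring procedure described above (totals of 'E' and 'D', the 'E-D' ordering with its tie-break on 'E', the per-type averages, the frequency threshold used to select the baseline, the rescaling of totals to a different number of interviewees used later for the cross-study comparison, and the inverted difficulty axis of the pick chart) is small enough to state exactly in code. The following is an added example written for this page, not code or data from the thesis: the scores and selections are invented for four mechanisms and four interviewees, and the selection threshold is a parameter (the thesis used five of eleven).

```python
# Added example (not from the thesis): the scoring procedure of Section 5.1.1
# applied to constructed sample data. Scores and selections below are invented
# for illustration; they are not the interview results of Tables 5.2 and 5.3.
from collections import Counter, defaultdict

LIKERT_MAX = 5  # both parameters are scored on a 0-5 scale

# Constructed sample: four interviewees score four mechanisms.
# Value: (type, [(D, E), ...]) with one (difficulty, effectiveness) pair per interviewee.
SAMPLE_SCORES = {
    "Centralized IT Organization Structure": ("S", [(1, 5), (2, 4), (1, 5), (1, 5)]),
    "Informal Meetings": ("R", [(1, 5), (1, 4), (1, 5), (1, 4)]),
    "IT Budget Control and Reporting": ("P", [(2, 5), (2, 4), (3, 5), (2, 5)]),
    "Job Rotation": ("R", [(4, 2), (5, 1), (4, 2), (4, 1)]),
}

# Constructed sample: the mechanisms each interviewee picked as fundamental.
SAMPLE_SELECTIONS = [
    {"Informal Meetings", "IT Budget Control and Reporting"},
    {"Informal Meetings", "Centralized IT Organization Structure"},
    {"IT Budget Control and Reporting", "Centralized IT Organization Structure"},
    {"Informal Meetings", "Job Rotation"},
]


def rank_by_e_minus_d(scores):
    """Table 5.2 ordering: total E minus total D, descending; equal differences
    are broken by the higher total E. Returns (name, type, D, E, E-D) rows."""
    rows = []
    for name, (mtype, pairs) in scores.items():
        total_d = sum(d for d, _ in pairs)
        total_e = sum(e for _, e in pairs)
        rows.append((name, mtype, total_d, total_e, total_e - total_d))
    return sorted(rows, key=lambda r: (r[4], r[3]), reverse=True)


def type_averages(scores):
    """Figure 5.1: mean D and mean E per mechanism type (S, P, R)."""
    sums = defaultdict(lambda: [0, 0, 0])  # [sum of D, sum of E, count]
    for mtype, pairs in scores.values():
        for d, e in pairs:
            sums[mtype][0] += d
            sums[mtype][1] += e
            sums[mtype][2] += 1
    return {t: (s[0] / s[2], s[1] / s[2]) for t, s in sums.items()}


def minimum_baseline(selections, threshold):
    """Table 5.3 criterion: keep mechanisms chosen by at least `threshold`
    interviewees (the thesis used 5 of 11). Returned in alphabetical order."""
    freq = Counter(m for chosen in selections for m in chosen)
    return sorted(m for m, count in freq.items() if count >= threshold)


def rescale_total(total, n_from, n_to):
    """Table 5.10 comparison: a total summed over n_from interviewees, rescaled
    proportionally to the n_to interviewees used by another study."""
    return total * n_to / n_from


def pick_chart_coordinates(scores):
    """Figure 5.2 axes: mean difficulty inverted (LIKERT_MAX - D) so that
    'easy and effective' mechanisms land in the upper-right quadrant."""
    coords = {}
    for name, (_, pairs) in scores.items():
        n = len(pairs)
        mean_d = sum(d for d, _ in pairs) / n
        mean_e = sum(e for _, e in pairs) / n
        coords[name] = (LIKERT_MAX - mean_d, mean_e)
    return coords


def quadrant(x, y, midpoint=LIKERT_MAX / 2):
    """Name the pick-chart quadrant of an (inverted D, E) point."""
    vertical = "upper" if y > midpoint else "lower"
    horizontal = "right" if x > midpoint else "left"
    return f"{vertical} {horizontal}"


if __name__ == "__main__":
    for row in rank_by_e_minus_d(SAMPLE_SCORES):
        print(row)
    print(type_averages(SAMPLE_SCORES))
    print(minimum_baseline(SAMPLE_SELECTIONS, threshold=2))
    for name, (x, y) in pick_chart_coordinates(SAMPLE_SCORES).items():
        print(name, (x, y), quadrant(x, y))
```

In the sample, Centralized IT Organization Structure and Informal Meetings both reach 'E-D' = 14, and the tie-break on the higher 'E' places the centralized structure first, which is the rule the text describes for Table 5.2. The threshold for the baseline is passed explicitly because it depends on the number of interviewees.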
5.1.1.A Main Findings
When analyzing the results of the evaluation of EGIT mechanisms (Table 5.2), the authors verified that there are differences between structures, processes and relational mechanisms, as represented in Figure 5.1. Compared to structures and processes, the relational mechanisms present better average values for both difficulty of implementation and effectiveness. In addition, structural mechanisms are perceived as the least effective and the most difficult to implement in an SME context.
Figure 5.1: Averages of the difficulty of implementation and effectiveness
Although the difference is not large, the relational mechanisms present better results in both parameters. This is not surprising: SMEs are characterized by low levels of complexity and formalization, which do not favour the implementation of formal structures and processes.
Considering the 'E-D' values in Table 5.2, it is worth mentioning the mechanisms that obtained the best and worst classifications. To complement this quantitative evaluation with relevant qualitative data, Table 5.4 presents quotations collected through the open-ended questions.
The structure, process and relational mechanism with the highest classifications are Centralized IT Organization Structure, IT Budget Control and Reporting, and Informal Meetings, respectively.
Table 5.4: Part of interviewees' quotations about the best and worst EGIT mechanisms for SMEs.
The majority classified the Centralized IT Organization Structure as very effective and easy to implement. According to the interviewees' responses in Table 5.4, this can be extremely important when IT-related resources are limited. Furthermore, some interviewees added that this mechanism is inherent to any SME, being "born" with the organization, while the decentralized and federal models are complex and require great effort to manage.
The process with the highest classification was IT Budget Control and Reporting. Many interviewees noted that, given the lack of resources that generally affects SMEs, this process can be extremely effective, enabling permanent control of the available IT budget. However, one interviewee shared a negative experience in which this control was the responsibility of the financial administrator, who, for lack of understanding, refused several IT investments without realizing the negative impact on the business. Thus, the mechanism can be effective for SMEs but requires that the person responsible recognizes the role of IT in the business.
Finally, the relational mechanism was Informal Meetings. As reported by the interviewees, it is easy to implement and becomes the main point of contact between business and IT, building the human relationships that facilitate group work. It also allows open discussion of timely issues on both sides, IT and business, promoting business/IT strategic alignment.
In contrast, the structure, process and relational mechanism with the lowest classifications are IT Leadership Council, ITG Assurance and Self-Assessment, and Job Rotation, respectively.
The IT Leadership Council intends to manage a mix of responsibilities for infrastructure services, enterprise-wide and at business unit level. It was considered poorly effective and difficult to implement, and the reasons were consensual: the interviewees stated that this mechanism does not make sense for SMEs, being appropriate only for larger organizations that do not apply a centralized structure.
ITG Assurance and Self-Assessment is a process for performing assessments of the governance of and control over IT. Several interviewees considered it quite difficult to implement. The main reason given was that, considering the size and priorities of these organizations, a process that regularly reviews IT governance would make crucial business processes too heavy.
Finally, Job Rotation was evaluated by most interviewees as difficult to implement. Based on the interviewees' comments, one of the main reasons is the risk of compromising the normal performance of both functions, since they require specific knowledge and competencies and, moreover, time for adaptation. Another reason is people's resistance to leaving their comfort zone.
Through analysis of the qualitative feedback, the authors identified contradictory opinions regarding the Chargeback process. As presented in Table 5.5, two interviewees mentioned that this mechanism is not worth implementing in SMEs because it is too arduous for the benefits produced. However, two other interviewees had the opposite opinion: they said this mechanism is relatively easy and may be useful for an SME. Moreover, several interviewees with experience in the public sector mentioned that there is a lack of culture and habits to support the implementation of this mechanism.
Table 5.5: Interviewees’ quotations about the Chargeback process for SMEs.
Similarly, several interviewees reported a lack of culture and habits that promote the implementation of reward mechanisms in the public sector (see Table 5.6). Thus, the mechanism Partnership Rewards and Incentives is extremely difficult to implement in public SMEs. Several interviewees with experience in private SMEs, on the other hand, stated that the major difficulty is the capacity of SMEs to provide financial incentives. One of these interviewees recommended providing other types of incentives, such as training.
Table 5.6: Interviewees' quotations about the Partnership Rewards and Incentives for SMEs.
Based on the feedback presented in Table 5.7, the authors also verified that SMEs struggle to implement EGIT structures, which was to be expected. As mentioned by interviewees from both the public and private sectors, an SME typically has a small set of administrators who are responsible for all the decisions that affect the organization, including IT-related decisions.
Table 5.7: Interviewees' quotations about accumulation of responsibilities in SMEs.
The interviewees also stated that, given the scarcity of financial and IT resources, there are structural mechanisms that cannot be implemented by creating a formal committee or position dedicated exclusively to that responsibility. However, their purpose is sometimes highly relevant and, therefore, SMEs tend to accumulate the responsibilities of various EGIT structures in existing structures within the organization, such as the IT administrator or the administrative committee referred to above.
The interviewees mentioned that this administrative committee typically performs the function of several EGIT structures, namely the IT Strategy Committee, IT Steering Committee and IT Investment Committee. In the same way, the IT administrator performs the functions of the ITG Officer and the Business/IT Relationship Manager. As declared by one interviewee, "The SMEs have to be pragmatic and there is usually the accumulation of functions".
According to the quotations presented in Table 5.8, there are also EGIT structures that are not worth implementing internally, such as the IT Audit Committee and the IT Security Committee. In these cases, SMEs typically resort to outsourcing.
Table 5.8: Interviewees’ quotations regarding the outsourcing in SMEs.
The authors believe that these findings about several EGIT mechanisms, extracted from the feedback of professionals, may be valuable and useful information for practitioners, mainly SME managers. For researchers, they can motivate investigation of other contingency factors and how they influence the management of organizations.
5.1.1.B Cross-study Comparison
Next, Table 5.9 presents the baseline of EGIT Mechanisms for SMEs in comparison with the baselines
identified for other contingencies. The cells in grey represent the mechanisms from the baseline for
SMEs that were also selected to the baseline for a different contingency.
It is interesting to note that no mechanism is common to all the contingencies studied so far. Furthermore, two mechanisms do not appear in any other baseline: Shared Understanding of Business/IT Objectives and Informal Meetings. This evidence suggests that the contingency of organization size may have a direct and distinctive influence on the implementation of effective EGIT.
Next, Table 5.10 compares our results with similar studies (see Table 5.9). Note that the results from the Belgian financial industry [8] are not compared because that research does not provide the required information.
Table 5.9: Comparison of baselines of EGIT Mechanisms for different contingencies. The baseline for SMEs (SME) is compared with the baselines for Higher Education (HE) [33], the Belgian Financial Industry [8], the Portuguese Financial Industry (FI) [32] and the Portuguese Healthcare Industry (HC) [31]; the number of other baselines that also contain each mechanism is given in parentheses.

1 [S] Governance Tasks in Roles and Responsibilities (in 1 other baseline)
2 [S] IT Organization Structure (Centralized) (IT Organization Structure in 3 other baselines)
3 [S] IT Project Steering Committee (in 2 other baselines)
4 [P] IT Budget Control and Reporting (in 2 other baselines)
5 [P] Strategic Information System Planning (in 3 other baselines)
6 [P] Service Level Agreement (in 1 other baseline)
7 [R] Shared Understanding of Business/IT Objectives (in no other baseline)
8 [R] Informal Meetings (Business and IT Seniors) (in no other baseline)
9 [R] IT Leadership (in 3 other baselines)
The values for the most relevant mechanisms are calculated from the ten fundamental mechanisms selected by each interviewee. Furthermore, the effectiveness and difficulty of implementation values for SMEs are on a different scale, since this research was based on eleven interviews while the others were based on only six. Therefore, the authors calculated proportional average values of both parameters to make them comparable.
Table 5.10: EGIT Mechanisms in different contingencies.
From Table 5.10, the authors can clearly perceive both differences and similarities between these contingencies. As for the financial industry and higher education, the relational mechanisms are the least relevant for SMEs, while for the healthcare industry the processes are. For SMEs, structures are the most relevant mechanisms, as they are for the healthcare and financial industries; in contrast, processes are the most relevant for higher education.
In terms of effectiveness, the relational mechanisms are the most effective and the structures the least effective for the healthcare industry, higher education and SMEs. For the financial industry, however, the processes are the most effective and the relational mechanisms the least effective. In terms of difficulty, the relational mechanisms are the least difficult to implement for the healthcare industry, higher education and SMEs, while for the financial industry the structures are.
Next, Figure 5.2 is a pick chart containing the five EGIT mechanisms that obtained the highest values of 'E'+'D' in the evaluations performed by the several studies that addressed EGIT mechanisms under different contingency factors [31–33]. The authors had to analyze and synthesize a large amount of information from these studies to compare the EGIT mechanisms across contingencies. The scale for difficulty of implementation was inverted to make the pick chart easier to read: 0 means "extremely difficult" and "not effective at all" and 5 means "not difficult at all" and "extremely effective", so that highly effective and easy-to-implement mechanisms fall in the upper right quadrant.
This chart allows analysis of the trade-off between difficulty of implementation and effectiveness. Different shapes identify the studies and numbers represent each mechanism. Circles (○), squares (□), triangles (△) and rhombuses (◇) represent the mechanisms from the studies on SMEs, higher education, the financial industry and the healthcare industry, respectively. The grey shapes represent the top five mechanisms of each study; the others are shown to enable comparison of those mechanisms under different contingencies.
The five mechanisms with the highest classification for SMEs are all in the upper right quadrant. Furthermore, note that four of the five best classified EGIT mechanisms for SMEs were also selected for the baseline. The mechanisms present both in the baseline and in the pick chart may represent quick wins in the implementation of effective EGIT in SMEs.
In general, the vast majority of the mechanisms are in the upper right quadrant. However, the finan-
cial industry has several mechanisms in the upper left quadrant where the mechanisms are considered
highly effective but difficult to implement. The best mechanisms for the financial and healthcare indus-
tries have greater effectiveness but are more difficult to implement in comparison with SMEs and higher
education.
Furthermore, this pick chart analysis allowed the identification of mechanisms that were evaluated as
one of the best for more than one study. Despite the similarities, these mechanisms obtained different
values for effectiveness and difficulty of implementation when evaluated under different contingency
factors. Therefore, it is possible to investigate how the same mechanism can be perceived differently
depending on the contingencies.
Figure 5.2: Pick Chart (Difficulty of implementation x Effectiveness)
The IT Organization Structure for SMEs, which is centralized, is perceived as much easier to implement than for the healthcare and financial industries. It is also considered much more effective for the financial and healthcare industries than for higher education.
Informal Meetings are recognized as much easier to implement for higher education than for the financial industry, yet they are more effective for the healthcare industry than for higher education.
Finally, CIO reporting to CEO and/or COO is slightly easier to implement for higher education than for SMEs, but much more effective for SMEs than for higher education. This evidence shows that different contingencies have a substantial impact on EGIT mechanisms.
5.2 Evaluation
This section corresponds to the Evaluation phase. As aforementioned, this phase aims to evaluate and measure how well the artifact supports the solution, comparing the obtained results against the defined objectives. Hevner et al. [6] state that the business environment influences the requirements upon which the artifact should be constructed and that its evaluation is an essential part of the research process. Moreover, the evaluation methods selected must be appropriate for the designed artifact; descriptive methods should be applied to innovative artifacts for which other evaluation methods may not be feasible [6]. In this section, the ex ante evaluation of the artifact through expert interviews is explained and the fulfillment of Osterle et al.'s principles is verified.
5.2.1 Expert interviews - Ex ante evaluation
DSR processes have been criticized for strictly following the sequence of build and evaluate activities and for performing the evaluation late in the process. However, different evaluation sequences and methods can be applied depending on the context and objectives of the evaluation [87]. In particular, if the Design phases are very time-consuming or expensive, it can be advantageous to prevent disappointments in later stages by applying early control measures, such as an ex ante evaluation [88].
Pries-Heje et al. [89] note that evaluation in DSR is not restricted to an activity at the end of the construction phase. In the IS field and in DSR, evaluation can be performed at two points in time relative to the construction of the artifact [90]: an ex ante evaluation evaluates the artifact before its design and construction, while an ex post evaluation evaluates the artifact after it has been constructed [88], [89].
Generally, the purpose of an ex ante evaluation is to guarantee that the resulting design will not be a failure. With an ex ante evaluation, researchers are able to forecast and identify important guidelines and restrictions for the design of the artifact, so that this crucial information can be incorporated into the design process in advance [88].
As previously mentioned, the qualitative interview is one of the most used data collection methods. It is an appropriate method for gathering relevant feedback from interviewees and has been widely used in IS research [46]. As referred to in section 2.1, expert interviews are one of the methods that can be applied in DSR to evaluate the constructed artifact [34], [87]. Furthermore, Sonnenberg and Vom Brocke [87] state that expert interviews are particularly appropriate for ex ante evaluations.
Based on this, the authors consider that the interviews performed with IT experts with experience in
SMEs, whose purpose was to evaluate a comprehensive list of EGIT mechanisms and to elicit a minimum
baseline of mechanisms for SMEs, can be seen as an ex ante evaluation of this artifact. Through these
interviews, the authors extracted important guidelines and restrictions for the design of the artifact: the
evaluations of the mechanisms, the mechanisms selected as fundamental for SMEs, and the qualitative
feedback recorded during the interviews and analyzed afterwards. Since the minimum baseline was
defined based on the evaluations and choices of experts and potential practitioners, the authors consider
that the interviews contributed to ensuring that the resulting artifact will not be a failure.
5.2.2 Osterle et al. principles
Furthermore, several principles that created artifacts should satisfy have been defined. In this subsection,
the authors explain how the constructed artifact responds to each of these principles.
According to Osterle et al. [34], scientific research should be characterized by abstraction, originality,
justification and publication to differentiate it from the way solutions are developed by practitioners (e.g.
in user organizations) or commercial providers (e.g. consulting companies). Therefore, Osterle et al.
defined four basic principles to which all design-oriented IS research must comply [34]:
• Abstraction: Each artifact must be applicable to a class of problems - The authors consider that the
proposed minimum baseline of EGIT mechanisms is useful and applicable to SMEs that intend to
implement effective EGIT, since it was elicited based on the experts' and practitioners' choices.
• Originality: Each artifact must substantially contribute to the advancement of the body of knowledge -
Based on the literature review performed, there are no studies that evaluate EGIT mechanisms in SMEs
and elicit a minimum baseline for this specific context. Therefore, this artifact contributes to the
advancement of the current body of knowledge and the originality principle is satisfied. Furthermore,
the qualitative information gathered during the construction of the artifact is also a contribution to the
current body of knowledge.
• Justification: Each artifact must be justified in a comprehensible manner and must allow for its
validation - The proposed artifact was constructed based on reputable work. The presented motivation
and research problem justify the need for this artifact. The entire research, including the methods
applied, is described and justified in a clear and transparent way throughout this thesis report.
• Benefit: Each artifact must yield benefit – either immediately or in the future – for the respective
stakeholder groups - The stakeholders that will benefit from this artifact are the managers and
practitioners of SMEs. The minimum baseline elicited enables practitioners to understand which
mechanisms can be fundamental to implement effective EGIT in their organizations. Furthermore,
the implementation of these EGIT mechanisms may yield benefits to the organization in the future.
6 Mapping between Baseline Mechanisms and COBIT 5
Contents
6.1 Design (p. 47)
6.2 Evaluation (p. 52)
Like the previous one, this chapter addresses the Design and Evaluation phases of the DSR process,
now for the second artifact. The authors start by describing the construction of the mapping between the
minimum baseline of EGIT mechanisms for SMEs and the COBIT 5 components. Afterwards, the
evaluation of this artifact is described and presented in order to verify the achievement of the predefined
objectives.
Section 6.1 presents and explains the proposed mapping between the minimum baseline of EGIT
mechanisms and the COBIT 5 components (Processes and Organizational Structures) that could support
the implementation of these mechanisms; in this way, the best practices specified in COBIT 5 can guide
practitioners in implementing them. In section 6.2, the artifact produced is evaluated according to
several methods and criteria.
6.1 Design
After the elicitation of the minimum baseline for SMEs, the authors were able to start the development
of the proposed mapping. For each EGIT mechanism in the baseline, the authors started by carefully
analyzing its description. Then, the COBIT 5 process domain (EDM, APO, BAI, DSS or MEA) whose
purpose seemed most related to the mechanism was identified.
Following this step, the authors searched for the process whose description encompasses, or is most
closely related to, the mechanism description. Going further, the authors established the correspondence
between each mechanism and a specific practice whose description, activities and respective inputs
and outputs are closely related to the mechanism description, so that the best practices defined in the
COBIT 5 framework can contribute to its implementation. Moreover, COBIT 5 also refers to other specific
frameworks that could help practitioners when implementing one of these mechanisms.
The exception is when the description clearly states that the mechanism is composed of people, such as
an officer, a committee or a council. In that case, the authors did not search for a process but focused on
the Organizational Structures enabler of COBIT 5 and sought, among the 26 structures listed in the COBIT
5 manual, an organizational structure that includes the functions or responsibilities performed by the
respective mechanism. As stated in the COBIT 5 framework, these 26 structures are not intended to
correspond to positions that enterprises have implemented, but the described purpose of each structure
remains valid for most enterprises.
The proposed mapping is presented in Table 6.1. The left side corresponds to the nine EGIT
mechanisms present in the minimum baseline for SMEs and their respective descriptions, which were
previously extracted from the literature (Appendix A). The right side contains the COBIT 5 components
selected by the authors and their respective descriptions taken from the COBIT 5 manuals [4], [3].
Therefore, the match between the two descriptions presented in this table works as a justification for
the proposed mapping.
The main objective was not to establish an exhaustive mapping with all the related components in
COBIT 5, since that would result in an extensive list of components for each mechanism. As aforementioned,
COBIT 5 presents more than 6000 interconnections and dependencies between the 214 practices that
compose the 37 processes. This represents the complexity associated with the COBIT 5 framework,
which can act as a barrier to its implementation in SMEs.
Therefore, the authors tried to identify only the practice or organizational structure most closely related
to the mechanism in question, to maintain an acceptable level of complexity in the initial phase of the
EGIT implementation in SMEs. This follows the idea expressed by Mike Hughes (ISACA International
Board Member Director): "Since SMEs are usually very lean and got different realities, it should not be
too burdensome. It needs to be appropriate and proportionate to SMEs so they also see business value
from that". This idea was also endorsed by several IT experts with experience in SMEs during the
interviews performed.
The activities and the several inputs and outputs that COBIT 5 defines for each practice were also
analyzed to justify this mapping. This information is not presented here, in order to simplify the visual
interpretation of the table; practitioners should consult the COBIT 5 manual for it.
As an example, the authors use a few mechanisms to explain how these correspondences were
established. Regarding the Governance Tasks in Roles and Responsibilities, the authors started by
checking the EDM domain, since it encompasses the governance processes, whereas the APO domain
is part of the management processes. In the EDM domain, the authors verified the process EDM01 -
Ensure Governance Framework Setting and Maintenance and the practice EDM01.02 - Direct the
governance system. The authors concluded that this practice is related, but more to the definition and
communication of high-level EGIT principles and requirements; there is no proper match between the
two descriptions.
Then, the authors verified the process APO01 - Manage the IT Management Framework and identified
the practice APO01.02 - Establish roles and responsibilities. Through the analysis of the descriptions,
the recommended activities and respective outputs, the authors concluded that this practice is closely
related to this mechanism. Based on the high-level principles, this practice intends to agree on and
communicate roles and responsibilities for IT-related stakeholders, in alignment with business needs and
objectives, and should produce as output the "Definition of IT-related roles and responsibilities". Therefore,
based on the match between the descriptions and the expected output, the authors selected the practice
APO01.02 as the COBIT 5 component that is most related to this EGIT mechanism and could support its
implementation.
Table 6.1: Mapping between Baseline Mechanisms and COBIT 5 Components
(For each mechanism: its type, its description from the literature, the COBIT 5 component selected, and the description of that component from the COBIT 5 manuals.)

1. Governance Tasks in Roles and Responsibilities [Structure]
Mechanism description: Clear and unambiguous definitions of the roles and the responsibilities of the involved parties are a crucial prerequisite for an effective ITG. It includes governance/alignment tasks for business and IT people, and it is the responsibility of the board and executive management to communicate them and to make sure that they are clearly understood throughout the whole organization. The best idea is to document all roles and responsibilities.
COBIT 5 component: Process APO01 Manage the IT Management Framework; Practice APO01.02 Establish roles and responsibilities
Component description: Establish, agree on and communicate roles and responsibilities of IT personnel, as well as other stakeholders with responsibilities for enterprise IT, that clearly reflect overall business needs and IT objectives and relevant personnel's authority, responsibilities and accountability.

2. IT Organization Structure [Structure]
Mechanism description: The possibility of effective governance over IT is of course also determined by the way the IT function is organized and where the IT decision-making authority is located in the organization. The adoption of a particular mode is influenced by different determinants, such as history, economies of scale, size, industry, etc. Decision-making structures are the natural approach to generate commitment within the organization.
COBIT 5 component: Process APO01 Manage the IT Management Framework; Practice APO01.05 Optimize the placement of the IT function
Component description: Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.

3. IT Project Steering Committee [Structure]
Mechanism description: Steering committee composed of business and IT people focusing on prioritizing and managing IT projects.
COBIT 5 component: Organizational Structure - Project and Programme Steering Committee
Component description: A group of stakeholders and experts who are accountable for guidance of programmes and projects, including management and monitoring of plans, allocation of resources, delivery of benefits and value, and management of programme and project risk.

4. IT Budget Control and Reporting [Process]
Mechanism description: Processes to control and report upon budgets of IT investments and projects.
COBIT 5 component: Process APO06 Manage Budget and Costs; Practice APO06.05 Manage costs
Component description: Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.

5. Strategic Information System Planning [Process]
Mechanism description: Formal processes to define and update the IT strategy of the organization, including aligning IT with business goals, exploiting IT for competitive advantage, directing efficient and effective management of IT resources, and developing technology policies and architectures. These processes should assure that IT priorities and investments are strictly aligned with the mission, objectives and goals of the organization.
COBIT 5 component: Process APO02 Manage Strategy; Practice APO02.05 Define the Strategic Plan
Component description: Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programmes, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.

6. Service Level Agreement (SLA) [Process]
Mechanism description: A Service Level Agreement (SLA) is defined as "a written contract between a service provider of a service and the customer of the service". The functions of SLAs are: define what levels of service are acceptable by users and are attainable by the service provider; define the mutually acceptable and agreed upon set of indicators of the quality of service. Three basic types of SLAs can be defined: in-house, external and internal SLAs.
COBIT 5 component: Process APO09 Manage Service Agreements; Practice APO09.03 Define and prepare service agreements
Component description: Define and prepare service agreements based on the options in the service catalogues. Include internal operational agreements.

7. Shared Understanding of Business/IT Objectives [Relational]
Mechanism description: Mechanism that promotes the mutual understanding of business and IT objectives and plans by business and IT people and the respect of each other's contribution. Therefore, business and IT people can accurately interpret and anticipate actions and, if necessary, coordinate adaptively. This mechanism is considered paramount for attaining and sustaining business/IT alignment.
COBIT 5 component: Process APO08 Manage Relationships; Practice APO08.01 Understand business expectations
Component description: Understand current business issues and objectives and business expectations for IT. Ensure that requirements are understood, managed and communicated, and their status agreed on and approved.

8. Informal Meetings (Business and IT Seniors) [Relational]
Mechanism description: Informal meetings, with no agenda, where business and IT senior management talk about general activities, directions, etc. (e.g. during informal lunches).
COBIT 5 component: none identified
Component description: not applicable

9. IT Leadership [Relational]
Mechanism description: Ability of the CIO or similar role to articulate a vision for IT's role in the company and ensure that this vision is clearly understood by managers throughout the organization. The goal is coordination across the organization.
COBIT 5 component: Process APO01 Manage the IT Management Framework; Practice APO01.04 Communicate management objectives and direction
Component description: Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
Next, the IT Project Steering Committee definition clearly indicates that it consists of a group of people,
from business and IT, whose purpose is to manage and prioritize IT projects. This suggests that it
corresponds to a structure in the organization. Therefore, the authors focused on the Organizational
Structures enabler and, based on the descriptions provided, identified the Project and Programme
Steering Committee as the correspondence for this mechanism. Only one mechanism was clearly an
organizational structure; the authors believe this can be related to the accumulation of responsibilities
that generally exists in SMEs.
There is only one mechanism that is not mapped to a COBIT 5 component: the Informal Meetings
between Business/IT Seniors. Given the name and description of this mechanism, the authors decided to
look at the APO domain, more specifically at the process APO08 - Manage Relationships. This process
can help and support the establishment and management of the relationship between business and IT.
However, the process description includes: "Manage the relationship between the business and IT in a
formalized and transparent way that ensures a focus on achieving a common and shared goal of
successful enterprise outcomes...". The mechanism intends to establish an informal relationship, through
meetings without a predefined agenda, while this process recommends managing the relationship
between business and IT in a formalized way, which is the opposite of the mechanism's purpose. Since
there is no correspondence for this EGIT mechanism, the authors consider that the COBIT 5 framework
does not support its implementation.
Analyzing the resulting mapping, the authors identified several interesting findings. First, the proposed
mapping does not contain any practice from the EDM domain. This domain encompasses the governance
processes, including the responsibilities of the board for evaluating, directing and monitoring the use of IT
assets to create business value. This was unexpected, since this is a minimum baseline of mechanisms
that should be considered a good starting point to implement effective EGIT. However, the lack of EDM
practices can be associated with the fact that the authors tried to identify only the practice or organizational
structure most related to each mechanism, to maintain an acceptable level of complexity in this initial
phase of the EGIT implementation. Nevertheless, the EDM practices relevant to the selected practices
appear as inputs of those practices. Thus, practitioners know that there is a practice from the EDM
domain that should produce an input contributing to the correct implementation of the selected practice.
Furthermore, all the identified practices belong to APO processes. This domain addresses the planning
and organization of enterprise IT so that it effectively contributes to the achievement of business
objectives, thereby including the strategic alignment between business and IT. This is noteworthy, since
the authors identified that SMEs lack a long-term vision of their business and tend to adopt a more
operational view than a strategic one; their small IT departments are focused on operational efficiency
and short-term solutions. Therefore, the authors consider that the mechanisms elicited from the
practitioners' feedback, now mapped to APO practices, can contribute to mitigating this problem, which
still exists in this type of organization. Considering that the baseline should be seen as a good starting
point, the authors believe it is extremely important to begin with the implementation of practices that
promote planning and strategic alignment from an early phase.
Only one baseline mechanism did not have a correspondence to a COBIT 5 component. Therefore, the
authors identified a correspondence for eight of the nine mechanisms included in the minimum baseline,
suggesting that the COBIT 5 framework provides guidelines and best practices that can also be relevant
and appropriate for SMEs that intend to implement effective EGIT. As always, some adaptation may be
required. The identified correspondences contradict the idea that the COBIT 5 framework is only suitable
for large organizations and that the best practices it provides are not applicable to SMEs.
With this mapping, the authors intend to facilitate the implementation of COBIT 5 in SMEs by indicating
the main components that could support the implementation of almost all the EGIT mechanisms present
in the minimum baseline for SMEs. This solution can help to overcome the lack of orientation in the initial
phases, namely in choosing the processes or practices to be implemented.
6.2 Evaluation
As in the previous chapter, this section addresses the Evaluation phase of the DSR process, now for the
proposed mapping between the baseline mechanisms and COBIT 5. As stated by Hevner et al. [6], DSR
evaluation is a crucial phase of the research process. However, the design researcher should balance
the interests of practitioners and researchers: practitioners are concerned with the applicability and
usefulness of an artifact, whereas researchers focus on the validity of the artifact and on ensuring rigor
in the process [87]. Therefore, this artifact is evaluated according to the Wand and Weber method, the
Osterle et al. principles and expert interviews.
6.2.1 Wand and Weber Method
The developed mapping between the EGIT mechanisms and COBIT 5 components will be evaluated
using the Wand and Weber Method [91], which enables the analysis of the ontological effectiveness
of this mapping. This evaluation method is based on the ontological deficiencies that can be found in
the mapping, namely Incompleteness, Redundancy, Overload and Excess. These shortcomings can be
briefly described as:
• Incompleteness: Is each element of the first set mapped to an element of the second set? If so,
the mapping is considered complete. Otherwise, it is incomplete.
• Overload: Is each element of the second set mapped by only one element of the first set? If not,
the mapping is overloaded.
• Redundancy: Is any element of the first set mapped to more than one element of the second set?
If so, the mapping is redundant.
• Excess: Is each element of the second set mapped by an element of the first set? If not, the
mapping is excessive.
As referred, the proposed mapping is presented in Table 6.1. In the next paragraphs, this mapping is
evaluated according to these four ontological deficiencies.
Starting with incompleteness, it is easy to verify that the mapping is incomplete, since there is no
correspondence between the mechanism Informal Meetings between Business/IT Seniors and a COBIT 5
component. This means that COBIT 5 does not specify a concrete practice that supports and guides the
implementation of a mechanism which is recognized as fundamental to SMEs. However, this
incompleteness is not totally surprising, because frameworks like COBIT 5 are often criticized for being
more appropriate for large organizations. Moreover, only one mechanism lacks a correspondence, and
COBIT 5 does support the relationship between business and IT, through process APO08 - Manage
Relationships, but not in the informal way stated by this mechanism.
The mapping is not overloaded: no two different mechanisms were mapped to the same COBIT 5
component. This is because the authors mapped each mechanism to the most related organizational
structure or practice, and not only at the process level (three mechanisms map to different practices of
the same process, APO01). It follows that the baseline mechanisms address relevant and distinct aspects
of the implementation of effective EGIT in SMEs. Therefore, the identified baseline suggests the adoption
of a holistic approach, which is highly recommended for EGIT implementation.
Furthermore, the proposed mapping is not redundant. This deficiency was not identified because, as
aforementioned, the authors mapped only the most related practice and not all the related practices, in
order to avoid a huge number of related COBIT 5 components. Mapping more COBIT 5 practices would
increase the complexity associated with the implementation, which can act as a barrier to the
implementation of EGIT in these organizations. Therefore, the authors selected the practice that seemed
most related and appropriate to support the implementation of each mechanism. If a more comprehensive
approach were adopted, redundancy would certainly exist, which is not surprising given the complex
nature of the COBIT 5 framework.
Finally, this mapping is clearly excessive. However, this was also expected, since the authors decided
to establish the mapping with COBIT 5 practices and organizational structures. As already referred,
COBIT 5 defines more than 200 practices, which compose the 37 processes, and 26 different
organizational structures or roles, whereas the elicited baseline is composed of only 9 EGIT mechanisms.
This is a minimum baseline that should be seen as an initial roadmap for the implementation of EGIT in
SMEs in general. The authors consider that, in this case, this shortcoming is normal and does not affect
the purpose and value of the proposed mapping.
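The four Wand and Weber checks are mechanical set operations, so the verdict above can be reproduced automatically. The following Python script is an added worked example (it is not part of the thesis and not COBIT 5 material): it encodes Table 6.1 as a mapping from mechanisms to components and runs the four checks over it. The second set is a constructed subset of COBIT 5 components, namely the eight components the table maps to plus EDM01.02, the practice the chapter considered and rejected; with the full COBIT 5 universe the excess list would simply be far longer. The function and variable names are the example's own.

```python
"""Wand and Weber ontological-deficiency check for a mapping between two sets.

Added example for this chapter (not part of the thesis). The first set is the
nine baseline EGIT mechanisms of Table 6.1; the second set is a CONSTRUCTED
subset of COBIT 5 components: the eight mapped components plus EDM01.02, which
the chapter considered and rejected. The real COBIT 5 universe (200+ practices,
26 organizational structures) is far larger, which is why the chapter finds the
mapping excessive.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Deficiencies:
    unmapped_sources: list = field(default_factory=list)    # incompleteness
    overloaded_targets: dict = field(default_factory=dict)  # overload
    redundant_sources: dict = field(default_factory=dict)   # redundancy
    excess_targets: list = field(default_factory=list)      # excess

    @property
    def is_complete(self) -> bool:
        return not self.unmapped_sources

    @property
    def is_overloaded(self) -> bool:
        return bool(self.overloaded_targets)

    @property
    def is_redundant(self) -> bool:
        return bool(self.redundant_sources)

    @property
    def is_excessive(self) -> bool:
        return bool(self.excess_targets)


def analyse(mapping: dict, targets: set) -> Deficiencies:
    """Apply the four Wand and Weber checks.

    mapping: source element -> set of target elements it is mapped to
             (an empty set records a source with no correspondence).
    targets: the full second set, including elements nothing maps to.
    Raises ValueError if the mapping points at a target outside `targets`,
    which would otherwise make the excess/overload figures meaningless.
    """
    mapped_to = set().union(*mapping.values()) if mapping else set()
    unknown = mapped_to - targets
    if unknown:
        raise ValueError(f"mapping refers to unknown targets: {sorted(unknown)}")

    sources_per_target = defaultdict(list)
    for source, tgts in mapping.items():
        for tgt in tgts:
            sources_per_target[tgt].append(source)

    return Deficiencies(
        unmapped_sources=sorted(s for s, tgts in mapping.items() if not tgts),
        overloaded_targets={t: sorted(srcs) for t, srcs in sources_per_target.items() if len(srcs) > 1},
        redundant_sources={s: sorted(tgts) for s, tgts in mapping.items() if len(tgts) > 1},
        excess_targets=sorted(targets - mapped_to),
    )


# Table 6.1 as source -> {target}; the practice/structure names stand for the
# full COBIT 5 components named in the table.
BASELINE_MAPPING = {
    "Governance Tasks in Roles and Responsibilities": {"APO01.02"},
    "IT Organization Structure": {"APO01.05"},
    "IT Project Steering Committee": {"Project and Programme Steering Committee"},
    "IT Budget Control and Reporting": {"APO06.05"},
    "Strategic Information System Planning": {"APO02.05"},
    "Service Level Agreement (SLA)": {"APO09.03"},
    "Shared Understanding of Business/IT Objectives": {"APO08.01"},
    "Informal Meetings (Business and IT Seniors)": set(),  # no correspondence
    "IT Leadership": {"APO01.04"},
}

# CONSTRUCTED second set: the mapped components plus one unmapped practice the
# chapter discusses (EDM01.02). Any unmapped element makes the mapping excessive.
COBIT5_SUBSET = set().union(*BASELINE_MAPPING.values()) | {"EDM01.02"}


def report(d: Deficiencies) -> str:
    """One line per deficiency, in the order the chapter discusses them."""
    return "\n".join([
        f"incomplete : {not d.is_complete}  unmapped={d.unmapped_sources}",
        f"overloaded : {d.is_overloaded}  {d.overloaded_targets}",
        f"redundant  : {d.is_redundant}  {d.redundant_sources}",
        f"excessive  : {d.is_excessive}  excess={d.excess_targets}",
    ])


if __name__ == "__main__":
    print(report(analyse(BASELINE_MAPPING, COBIT5_SUBSET)))
```

Running the script reproduces the chapter's verdict: incomplete (only the informal meetings mechanism is unmapped), not overloaded, not redundant, excessive. The same `analyse` function flags overload and redundancy as soon as a more comprehensive mapping is attempted, which is the situation the redundancy paragraph anticipates.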
6.2.2 Osterle et al. principles
As mentioned before, scientific research should be characterized by abstraction, originality, justification
and publication. Therefore, there are four basic principles with which all constructed artifacts must comply
[34]:
• Abstraction: Each artifact must be applicable to a class of problems - The authors consider that the
proposed mapping is useful and relevant to managers and practitioners of SMEs that wish to implement
the fundamental EGIT mechanisms for these organizations by adopting the guidelines and best practices
provided by the COBIT 5 framework.
• Originality: Each artifact must substantially contribute to the advancement of the body of
knowledge - After the literature review performed, the authors verified that there are no studies
addressing the adoption of COBIT 5 in SMEs. More specifically, there are no studies addressing the
fundamental EGIT mechanisms for SMEs and their correspondence to COBIT 5 components, including
the recommended practices or organizational structures. Therefore, this artifact contributes to the
advancement of the current body of knowledge and the originality principle is satisfied.
• Justification: Each artifact must be justified in a comprehensible manner and must allow for its
validation - Like the first artifact, the proposed mapping is based on previously published articles
and on the official COBIT 5 documentation. The authors consider that the motivation and research
problem presented justify the need for the proposed mapping. All the steps applied in the construction
and validation of the artifact are carefully described in this report.
• Benefit: Each artifact must yield benefit – either immediately or in the future – for the respective
stakeholder groups - The stakeholders that will benefit from this artifact are the managers and
practitioners from SMEs. The proposed mapping enables these practitioners to know the CO-
BIT 5 components that support the implementation of the baseline mechanisms. Therefore, the
practitioners can access and follow the best practices and guidelines specified by the COBIT 5
framework, such as the recommended activities and respective inputs/outputs, which will be an
important help in implementing these EGIT mechanisms.
6.2.3 Expert interviews
As previously referred, qualitative interviews have been broadly used in IS research. They are considered
a suitable and valuable method to collect important feedback based on the interviewees' perceptions [46].
Furthermore, several authors state that expert interviews are an appropriate method to apply in DSR in
order to evaluate the created artifact [34], [87], especially when other evaluation methods may not be
feasible [6].
Therefore, the authors decided to perform expert interviews, following a semi-structured approach, with
professionals who have a great deal of knowledge about EGIT and, more specifically, about the COBIT 5
framework. The flexibility of semi-structured interviews allowed the authors to use Likert scales to assess
the experts' perceptions of various aspects of the mapping and to ask open questions to probe and
extend their answers, so as to understand the rationale behind their evaluations.
The authors contacted several experts by e-mail to present the research and invite them to participate in
this evaluation. When an expert accepted, the interview was scheduled and two documents were shared
with the interviewee (see Table 6.2): the proposed mapping and the questionnaire containing the
questions that would guide the interview. Thereby, all interviewees had enough time to analyze the
proposed mapping.
Table 6.2: COBIT 5 experts’ details.
The interviews, conducted through Skype, started with an introduction to the thesis and the purpose of
the work, followed by the questionnaire, which is composed of three distinct parts (Appendix C). The first
part involves a few questions about the academic qualifications and personal experience of the
interviewees. The second part is related to the individual evaluation of each correspondence presented
in the mapping, while the third part comprises a set of questions that address several evaluation criteria
for IS artifacts. All these questions were answered on a 5-point Likert scale [86].
As can be seen in Table 6.2, a broad spectrum of professional profiles was considered, including
researchers, managers, directors and professors. These interviewees have vast knowledge of EGIT in
general (average of 4.5 on the 5-point scale) and, more specifically, of COBIT 5 (average of 4.3). Despite
not being a requirement, almost every interviewee had previous experience in SMEs, which is relevant
and advantageous for gathering significant feedback in this evaluation. After rating the 8 correspondences,
the interviewees rated a subset of the criteria proposed by Prat et al. [7] to evaluate IS artifacts.
6.2.3.A Evaluation criteria by Prat et al.
Based on general systems theory, Prat et al. [7] proposed a hierarchy of criteria to evaluate IS artifacts.
This hierarchy was derived from the criteria proposed in the design-science research literature and is
structured according to the dimensions of a system: goal, environment, structure, activity and evolution.
For each dimension, a set of criteria and sub-criteria is specified and described. Thus, the proposed
hierarchy provides a holistic view of the evaluation criteria.
From this overarching hierarchy [7], the authors selected the criteria considered most appropriate and
relevant to evaluate the artifact. The selected criteria are presented in Table 6.3, with a brief description
of how each is applied in the context of this artifact and research.
These criteria and the achievement of the predefined objectives are evaluated based on semi-structured
interviews, which are an adequate method to collect feedback, as aforementioned. This feedback is
essential to capture the opinions and experience of people who can use and be directly affected by the
proposed solution. In this way, the authors are able to conclude whether the predefined objectives are
actually achieved.
Table 6.3: Evaluation criteria selected from the hierarchy proposed by Prat et al. [7].
6.2.3.B Results Analysis
In this section, the authors will present and discuss briefly the results obtained regarding the evaluation
of the proposed mapping. All the data collected is presented in Appendix D. Table D.1 contains the
ratings for the individual evaluation of the nine correspondences, whereas Table D.2 comprises the
ratings given by the experts regarding the evaluation criteria selected. Starting with the evaluation of the
correspondences established in this mapping, the average results can be seen in Figure 6.1, where
the letter C denotes a correspondence.
Figure 6.1: Average ratings of correspondences
Thus, five out of the eight correspondences obtained an average rating
equal to or higher than 4.4. The authors consider this a fairly good and satisfactory average
value, suggesting that these correspondences are appropriate and that little improvement can be
made. Furthermore, the vast majority of the experts interviewed provided positive feedback (4 - Agree
or 5 - Strongly Agree) regarding these correspondences:
• C1 and C5 obtained an average value of 4.40 - For both, 90% of the respondents answered
positively and 50% gave the maximum classification;
• C2 obtained an average value of 4.50 - 90% of the experts responded positively and 60% gave the
maximum rating;
• C6 obtained an average of 4.60 - 100% of the experts interviewed gave a positive rating and 60%
gave the maximum classification;
• C4 achieved an average of 4.70 - 100% of the experts provided a positive answer and 70% rated
the correspondence with the maximum value.
The correspondences above received quite acceptable ratings. However, as can be seen in Figure 6.1,
three correspondences obtained lower average values than the ones already
mentioned. Thus, the authors will now focus on these correspondences in order to investigate and
understand the reasons for these lower ratings, according to the qualitative feedback provided by the
experts. These correspondences obtained the following results:
• C3 got an average value of 3.50 - Just 40% of the experts answered positively and only 10% of
them gave the maximum rating;
• C7 obtained an average of 3.90 - 70% of the experts responded positively and only 20% rated the
correspondence with the maximum value;
• C9 got an average value of 4.00 - Just 70% of the experts provided a positive answer and 40%
gave the maximum classification.
These three correspondences obtained much lower average values, which the authors consider can be
much higher. Therefore, the authors will present some of the most consensual reasons, provided by the
experts, for these ratings. This qualitative feedback will be fundamental to identify several possible
improvements to the proposed mapping, namely regarding C3, C7 and C9.
C3 is the correspondence between the structural mechanism IT Project Steering Committee
and the COBIT 5 organizational structure Project and Programme Steering Committees. This was the
correspondence with the worst ratings, and the reasons behind it are consensual. The majority of the
experts stated that, despite agreeing that the COBIT 5 organizational structure is a proper match,
an effective implementation of the EGIT mechanism requires more than solely
creating an organizational structure; the proposed mapping is incomplete. Based on their feedback, this
organizational structure should base its work on the COBIT 5 best practices. Therefore, this majority
recommended implementing part of the Process BAI01 - Manage Programmes and Projects in order to
achieve a suitable and sufficient correspondence.
Next, C7 is the correspondence between the relational mechanism Shared Understanding of
Business/IT Objectives and the Practice APO08.01 - Understand business expectations. This was the
second worst correspondence, and the rationale behind these ratings is somewhat consensual. Three
of the interviewees clearly stated that, although the proposed practice is definitely related to the
EGIT mechanism, the implementation of this mechanism implies the existence of mutual understanding
of objectives and plans and, furthermore, the achievement of strategic alignment. According to the
experts' feedback, this mutual understanding and strategic alignment should start from the board of
directors and not only at the management level. Thus, the experts suggested searching for a related
Process or Practice from the EDM domain, which comprises the Governance processes.
The C9 correspondence identifies the Practice APO01.04 - Communicate management objectives
and direction as a possible solution for the implementation of the relational mechanism IT Leadership.
The average value is not as low as the previous ones but, given the feedback gathered from the experts,
the authors consider that this correspondence can be improved. Three experts declared that this
type of leadership is much more than simply communicating the IT objectives and direction to the appropriate
stakeholders, so the proposed practice is not sufficient. In their opinion, communication is important
and the Practice APO01.04 is relevant and applicable; however, this mechanism depends heavily
on the personal capabilities of the CIO or similar role that is generally responsible for this leadership.
One of the interviewees suggested checking the Process APO02 - Manage Strategy, because there may
be something relevant for the implementation of this mechanism. Given this feedback, the authors suggest
investigating the Enabler People, Skills and Competences, which was not considered in this research.
Finally, regarding the lack of a correspondence for the EGIT mechanism Informal Meetings between
Business and IT Seniors, seven of the nine interviewees understood and agreed with the vision followed
by the authors and explained in section 6.1. However, several experts recommended searching another
COBIT 5 Enabler, Culture, Ethics and Behavior, which was also not considered in the scope of this
research. Therefore, investigation addressing the other COBIT 5 Enablers can be an excellent future
work.
Figure 6.2 presents the ratings given by the experts according to the Prat et al. criteria. Of
the five selected criteria, two obtained less than 4.00. The authors consider
these average values relatively low, so there are some improvements that can be made.
First, the Efficacy criterion addresses the degree to which the artifact produces its desired effect and
obtained an average of 3.90. The authors believe that this value could be much higher if the
aforementioned problems are appropriately solved. Despite the problems identified, 80% of the
interviewees gave a positive answer about this criterion. Thus, the authors consider that a large part of
the mapping goal was achieved.
The other criterion that obtained a lower average value was the Level of Detail, with an average of 3.50. This is
a relatively low value for a criterion that can affect the understandability and perception of the correspondences
established. Moreover, it can affect the perceived usefulness of the proposed artifact. According
to the experts' opinion, the problem with this criterion is related to the definitions provided for some of the EGIT
mechanisms, which were extracted from the literature. Thus, further analysis of the literature may be
required to extract more detailed definitions. The authors believe that if this aspect is improved, the
correspondences established could achieve higher classifications.
Figure 6.2: Evaluation of Prat et al. criteria
The criteria of Consistency and Ease of Use obtained quite good ratings, with an average of 4.40.
Furthermore, as can be seen in Figure 6.2, 90% of the experts responded positively and 50% of them
gave the maximum rating. These ratings substantiate the quality of the proposed artifact regarding these
two criteria.
Regarding the Utility for people criterion, the artifact obtained an average of 4.00. Although not
an excellent result, the authors consider it a reasonable and interesting value. Again, as can be seen
in Figure 6.2, 80% of the experts interviewed provided positive feedback about this specific criterion.
Thus, these results suggest that the proposed mapping would be useful in practice and could be an
added value for practitioners and managers from SMEs that intend to implement effective EGIT using the
COBIT 5 framework.
It is important to reinforce that the large majority of the COBIT 5 experts interviewed had previous
experience in SMEs; therefore, the authors consider that the feedback provided about the evaluated
criteria is extremely significant and close to reality.
Although it was not an objective, the Ease of use of this mapping by people without great knowledge
of the COBIT 5 framework was also evaluated. As expected, the obtained result was very low, with
an average value of 2.50. Moreover, only 20% of the experts gave a positive answer. This fact is not
surprising given the complexity associated with the COBIT 5 framework, which takes some time to
absorb.
7 Conclusions
Contents
7.1 Objectives evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
7.4 Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
7.5 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
This chapter consists of a brief summary of the work performed during this thesis. All the contributions
resulting from this research, as well as all the limitations identified, will be presented in the
following sections. Finally, the communication activities and the future work related to this research will
also be detailed. In this chapter, the authors will also analyze and verify whether the predefined objectives for
the proposal were achieved.
As aforementioned, De Maere and De Haes [38] recommend that researchers adopting DSR in the
ITG area adhere to the guidelines defined by Hevner et al. [6]. The purpose of the guidelines is to help
researchers and reviewers to understand the requirements for an effective DSR. These guidelines will
be verified and discussed throughout the following sections.
During this research work, the authors proposed and developed two different artifacts. Note that
the first artifact was fundamental for the construction of the second one. First,
the minimum baseline of EGIT mechanisms for SMEs was identified. This baseline resulted from the
elicitation of the fundamental EGIT mechanisms for these organizations, according to the feedback of
experts and practitioners. Then, the second artifact was constructed. This artifact consists of a mapping
between the identified EGIT mechanisms and the COBIT 5 components that can support and help in their
implementation.
The proposed artifacts constitute a solution intended to solve a significant and relevant organizational
problem: the lack of support for the implementation of COBIT 5 in SMEs. As referred, SMEs
represent 99% of all businesses in the EU and are also dependent on IT. Nowadays, EGIT is crucial
to manage and control their IT-related assets, but little empirical research has addressed EGIT in
SMEs. COBIT 5 is recognized as the best and most complete EGIT framework. However, the COBIT 5
framework involves an exorbitant number of interrelated components, and these organizations are
normally more constrained in terms of IT resources, making COBIT 5 implementation a complex and
daunting task. Furthermore, the interviews performed with experienced members of ISACA, including
Mike Hughes (ISACA International Board Member Director) and Marc Vael (ISACA Belgium Chapter
President), contributed to substantiate and validate the relevance of the identified problem.
Regarding the guidelines provided by Hevner et al. [6] and considering the information presented in
previous paragraphs, the authors conclude that Guideline 1 - Design as an artifact and Guideline 2 -
Problem relevance were both fulfilled.
The DSR evaluation is a crucial phase of the research process [6]. The proposed artifacts were
rigorously evaluated based on well-executed evaluation methods. First, the minimum baseline of EGIT
mechanisms was evaluated through qualitative semi-structured interviews with experts and based on the
Osterle et al. principles. Next, the proposed mapping was evaluated using different methods, including
the Wand and Weber method and the Osterle et al. principles. Furthermore, semi-structured interviews
with COBIT 5 experts were performed to evaluate the correspondences established and the criteria
selected from the hierarchy of evaluation criteria for IS artifacts proposed by Prat et al. Thus, the authors
consider that Guideline 3 - Design evaluation proposed by Hevner et al. was also satisfied in this
research.
7.1 Objectives evaluation
As referred in Chapter 4, the main purpose of the proposed solution is to facilitate COBIT 5 implementation
in SMEs. Therefore, the authors defined that the proposed solution should comply with the
following objectives:
• Objective 1: Identify the fundamental mechanisms to implement effective EGIT in SMEs;
• Objective 2: Establish the correspondence between the fundamental EGIT mechanisms for SMEs
and the Processes and Organizational Structures defined in COBIT 5.
Based on the results obtained through the various evaluation methods applied, the authors will draw
conclusions regarding the achievement of these objectives.
Since the minimum baseline of EGIT mechanisms for SMEs was entirely constructed based on the
feedback collected through semi-structured interviews with IT experts knowledgeable in the context of
SMEs, the authors consider that Objective 1 was accomplished.
Objective 2 is related to the proposed mapping. Given the results obtained
in the evaluation, including the evaluation of the correspondences and the selected criteria, the authors
conclude that Objective 2 was partially achieved. Despite having 80% or more positive answers about
several criteria, such as Goal efficacy, Consistency, Utility for people and Ease of use, there are some
improvements that can be made, especially regarding the incomplete correspondences and the
level of detail presented.
Although one of the objectives was not totally achieved, the authors consider that the obtained results
demonstrate that the proposed solution could be useful and advantageous for practitioners from SMEs
that intend to implement effective EGIT in their organization by adopting the best practices of the COBIT
5 framework. Therefore, as intended, this solution can facilitate COBIT 5 implementation in SMEs.
7.2 Contributions
With the work performed during this research, the authors expect to contribute not only to the specific
research problem, but also to the advancement of the existing body of knowledge. Based on both scientific
and practitioner perspectives, this research provided several interesting and relevant findings about
EGIT in SMEs. The two major contributions of this research are the artifacts produced. However,
there are other, minor contributions associated with them.
Regarding the minimum baseline of EGIT mechanisms for SMEs, the authors started by performing
qualitative interviews with several IT experts with knowledge and experience in these organizations.
In these interviews, the experts had to evaluate an overarching list of 46 EGIT mechanisms found in
the literature. This evaluation comprised two important parameters: the difficulty of implementation
and the potential effectiveness in the SMEs' context. Afterwards, each interviewee had to select the ten most
important mechanisms based on their professional experience in SMEs. This is also a contribution, since
each one of the 46 EGIT mechanisms was individually evaluated and then the ten fundamental ones
were selected by several experts. This information can be extremely useful when practitioners and
managers of SMEs are studying the implementation of certain EGIT mechanisms.
Based on this feedback, the authors constructed the minimum baseline of EGIT mechanisms for
SMEs, which is one of the major contributions of this thesis. Additionally, the authors analyzed the qual-
itative feedback gathered during the interviews to understand the reasons behind certain classifications
and to reveal other interesting findings regarding the perception of some EGIT mechanisms in SMEs.
In addition, a cross-study comparison with similar studies was performed. This allowed the authors to compare
the results obtained in previous studies focused on other contingencies and to draw conclusions
about how the EGIT mechanisms are perceived differently depending on the contingency. This qualitative
analysis and cross-study comparison also contribute to the advancement of the existing body of
knowledge.
Finally, the other major contribution of this thesis is the proposed mapping between the baseline
mechanisms and the COBIT 5 components. This artifact intends to establish the correspondence between
each EGIT mechanism and a COBIT 5 component, a Process or an Organizational Structure, that
supports its implementation. The mapping enables practitioners to know and recognize the COBIT
5 components that support the implementation of these mechanisms. Therefore, practitioners can
access and adhere to the best practices and guidelines specified by the COBIT 5 framework, such as
the responsibilities description or the recommended activities and respective inputs/outputs, which will
be an important help in implementing these EGIT mechanisms.
A correspondence was established for eight of the nine mechanisms included in the baseline, thereby
suggesting that the COBIT 5 framework provides guidelines and best practices that can also be relevant
and appropriate for SMEs. Therefore, this mapping intends to facilitate the implementation of COBIT 5 in
SMEs by identifying the main components that could support the implementation of almost all the EGIT
mechanisms present in the minimum baseline for SMEs.
Based on all the contributions mentioned, the authors conclude that Guideline 4 - Research
Contributions was clearly fulfilled. Additionally, Guideline 5 - Research rigor is related to the
effective use of the knowledge base, including the theoretical foundations and research methodologies.
DSR relies upon the adherence to appropriate data collection and analysis techniques to construct and
evaluate the artifact. Therefore, the authors believe that Guideline 5 was also satisfied by applying the
following techniques throughout the construction and evaluation of the artifacts: literature review, Wand
and Weber method, Osterle et al. principles and semi-structured interviews with experts. All these
methods were described in previous chapters.
7.3 Limitations
Like the contributions, the limitations are also related to one of the constructed artifacts. Regarding the
minimum baseline, the authors identified some limitations. First, all the collected data was limited to the
eleven semi-structured interviews performed with IT experts, and only one person from each organization
was interviewed. More interviews with IT experts could be performed, acquiring an even bigger sample to
reinforce and strengthen the results of the mechanisms evaluation and the identified baseline. However,
the authors believe that the eleven semi-structured interviews performed were a good starting point for
drawing interesting conclusions in a research area that is currently scarce and limited.
Another limitation is the fact that the transcript of the qualitative data was not presented due to space
limitations. However, the authors consider that the most significant findings extracted from the qualitative
feedback, collected through the interviews with the experts, were presented. Furthermore, there are
additional contingency factors that could affect the reality of SMEs, such as the geography, strategy
and culture of the organization, which were not addressed in this research.
There are also other limitations related to the proposed mapping. First, three correspondences, C3,
C7 and C9, were assessed as incomplete by the experts. However, several possible improvements to
these correspondences were presented based on the feedback collected during the interviews. Another
limitation related to this artifact is the low Level of Detail presented. According to the experts, this is
related to the detail of the EGIT mechanism definitions that were taken from the literature.
Finally, another limitation of this research is related to the DSR process. As referred, this research
process is inherently an iterative and incremental activity, where the evaluation phase
should provide the design phase with valuable feedback. Therefore, the constructed
artifacts can be improved and completed until the requirements and constraints of the problem are satisfied.
However, in this research, a second iteration of the DSR process was not applied given the time
restrictions associated with the development of this thesis. Therefore, the authors consider that this is a
limitation of our research.
Thus, Guideline 6 - Design as a search process is extremely difficult to fulfill. First, performing
several iterations is a central part of the DSR process and, as referred, in this research only one iteration
was accomplished due to time limitations. Moreover, there are no other competing solutions addressing
the same problem situation, so comparing the proposed solution with others developed by experts
is impossible. Therefore, the authors conclude that Guideline 6 was not fulfilled.
7.4 Communication
The results of DSR must be presented to both technology-oriented and management-oriented
audiences. This enables practitioners to benefit by applying the constructed artifact and allows
researchers to build a cumulative knowledge base [6]. As aforementioned, the review process prior to
scientific publication is part of the evaluation. This section addresses the Diffusion phase of the DSR
process, where the results obtained are shared with the interested communities.
Throughout the development of this thesis, two scientific papers were submitted. The first paper,
addressing the minimum baseline of EGIT mechanisms for SMEs, was already accepted, presented
and published in the 20th IEEE International Conference on Business Informatics 1:
• Silva, D., da Silva, M. M., & Pereira, R. (2018). Baseline Mechanisms for Enterprise Governance
of IT in SMEs. In 2018 IEEE 20th Conference on Business Informatics (CBI). Vienna, Austria.
IEEE. [92]
This paper was submitted at an intermediate stage of the research, when only seven interviews
had been performed to evaluate the EGIT mechanisms and elicit a minimum baseline. Thus, the paper was
accepted as research-in-progress.
Afterwards, the authors completed the research with more interviews and submitted an article presenting
the results obtained to the Information Systems Management Journal 2, which is awaiting acceptance.
All the papers developed by the authors were also sent to all practitioners and experts that partici-
pated in the research. Finally, all the research performed in the scope of this thesis was presented and
described in this thesis report. Therefore, the authors conclude that the Guideline 7 - Communication of
research was also satisfied.
7.5 Future Work
Further research on this topic may focus on interesting aspects such as the identification of new EGIT
mechanisms specifically used in SMEs, the impact of the other EGIT contingency factors in the SMEs'
context or the differences between public and private SMEs regarding the EGIT mechanisms, as those
evidenced through the qualitative analysis performed. Future work could also address the opposite
perceptions about the Chargeback Process and the impact of the accumulation of responsibilities in the
implementation of effective EGIT in these organizations.
1 https://cbi2018.big.tuwien.ac.at/
2 https://www.tandfonline.com/toc/uism20/current
Moreover, future work can also address some of the inconsistencies identified in the proposed mapping.
Thus, future research should start by studying the possible improvements regarding the correspondences
identified as incomplete. With the purpose of promoting and contributing to future research,
the authors presented several possible improvements based on the experts' opinions and perspectives.
These can be good starting points for new research.
Finally, further research will also be fundamental to address the level of detail of the mechanism
definitions. Based on the results obtained, it is important to deepen and complement the definitions,
thereby guaranteeing an increase of the detail to an acceptable and sufficient level. In addition, future
work can also study how to facilitate the use of this type of artifact by people without knowledge of the
COBIT 5 framework.
Bibliography
[1] ITGI, Board Briefing on IT Governance - 2nd Edition, 2003. [Online]. Available: http://www.itgi.org/
[2] S. De Haes and W. Van Grembergen, Enterprise Governance of Information Technology:
Achieving Alignment and Value, Featuring COBIT5, ser. Management for Professionals.
Springer International Publishing, 2015. [Online]. Available: http://link.springer.com/10.1007/
978-3-319-14547-1
[3] ISACA, A Business Framework for the Governance and Management of Enterprise IT, 2013.
[Online]. Available: www.isaca.org
[4] ——, Enabling Processes, 2012. [Online]. Available: papers3://publication/uuid/
24E0C493-40C6-4495-946E-A25765C97BF1
[5] ——, COBIT 5 Implementation, 2012.
[6] A. R. Hevner, S. T. March, J. Park, and S. Ram, “Design Science in Information
Systems Research,” MIS Quarterly, vol. 28, no. 1, pp. 75–105, 2004. [Online]. Available:
http://www.jstor.org/stable/25148625
[7] N. Prat, I. Comyn-Wattiau, and J. Akoka, “Artifact Evaluation in Information Systems Design-
Science Research - A Holistic View,” in 18th Pacific Asia Conference on Information Systems,
no. 23, Chengdu, China, 2014. [Online]. Available: https://aisel.aisnet.org/pacis2014/23
[8] S. De Haes and W. Van Grembergen, “An Exploratory Study into the Design of an IT Governance
Minimum Baseline through Delphi Research,” The Communications of the Association for Informa-
tion Systems, vol. 22, pp. 443–458, 2008.
[9] ——, “An Exploratory Study into IT Governance Implementations and its Impact on Business/IT
Alignment,” Information Systems Management, vol. 26, no. 2, pp. 123–137, 4 2009. [Online].
Available: http://www.tandfonline.com/doi/abs/10.1080/10580530902794786
68
[10] P. Weill and J. W. Ross, IT Governance: How Top Performers Manage IT Decisions Rights for
Superior Results. Boston, Massachusetts: Harvard Business School Press, 2004, no. Harvard
Business School Press Boston, Massachusetts.
[11] A. E. Brown, G. G. Grant, and E. Sprott, “Framing The Frameworks: A Review of
IT Governance Research,” Communications of the Association for Information Systems,
vol. 15, pp. 696–712, 2005. [Online]. Available: https://pdfs.semanticscholar.org/8d5c/
fd40c79ae3975a81ce15657ec02e738a13e9.pdf
[12] J. C. Henderson and H. Venkatraman, “Strategic alignment: Leveraging information technology for
transforming organizations,” IBM Systems Journal, vol. 32, no. 1, pp. 472–484, 1993. [Online].
Available: http://ieeexplore.ieee.org/document/5387398/
[13] S. De Haes, W. Van Grembergen, and E. Guldentops, “Structures, Processes and Relational
Mechanisms for IT Governance,” in Strategies for Information Technology Governance. IGI
Global, 1 2004, pp. 1–36. [Online]. Available: http://services.igi-global.com/resolvedoi/resolve.
aspx?doi=10.4018/978-1-59140-140-7.ch001
[14] V. Sambamurthy and R. W. Zmud, “Arrangements for Information Technology Governance: A
Theory of Multiple Contingencies,” MIS Quarterly, vol. 23, no. 2, pp. 261–290, 1999. [Online].
Available: http://www.jstor.org/stable/249754
[15] NV Patel, An emerging strategy for e-business IT Governance, w. grember ed. Hershey, PA: IGI
Publishing, 2003.
[16] G. L. Lunardi, J. L. Becker, A. C. G. Macada, and P. C. Dolci, “The impact of adopting IT
governance on financial performance: An empirical analysis among Brazilian firms,” International
Journal of Accounting Information Systems, vol. 15, no. 1, pp. 66–81, 3 2014. [Online]. Available:
https://www.sciencedirect.com/science/article/pii/S1467089513000122
[17] R. Huang, R. W. Zmud, and R. L. Price, “Influencing the effectiveness of IT governance
practices through steering committees and communication policies,” European Journal of
Information Systems, vol. 19, no. 3, pp. 288–302, 2010. [Online]. Available: http:
//dx.doi.org/10.1057/ejis.2010.16
[18] OECD, OECD SME and Entrepreneurship Outlook 2005. OECD Publish-
ing, 7 2005. [Online]. Available: http://www.oecd-ilibrary.org/industry-and-services/
oecd-sme-and-entrepreneurship-outlook-2005-edition 9789264009257-en
69
[19] X. Yang and J. Fu, “Review of IT/IS Adoption and Decision-Making Behavior in Small Businesses,”
Tsinghua Science & Technology, vol. 13, no. 3, pp. 323–328, 6 2008. [Online]. Available:
https://www.sciencedirect.com/science/article/pii/S100702140870052X
[20] P. Cragg, M. Caldeira, and J. Ward, “Organizational information systems competences in small
and medium-sized enterprises,” Information & Management, vol. 48, no. 8, pp. 353–363, 12 2011.
[Online]. Available: https://www.sciencedirect.com/science/article/abs/pii/S0378720611000735
[21] D. Radovanovic, T. Radojevic, D. Lucic, and M. Sarac, “IT audit in accordance with Cobit standard,”
in The 33rd International Convention MIPRO, 2010, pp. 1137–1141.
[22] Y. Bartens, S. de Haes, L. Eggert, L. Heilig, K. Maes, F. Schulte, and S. Voß, “A Visualization
Approach for Reducing the Perceived Complexity of COBIT 5,” in Advancing the Impact of Design
Science: Moving from Theory to Practice. Cham: Springer International Publishing, 2014, pp.
403–407. [Online]. Available: https://doi.org/10.1007/978-3-319-06701-8 34
[23] Y. Bartens, S. De Haes, Y. Lamoen, F. Schulte, and S. Voss, “On the way to a minimum baseline
in IT governance: Using expert views for selective implementation of COBIT 5,” HICSS, vol. 2015-
March, pp. 4554–4563.
[24] S. De Haes, W. Van Grembergen, and R. S. Debreceny, “COBIT 5 and Enterprise
Governance of Information Technology: Building Blocks and Research Opportunities,”
Journal of Information Systems, vol. 27, no. 1, pp. 307–324, 2013. [Online]. Available:
http://aaajournals.org/doi/10.2308/isys-50422
[25] L. Milner, “COBIT 5 Advantages for Small Enterprises.” COBIT Focus, no. November, pp.
1–2, 2014. [Online]. Available: http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=
99674022&lang=pt-br&site=ehost-live
[26] A. J. Berry, R. Sweeting, and J. Goto, “The effect of business advisers on the performance of
SMEs,” Journal of Small Business and Enterprise Development, vol. 13, no. 1, pp. 33–47, 2006.
[Online]. Available: https://doi.org/10.1108/14626000610645298
[27] M. J. Byrd and L. C. Megginson, Small Business Management : An Entrepreneur’s Guidebook.
McGraw-Hill Irwin, 2009.
[28] C. Upfold and D. Sewry, “An investigation of Information Security in Small and Medium
Enterprises (SMEs) in the Eastern Cape,” ISSA Conference, pp. 1–17, 2005. [Online]. Available:
http://icsa.cs.up.ac.za/issa/2005/Proceedings/Research/082 Article.pdf
[29] R. Pereira and M. Mira da Silva, “Designing a New Integrated IT Governance and IT
Management Framework Based on Both Scientific and Practitioner Viewpoint,” International
Journal of Enterprise Information Systems, vol. 8, no. 4, pp. 1–43, 2012. [Online]. Available:
http://services.igi-global.com/resolvedoi/resolve.aspx?doi=10.4018/jeis.2012100101
[30] M. F. I. Othman and T. Chan, “Barriers to formal IT Governance practice - insights from a
qualitative study,” in HICSS, R. H. J. Sprague, Ed. Wailea, Hawaii: IEEE, 2013, pp. 4415–4424.
[Online]. Available: https://eprints.qut.edu.au/59030/
[31] R. Pereira, M. Mira da Silva, and L. V. Lapao, “Business/IT Alignment through IT Governance
Patterns in Portuguese Healthcare,” International Journal of IT/Business Alignment and
Governance, vol. 5, no. 1, pp. 1–15, 2014. [Online]. Available: http://services.igi-global.com/
resolvedoi/resolve.aspx?doi=10.4018/ijitbag.2014010101
[32] R. Pereira, R. Almeida, and M. M. Da Silva, "IT Governance Patterns in the Portuguese Financial Industry," in 47th Hawaii International Conference on System Sciences (HICSS), 2014, pp. 4386–4395. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/HICSS.2014.541
[33] I. Bianchi, R. Sousa, J. Hillegersberg, and R. Pereira, “Baseline Mechanisms for IT Governance at
Universities,” ECIS 2017, vol. 2017, no. June, pp. 1551–1567, 2017.
[34] H. Osterle, J. Becker, U. Frank, T. Hess, D. Karagiannis, H. Krcmar, P. Loos, P. Mertens, A. Oberweis, and E. J. Sinz, "Memorandum on design-oriented information systems research," European Journal of Information Systems, vol. 20, no. 1, pp. 7–10, Jan. 2011. [Online]. Available: https://www.tandfonline.com/doi/full/10.1057/ejis.2010.55
[35] K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. Chatterjee, “A Design Science Research
Methodology for Information Systems Research,” Journal of Management Information Systems,
vol. 24, no. 3, pp. 45–77, 2007. [Online]. Available: http://www.jstor.org/stable/40398896
[36] C. Marnewick and L. Labuschagne, "An investigation into the governance of information technology projects in South Africa," International Journal of Project Management, vol. 29, no. 6, pp. 661–670, Aug. 2011. [Online]. Available: http://linkinghub.elsevier.com/retrieve/pii/S0263786310001080
[37] I. Benbasat and R. W. Zmud, "Empirical Research in Information Systems: The Practice of Relevance," MIS Quarterly, vol. 23, no. 1, pp. 3–16, Mar. 1999. [Online]. Available: https://www.jstor.org/stable/249403?origin=crossref
[38] K. De Maere and S. De Haes, "Is the Design Science Approach fit for IT Governance Research?" in Proceedings of the 16th European Conference on Research Methods in Business and Management (ECRM 2017), A. P. Buckley, Ed. Dublin, Ireland, June 2017, pp. 399–407.
[39] J. E. Van Aken, “Management research as a design science: Articulating the research products of
mode 2 knowledge production in management,” British Journal of Management, vol. 16, no. 1, pp.
19–36, 2005. [Online]. Available: http://doi.wiley.com/10.1111/j.1467-8551.2005.00437.x
[40] J. G. Walls, G. R. Widmeyer, and O. A. E. Sawy, “Assessing Information System Design
Theory in Perspective: How Useful was our 1992 Initial Rendition?” Journal of Information
Technology Theory and Application, vol. 6, no. 2, pp. 43–58, 2004. [Online]. Available:
https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1126&context=jitta
[41] H. Alshenqeeti, "Interviewing as a Data Collection Method: A Critical Review," English Linguistics Research, vol. 3, no. 1, pp. 39–45, 2014. [Online]. Available: http://www.sciedu.ca/journal/index.php/elr/article/view/4081
[42] P. Corbetta, Social Research: Theory, Methods and Techniques. SAGE Publications, 2003.
[43] A. Fontana and J. H. Frey, "The interview: from structured questions to negotiated text," in Handbook of Qualitative Research, 2nd ed., N. K. Denzin and Y. S. Lincoln, Eds. Thousand Oaks, CA: Sage Publications, 2000, pp. 645–672. [Online]. Available: https://contentstore.cla.co.uk//secure/link?id=64fc3bb6-6a36-e711-80c9-005056af4099
[44] A. Bryman, Social research methods. Oxford University Press, 2012.
[45] H. Rubin and I. Rubin, Qualitative Interviewing: The Art of Hearing Data, 2nd ed. Thousand Oaks, CA: SAGE Publications, Inc., 2005. [Online]. Available: http://methods.sagepub.com/book/qualitative-interviewing
[46] M. D. Myers and M. Newman, "The qualitative interview in IS research: Examining the craft," Information and Organization, vol. 17, no. 1, pp. 2–26, Jan. 2007. [Online]. Available: http://linkinghub.elsevier.com/retrieve/pii/S1471772706000352
[47] S. Kvale, Interviews: An Introduction to Qualitative Research Interviewing. Sage Publications, 1996.
[48] J. Webster and R. T. Watson, "Analyzing the Past to Prepare for the Future: Writing a Literature Review," MIS Quarterly, vol. 26, no. 2, pp. xiii–xxiii, 2002. [Online]. Available: http://www.jstor.org/stable/4132319
[49] European Central Bank, “European Central Bank: Annual Report 2004,” 2004. [Online]. Available:
https://www.ecb.europa.eu/pub/pdf/annrep/ar2004en.pdf
[50] C. Wilkin, “The Role of IT Governance Practices in Creating Business Value in SMEs,” Journal
of Organizational and End User Computing, vol. 24, no. 2, pp. 1–17, 2012. [Online]. Available:
http://services.igi-global.com/resolvedoi/resolve.aspx?doi=10.4018/joeuc.2012040101
[51] S. P.-J. Wu, D. W. Straub, and T.-P. Liang, "How Information Technology Governance Mechanisms and Strategic Alignment Influence Organizational Performance: Insights from a Matched Survey of Business and IT Managers," MIS Quarterly, vol. 39, no. 2, pp. 497–518, Feb. 2015. [Online]. Available: https://misq.org/how-information-technology-governance-mechanisms-and-strategic-alignment-influence-organizational-performance-insights-from-a-matched-survey-of-business-and-it-managers.html
[52] R. R. Peterson, “Integration Strategies and Tactics for Information Technology Governance,” in
Strategies for Information Technology Governance, 2004, pp. 37–80.
[53] M. Spremic, “IT Governance Mechanisms in Managing IT Business Value,” WSEAS
Trans. Info. Sci. and App., vol. 6, no. 6, pp. 906–915, 2009. [Online]. Available:
http://dl.acm.org/citation.cfm?id=1639438.1639441
[54] M. Broadbent, "CIO Futures - Lead with effective governance," in ICA 36th Conference, Oct. 2002, pp. 1–11. [Online]. Available: http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN011278.pdf
[55] C. Symons, M. Cecere, O. Young, and N. Lambert, “IT Governance Framework - Best Practices,”
Forrester, pp. 1–17, 2005.
[56] G. Spafford, "The Benefits of Standard IT Governance Frameworks," 2003. [Online]. Available: https://www.researchgate.net/publication/265432476_The_Benefits_of_Standard_IT_Governance_Frameworks
[57] S. De Haes and W. Van Grembergen, "IT Governance and its Mechanisms," Information Systems Control Journal, vol. 1, pp. 27–33, 2004. [Online]. Available: http://pdf.aminer.org/000/245/098/introduction_to_the_minitrack_it_governance_and_its_mechanisms.pdf
[58] G. Wiedenhoft, E. M. Luciano, and M. A. Macadar, “Information Technology Governance in Public
Organizations: Understanding the Expectations of Its Adoption through the Lens of Organizational
Citizenship,” European Conference on Information Systems (ECIS) 2016, 2016.
[59] R. Nolan and F. W. McFarlan, "Information technology and the board of directors," Harvard Business Review, vol. 83, no. 10, pp. 96–106, 157, 2005. [Online]. Available: http://europepmc.org/abstract/MED/16250628
[60] ITGI, "Global Status Report on the Governance of Enterprise IT (GEIT) 2011," IT Governance Institute, 2011, p. 70. [Online]. Available: http://www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf
[61] S. Blili and L. Raymond, “Information technology: Threats and opportunities for small and medium-
sized enterprises,” International Journal of Information Management, vol. 13, no. 6, pp. 439–448,
1993. [Online]. Available: https://www.sciencedirect.com/science/article/pii/026840129390060H
[62] H. Ongori and S. O. Migiro, "Information and communication technologies adoption in SMEs: literature review," Journal of Chinese Entrepreneurship, vol. 2, no. 1, pp. 93–104, Mar. 2010. [Online]. Available: http://www.emeraldinsight.com/doi/10.1108/17561391011019041
[63] F. Bergeron, A. M. Croteau, S. Uwizeyemungu, and L. Raymond, "IT Governance Theories and the Reality of SMEs: Bridging the Gap," in 48th Hawaii International Conference on System Sciences (HICSS), Jan. 2015, pp. 4544–4553.
[64] C. Bianchi, "Introducing SD modelling into planning and control systems to manage SMEs' growth: a learning-oriented perspective," System Dynamics Review, vol. 18, no. 3, pp. 315–338, 2002. [Online]. Available: http://doi.wiley.com/10.1002/sdr.258
[65] A. Ghobadian and D. Gallear, "Total quality management in SMEs," Omega, vol. 24, no. 1, pp. 83–106, Feb. 1996. [Online]. Available: https://www.sciencedirect.com/science/article/pii/0305048395000550
[66] M. Levy and P. Powell, Strategies for Growth in SMEs: The Role of Information Systems and Information Technology. Elsevier Butterworth-Heinemann, 2005.
[67] R. Huang, R. W. Zmud, and R. L. Price, "IT Governance Practices in Small and Medium-Sized Enterprises: Recommendations from an Empirical Study," in Information Systems - Creativity and Innovation in Small and Medium-Sized Enterprises: IFIP International Conference. Springer Berlin Heidelberg, 2009, pp. 158–179. [Online]. Available: https://doi.org/10.1007/978-3-642-02388-0_12
[68] J. Y. Thong, "Resource constraints and information systems implementation in Singaporean small businesses," Omega, vol. 29, no. 2, pp. 143–156, Apr. 2001. [Online]. Available: http://linkinghub.elsevier.com/retrieve/pii/S0305048300000359
[69] T. Mazzarol, "Strategic Management of Small Firms: A Proposed Framework for Entrepreneurial Ventures," in Proceedings of the Small Enterprise Association of Australia and New Zealand Conference 2004, 2004.
[70] G. Stonehouse and J. Pemberton, "Strategic planning in SMEs – some empirical findings," Management Decision, vol. 40, no. 9, pp. 853–861, Nov. 2002. [Online]. Available: https://www.emeraldinsight.com/doi/10.1108/00251740210441072
[71] A. Gupta and R. Hammond, “Information systems security issues and decisions for small
businesses,” Information Management & Computer Security, vol. 13, no. 4, pp. 297–310, 2005.
[Online]. Available: http://www.emeraldinsight.com/doi/10.1108/09685220510614425
[72] M. Ayat, M. Masrom, S. Sahibuddin, and M. Sharifi, “Issues in implementing IT governance in Small
and Medium Enterprises,” in ISMS 2011, 2011, pp. 197–201.
[73] K. Jairak, P. Praneetpolgrang, and P. Subsermsri, "Information technology governance practices based on sufficiency economy philosophy in the Thai university sector," Information Technology & People, vol. 28, no. 1, pp. 195–223, Mar. 2015. [Online]. Available: http://www.emeraldinsight.com/doi/10.1108/ITP-10-2013-0188
[74] M. Marrone and L. M. Kolbe, “Impact of IT Service Management Frameworks on the IT Organiza-
tion,” Business & Information Systems Engineering, vol. 3, no. 1, pp. 5–18, 2011.
[75] Great Britain Cabinet Office, ITIL Service Strategy. TSO, 2011.
[76] J. A. Calvo-Manzano, L. Lema-Moreta, M. Arcilla-Cobian, and J. L. Rubio-Sanchez, "How small and medium enterprises can begin their implementation of ITIL?" Revista Facultad de Ingenieria, no. 77, pp. 127–136, 2015.
[77] P. Schmidtbauer, K. Sandkuhl, and D. Stamer, "The Industrial Practice of ITIL Implementation in Medium-Sized Enterprises," in BIS 2013 Workshops, W. Abramowicz, Ed. Springer Berlin Heidelberg, 2013, pp. 124–135. [Online]. Available: https://doi.org/10.1007/978-3-642-41687-3_13
[78] D. W. Martin, Doing Psychology Experiments, 2nd ed. Monterey, CA: Brooks/Cole Pub. Co, 1985.
[79] S. Ali and P. Green, "IT Governance Mechanisms in Public Sector Organisations: An Australian context," Journal of Global Information Management, vol. 15, no. 4, pp. 41–63, Oct. 2007. [Online]. Available: http://services.igi-global.com/resolvedoi/resolve.aspx?doi=10.4018/jgim.2007100103
[80] T. P. Herz, F. Hamel, F. Uebernickel, and W. Brenner, "IT Governance Mechanisms in Multisourcing – A Business Group Perspective," in 45th Hawaii International Conference on System Sciences. IEEE, Jan. 2012, pp. 5033–5042. [Online]. Available: http://ieeexplore.ieee.org/document/6149503/
[81] S. Ali and P. Green, "Effective information technology (IT) governance mechanisms: An IT outsourcing perspective," Information Systems Frontiers, vol. 14, no. 2, pp. 179–193, Apr. 2012. [Online]. Available: http://link.springer.com/10.1007/s10796-009-9183-y
[82] R. Almeida, R. Pereira, and M. da Silva, "IT Governance Mechanisms: A Literature Review," in Exploring Services Science: 4th International Conference, IESS 2013, Porto, Portugal, February 7-8, 2013, Proceedings, J. Falcão e Cunha, M. Snene, and H. Novoa, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 186–199. [Online]. Available: https://doi.org/10.1007/978-3-642-36356-6_14
[83] N. K. Denzin and Y. S. Lincoln, Collecting and interpreting qualitative materials.
[84] R. K. Yin, Qualitative Research from Start to Finish, 1st ed. The Guilford Press, 2010.
[85] R. Pereira, R. Almeida, and M. M. da Silva, "How to Generalize an Information Technology Case Study." Springer, Berlin, Heidelberg, 2013, pp. 150–164. [Online]. Available: https://doi.org/10.1007/978-3-642-38827-9_11
[86] R. Likert, "A technique for the measurement of attitudes," Archives of Psychology, vol. 22, no. 140, pp. 1–55, 1932. [Online]. Available: http://www.voteview.com/pdf/Likert_1932.pdf
[87] C. Sonnenberg and J. vom Brocke, "Evaluation patterns for design science research artefacts," in Communications in Computer and Information Science, vol. 286. Springer, Berlin, Heidelberg, Oct. 2012, pp. 71–83. [Online]. Available: https://doi.org/10.1007/978-3-642-33681-2_7
[88] P. Verschuren and R. Hartog, "Evaluation in Design-Oriented Research," Quality & Quantity, vol. 39, no. 6, pp. 733–762, Dec. 2005. [Online]. Available: http://link.springer.com/10.1007/s11135-005-3150-6
[89] J. Pries-Heje, R. Baskerville, and J. Venable, “Strategies for Design Science Research Evaluation,”
in ECIS 2008 Proceedings. 87., 2008. [Online]. Available: https://aisel.aisnet.org/ecis2008/87
[90] M. K. Sein, O. Henfridsson, S. Purao, M. Rossi, and R. Lindgren, "Action Design Research," MIS Quarterly, vol. 35, no. 1, pp. 37–56, 2011. [Online]. Available: http://dl.acm.org/citation.cfm?id=2017483.2017487
[91] Y. Wand and R. Weber, “On the ontological expressiveness of information systems analysis and
design grammars,” Information Systems Journal, vol. 3, no. 4, pp. 217–237, 1993. [Online].
Available: http://dx.doi.org/10.1111/j.1365-2575.1993.tb00127.x
[92] D. Silva, M. M. da Silva, and R. Pereira, "Baseline Mechanisms for Enterprise Governance of IT in SMEs," in 2018 IEEE 20th Conference on Business Informatics (CBI). Vienna, Austria: IEEE, July 2018. [Online]. Available: https://doi.org/10.1109/cbi.2018.10044
Appendix A: List of EGIT Mechanisms
Table A.1: List of EGIT Mechanisms

Each row gives the EGIT mechanism followed by its definition.

1. IT Strategy Committee: The IT Strategy Committee operates at board level. Composed of board and non-board members, it should assist the board in governing and overseeing the enterprise's IT-related matters. It should ensure that IT is a regular item on the board's agenda and that the board has the information required to achieve the ultimate objectives of IT governance. The committee has to work in close relationship with the other board committees and with management in order to provide input, and to review and amend the aligned enterprise and IT strategies [2],[13],[57].

2. IT Audit Committee (at the level of the board of directors): Independent committee at the level of the board of directors overseeing (IT) assurance activities [2]. This committee should identify the key business processes that depend on IT, identify the key risk areas, constantly measure the risk level, and systematically and carefully examine the efficiency of their controls [53].

3. CIO on Board: The presence of the CIO on the board ensures that IT is a regular item on the board's agenda and is addressed in a structured manner. It also enhances the board's ability to understand the role of IT in business strategy and to map the ITG role of the executive team. The CIO should report to the board on a regular basis [10],[52],[57].

4. CIO on Executive Committee: The CIO is a full member of the executive committee [2]. This ensures that IT is part of the executive team's agenda, where most strategy discussions begin and end. Through that interaction IT can be an enabler of the organization [2],[55].

5. CIO reporting to CEO and/or COO: The CIO has a direct reporting line to the CEO and/or COO [2].

6. IT Steering Committee: The IT steering committee is situated at executive level. It is responsible for determining business priorities in IT investment [2]. It assists the executive in the delivery of the IT strategy, overseeing the day-to-day management of IT service delivery and IT projects. The IT steering committee focuses particularly on implementation [13], tracking IT investments, setting priorities and allocating scarce resources [1].

7. IT Governance Function/Officer: Structure in the organization responsible for promoting, driving and managing IT governance processes, reporting to the CIO [2],[55]. Implementing this structure sends a strong message that IT governance is important and provides a continual focus on the issue by dedicating a resource and holding a senior manager accountable for IT governance initiatives [55].

8. Security / Compliance / Risk Officer: Function responsible for security, compliance and/or risk, which possibly impacts IT [2].

9. IT Project Steering Committee: Steering committee composed of business and IT people, focusing on prioritizing and managing IT projects [2].

10. IT Security Steering Committee: Steering committee composed of business and IT people, focusing on IT-related risks and security issues [2].

11. Architecture Steering Committee: Committee composed of business and IT people that provides architecture guidelines, advises on their application and directs IT architecture design [1],[2]. Its main goal is to identify, communicate and enforce architecture and IT standards and strategic technologies, and to ensure that the architecture is compliant with legislative and regulatory requirements [1],[10],[54],[55].

12. Integration of Governance / Alignment Tasks in Roles and Responsibilities: A clear and unambiguous definition of the roles and responsibilities of the involved parties is fundamental for effective IT governance [13],[57]. It includes governance/alignment tasks for business and IT people [2]; it is the role of the board and executive management to communicate these roles and responsibilities and to make sure they are clearly understood throughout the whole organization [13],[57].

13. IT Councils: IT councils often report to the executive committee and have overlapping memberships. These councils can provide a focused environment in which to consider several levels of policies and investments [54] and to discuss new technologies and new ways technology can be leveraged across the organization [27]. The big items can then go to the executive committee with informed recommendations [54].

14. IT Leadership Councils: IT leadership councils, composed of business unit IT representatives, are particularly important for large multi-business enterprises where there is a mix of responsibilities for infrastructure services, some enterprise-wide and others at business-unit level, that need to be governed and managed [22],[54].

15. Business/IT Relationship Managers: Business/IT relationship managers act as the intermediary between the business and IS, playing a critical daily two-way role by helping IS understand how the business operates and giving the business units an entry point to IS. They play an important role in communicating mandates and their implications and in supporting the needs of business unit managers while helping them see benefits rather than inconveniences [10],[15].

16. IT Investment Committee: Committee responsible for evaluating and approving major capital expenditures, ensuring that all approved IT investments are aligned with the organization's strategies and deliver value within acceptable risk boundaries [22],[55].

17. IT Expertise at Level of Board: Members of the board of directors have expertise and experience regarding the value and risk of IT. A lack of board oversight of IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would [2],[10].

18. IT Organization Structure: The possibility of effective governance over IT is also determined by the way the IT function is organized and where IT decision-making authority is located in the organization. The adoption of a particular mode is influenced by different determinants, such as history, economies of scale, size, industry, etc. Decision-making structures are the natural approach to generating commitment within the organization [10],[57].
   Centralized: In a centralized IT organization, all IT decision-making and the IT budget are in one place; they are much easier to manage and require much less effort to organize [55]. Promotes efficiency and standardization of the IT infrastructure [57].
   Decentralized: In a decentralized organization, each decentralized IT function has developed its own IT governance processes, infrastructure and applications [55]. Promotes effectiveness and flexibility for the development of applications [57].
   Federal: Hybrid organizations that have both centralized and decentralized components. Most infrastructure and enterprise-wide applications are centralized in a corporate IT organization and operated as a shared service with chargebacks, while business units retain control over specific applications and development resources [55]. This model tries to achieve both efficiency and standardization for the infrastructure, and effectiveness and flexibility for the development of applications [13],[57].

19. Strategic Information System Planning: Formal processes to define and update the IT strategy of the organization [2], including aligning IT with business goals, exploiting IT for competitive advantage, directing efficient and effective management of IT resources, and developing technology policies and architectures. These processes should ensure that IT priorities and investments are aligned with the mission, objectives and goals of the organization [2],[13].

20. IT Performance Measurement - IT Balanced Scorecard (BSC): An important part of the implementation process of strategic alignment is the performance measurement of IT and of IT in relation to the business. The BSC has been applied to the IT function and its processes. Recognizing that IT is an internal service provider, the proposed BSC perspectives should be changed accordingly, to corporate contribution, user orientation, operational excellence and future orientation. Linking the business BSC and the IT BSC is a supportive mechanism for ITG [2],[13],[57].

21. Portfolio Management: Process to prioritize and manage IT-related investments, projects and assets by means of investment programs in which business and IT people are involved (includes business cases, information economics, ROI, payback) [2],[55]. A strong IT portfolio management process is in place to ensure that all IT investments are optimized and deliver optimal value to the organization [55].

22. Chargeback: Chargeback is an accounting mechanism for allocating central IT costs to business units. Its purpose is to allocate costs so that business units' IT costs reflect their use of shared services, while the shared services unit matches its costs with the business it supports. When IT understands its costs and charges out accordingly, chargeback processes demonstrate the cost savings resulting from shared services. Enterprises with effective costing mechanisms find that chargeback can foster useful discussions between IT and business units about IT charges, leading to better-informed ITG decisions [2],[10],[15].

23. Service Level Agreement: A Service Level Agreement (SLA) is defined as "a written contract between a service provider of a service and the customer of the service". The functions of SLAs are to define what levels of service are acceptable to users and attainable by the service provider, and to define a mutually acceptable and agreed-upon set of indicators of the quality of service. Three basic types of SLA can be defined: in-house, external and internal SLAs. The differences between these types refer to the parties involved in the definition of the SLA [2],[13],[57].

24. IT Governance Frameworks/Standards: Generically, a framework is a set of guiding principles and good practices that are explicitly designed to be adapted by adopting organizations. Frameworks are distinguished from standards, which are designed for monolithic adoption. An IT governance framework/standard is the set of guidelines and good practices to govern and manage IT-related issues and activities [24].

25. IT Governance Assurance and Self-assessment: Process to perform regular self-assessments or independent assurance activities on the governance and control over IT [2].

26. Project Governance / Management Methodologies: Processes and methodologies to govern and manage IT projects [2].

27. IT Budget Control and Reporting: Processes to control and report upon the usage of established budgets for IT investments and projects [2].

28. Benefits Management and Reporting: Processes to monitor the planned business benefits and report the actual situation in terms of benefits realization during and after the implementation of IT investments/projects [2].

29. Business/IT Alignment Model: Model that conceptualizes and directs the process and goal of achieving competitive advantage through developing and sustaining a symbiotic relationship between business and IT. One of the most used models is the well-known Strategic Alignment Model (SAM) [13].

30. IT Governance Maturity Models: To implement and improve an IT governance framework, organizations need a self-diagnosing tool [13]. To be able to self-assess, measure and benchmark IT governance performance, organizations can use a maturity model. This is a scoring method based on a variety of attributes that enables the organization to grade itself from non-existent (0) to optimized (5), helping to determine the "as-is" and the "to-be" position. Once these positions are known, gaps can be determined, projects defined, and specific actions defined to move towards the desired level of governance maturity [13],[57].

31. Demand Management: Demands for IT resources come from all directions and in all forms. Some demand is routine, other demand is strategic and complex. Demand management forces all IT demand through a single point, where the demands can be consolidated, prioritized and fulfilled [55].

32. Architectural Exception Process: Technology standards are critical to IT and business efficiency, but occasionally exceptions are not only appropriate, they are necessary. Enterprises use the exception process to meet unique business needs and to gauge when existing standards are becoming obsolete. Without a viable exception process, business units ignore the enterprise-wide standards and implement exceptions with no approval. The effectiveness of the architecture exception process depends on the ability of the IT unit to research and define standards and on the enterprise's commitment to technology standards [10],[27].

33. Job Rotation: IT staff working in the business units and business people working in IT [2]. Employees have the opportunity to rotate between different IT and business functions, contributing to widen their knowledge and increase mutual insight into the business and IT [2].

34. Business/IT Co-location: Physically locating business and IT people close to each other [2], enforcing daily contact between them through the physical layout of the working environment [2].

35. Cross-Training: Training business people about IT and/or training IT people about the business [2].

36. Knowledge Management (on IT governance): Mechanism to communicate, share and distribute knowledge about the IT governance framework, responsibilities, tasks, etc. Portals have become the premier method to implement this mechanism [2],[55].

37. Business/IT Account Management: Bridging the gap between business and IT by means of account managers who act as go-betweens [2].

38. Senior Management Giving the Good Example: Senior business and IT management acting as "partners" [2],[8].

39. Informal Meetings between Business and IT Senior Management: Informal meetings, with no agenda, where business and IT senior management talk about general activities, directions, etc. (e.g. during informal lunches) [2],[54].

40. IT Leadership: The ability of the CIO or a similar role to articulate a vision for IT's role in the company and ensure that this vision is clearly understood by managers throughout the organization. Hence, the goal of IT leadership is coordination across the organization [2],[15],[8].

41. Organizational Internal Communication: Internal communication that regularly addresses general IT issues [2],[8].

42. IT Governance Awareness Campaigns: Campaigns to explain to business and IT people the need for ITG. Working with managers who stray from desirable behaviors is a necessary part of generating the potential value of governance processes; therefore it is necessary to communicate with those managers in order to educate them on IT issues [2],[10].

43. Partnership Rewards and Incentives: Mechanism that consists in giving rewards and incentives, such as financial rewards, to employees who follow the organization's strategy and contribute to the achievement of performance objectives [13],[52].

44. Shared Understanding of Business/IT Objectives: Mechanism that promotes mutual understanding of business and IT objectives and plans by business and IT people, and respect for each other's contribution. Business and IT people can then accurately interpret and anticipate actions and, if necessary, coordinate adaptively. This mechanism is considered paramount for attaining and sustaining business/IT alignment [2],[52].

45. Senior Management Announcements: Senior management announcements clarifying priorities and demonstrating commitment usually get a great deal of attention throughout an organization [10].

46. Office of CIO or ITG: IT governance needs an owner to ensure that individual mechanisms reinforce rather than contradict one another and to communicate governance processes and purposes. This mechanism also needs to ensure alignment between IT governance and the governance of the organization's other key assets (financial, human, physical, IP and relationship) [10].
Appendix B: Questionnaire upon EGIT Mechanisms
Researcher: David Miguel Mendonça da Silva ([email protected])
Interview Guide
This interview is part of a Master Thesis about implementing COBIT 5 in Small and Medium
Enterprises and will be conducted by the student David Miguel Mendonça da Silva, under the
supervision of the professors Miguel Mira da Silva (IST) and Rúben Pereira (ISCTE).
The objective of this interview is to identify the fundamental mechanisms for the
implementation of effective Enterprise Governance of IT (EGIT) in Small and Medium
Enterprises (<250 employees) based on the experience and knowledge of professionals in
the area.
The questionnaire is divided into two sections:
1. Questions regarding your education level and personal experience with IT in Small and Medium Enterprises.
2. Questions regarding the evaluation of EGIT Mechanisms.
General information:
• This study will be conducted with IT professionals who are knowledgeable about the COBIT 5 framework.
• The interview time is approximately 30 min. Feel free to interrupt at any time. I would like to record the interview with your consent and authorization.
• The purpose of this interview is solely academic; your personal information and your organisation will be protected by confidentiality.
• The results of this research may be submitted to conferences and academic journals. All information from the interviewee and the organization will be confidential.
• The results obtained will be shared with all those involved in the interviews.
• Personal Information
In the following questions, mark the correct option with X:
1. Age range:
A) [20-30] □; B) [30-40] □; C) [40-50] □; D) [50-60] □; E) [60+] □;
2. Education Level:
A) Specialist □; B) Bachelor □; C) Master □; D) Doctor □;
3. Position:
A) CIO □; B) IT Director □; C) IT Manager □;
D) IT Operational □; E) Other:
4. IT Experience (years):
5. Experience in Small and Medium Organization (<250 employees)(years):
6. Number of SMEs you worked for:
7. From your experience in SMEs, indicate your experience in each sector:
A) Public sector (years): B) Private sector (years):
8. If you are currently working in a small organization, please indicate:
A) Total number of employees: B) Total number of IT employees (including outsourcing):
• EGIT Mechanisms evaluation:
The following table contains an overarching list of EGIT mechanisms extracted from the literature. Evaluate each of these mechanisms (one per row) according to the following criteria (one per column): Effectiveness, defined as the extent to which the mechanism contributes to the attainment of IT-related goals and objectives; Ease of implementation, defined as the amount of time and effort required for implementation.
This evaluation will be based on the following numerical scales:
• What is the ease of implementation of a particular EGIT Mechanism? Rate between 0 and 5. Evaluate with 0 (zero) if it is not easy to implement. Evaluate with 5 (five) if it is considered to be extremely easy to implement.
• What is the effectiveness of a particular EGIT Mechanism? Rate between 0 and 5. Evaluate with 0 (zero) if it is considered to be ineffective. Evaluate with 5 (five) if you think it is extremely effective.
Mechanisms | Ease of implementation (0-5) | Effectiveness (0-5)
1. IT Strategy Committee | |
2. IT Audit Committee (at level of board of directors) | |
3. CIO on Board | |
4. CIO on Executive Committee | |
5. CIO reporting to CEO and/or COO | |
6. IT Steering Committee | |
7. IT Governance Function/Officer | |
8. Security / Compliance / Risk Officer | |
9. IT Project Steering Committee | |
10. IT Security Steering Committee | |
11. Architecture Steering Committee | |
12. Integration of Governance / Alignment Tasks in Roles and Responsibilities | |
13. IT Councils | |
14. IT Leadership Councils | |
15. Business/IT Relationship Managers | |
16. IT Investment Committee | |
17. IT Expertise at Level of Board | |
18. IT Organization Structure | |
18.1. Centralized | |
18.2. Decentralized | |
18.3. Federal | |
19. Strategic Information System Planning | |
20. IT Performance Measurement - IT Balanced Scorecard (BSC) | |
21. Portfolio Management | |
22. Chargeback | |
23. Service Level Agreement | |
24. IT Governance Frameworks/Standards | |
25. IT Governance Assurance and Self-assessment | |
26. Project Governance / Management Methodologies | |
27. IT Budget Control and Reporting | |
28. Benefits Management and Reporting | |
29. Business/IT Alignment Model | |
30. IT Governance Maturity Models | |
31. Demand Management | |
32. Architectural Exception Process | |
33. Job Rotation | |
34. Business/IT Co-location | |
35. Cross-Training | |
36. Knowledge Management (on IT Governance) | |
37. Business/IT Account Management | |
38. Senior Management Giving the Good Example | |
39. Informal Meetings between Business and IT Senior Management | |
40. IT Leadership | |
41. Organizational Internal Communication | |
42. IT Governance Awareness Campaigns | |
43. Partnership Rewards and Incentives | |
44. Shared Understanding of Business/IT Objectives | |
45. Senior Management Announcements | |
46. Office of CIO or ITG | |
If there are other mechanisms that are not present in this list, please list them:
Given your evaluation of the EGIT Mechanisms, select the 10 minimum (baseline) mechanisms that you consider fundamental to effectively implement IT Governance in Small and Medium Enterprises. Enter the name of each mechanism or the number that identifies it in the previous table.
Minimum Baseline of EGIT Mechanisms
1
2
3
4
5
6
7
8
9
10
C Questionnaire upon Mapping
Researcher: David Miguel Mendonça da Silva ([email protected])
Interview Guide
This interview is part of a Master Thesis about Implementing COBIT 5 in Small and Medium Enterprises and will be conducted by the student David Miguel Mendonça da Silva, under the supervision of the professors Miguel Mira da Silva (IST) and Rúben Pereira (ISCTE).
The goal of this interview is to perform a qualitative evaluation of the proposed Mapping between general EGIT Mechanisms and the COBIT 5 components that support their implementation.
General information:
• This study will be conducted with IT professionals who are knowledgeable about the COBIT 5 framework.
• The interview time is approximately 30 min. Feel free to interrupt at any time. I would like to record the interview with your consent and authorization.
• The purpose of this interview is solely academic; your personal information and your organisation will be protected by confidentiality.
• The results of this research may be submitted to conferences and academic journals. All information from the interviewee and the organization will be confidential.
• The results obtained will be shared with all those involved in the interviews.
• Personal Information
In the following questions, mark the correct option with X:
1. Age range:
A) [20-30] □; B) [30-40] □; C) [40-50] □; D) [50-60] □; E) [60+] □;
2. Education Level:
A) Specialist □; B) Bachelor □; C) Master □; D) Doctor □;
3. Position:
A) CIO □; B) IT Director □; C) IT Manager □;
D) IT Operational □; E) Other:
4. IT Experience (years):
5. Experience in Small and Medium Organizations (<250 employees)(years):
6. Classify your knowledge regarding IT Governance:
Scale: {1 = Unknown, 2 = heard about, 3 = Known, 4 = Known well, 5 = Expert}
1 2 3 4 5
7. Classify your knowledge regarding the COBIT 5 framework:
Scale: {1 = Unknown, 2 = heard about, 3 = Known, 4 = Known well, 5 = Expert}
1 2 3 4 5
8. Have you had any COBIT 5 training or certification? If yes, which level (Foundation, Implementation, Assessment)? ______________.
• Evaluation of the proposed mapping:
The following questions intend to evaluate the proposed mapping between the EGIT mechanisms and the COBIT 5 components.
Part 1 - For each line of the mapping (correspondence), classify your agreement regarding the mapping using the 5-point scale presented:
Question - Do you agree with the established mapping between the EGIT mechanism and the COBIT 5 component?
Scale: {1 = Strongly disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree}
o Correspondence 1:
1 2 3 4 5
o Correspondence 2:
1 2 3 4 5
o Correspondence 3:
1 2 3 4 5
o Correspondence 4:
1 2 3 4 5
o Correspondence 5:
1 2 3 4 5
o Correspondence 6:
1 2 3 4 5
o Correspondence 7:
1 2 3 4 5
o Correspondence 8: No component related to this mechanism was detected. Do you know any component (process or structure) that is related to this type of mechanism? If yes, which component? ______________________________
o Correspondence 9:
1 2 3 4 5
Part 2 - The following questions address the evaluation of certain characteristics of the artefact and its use in practice. Classify from 1 to 5 using the scale presented in each question:
1. Do you agree that this mapping achieves its desired goal?
Scale: {1 = Strongly disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree} 1 2 3 4 5
2. Do you agree that the level of detail presented in the definitions used to establish the mapping is sufficient?
Scale: {1 = Strongly disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree} 1 2 3 4 5
3. Do you consider that the presented mapping is internally consistent? (The procedure is the same for each correspondence: each correspondence presents the same information, the level of detail is equal for every correspondence, etc.)
Scale: {1 = Strongly disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree} 1 2 3 4 5
4. Classify the utility of this mapping between general EGIT Mechanisms and COBIT 5 components if you were a practitioner aiming to start implementing effective EGIT in your Small and Medium Enterprise (SME) by adopting the COBIT 5 framework. (Would it be advantageous to know the fundamental mechanisms for SMEs and the corresponding COBIT 5 components that could support the implementation of those mechanisms?)
Scale: {1 = Not Useful, 2 = Little Useful, 3 = Moderately Useful, 4 = Useful, 5 = Very Useful} 1 2 3 4 5
5. Classify how easily you can identify which COBIT 5 components support the implementation of a given EGIT Mechanism.
Scale: {1 = Very Hard, 2 = Hard, 3 = Moderately Hard, 4 = Easy, 5 = Very Easy} 1 2 3 4 5
6. Classify the ease with which someone who does not have a high level of knowledge about COBIT 5 can understand and use this mapping.
Scale: {1 = Very Hard, 2 = Hard, 3 = Moderately Hard, 4 = Easy, 5 = Very Easy} 1 2 3 4 5
D Results of Mapping Evaluation
Table D.1: Results of correspondences evaluation
Table D.2: Results of Prat et al. criteria evaluation