Information Technology Plan as an IT Governance Maturity Driver

Having an information technology (IT) plan is a minimum baseline for optimal IT governance. But, creating a plan is only one problem, executing it poses even more challenging problems. In this research, we investigate the correlation between an organization's IT plan and the organization's IT governance maturity level. We show that, on one hand, executing an IT plan requires a certain IT governance maturity level, on the other hand, the experience of executing an IT plan drives the organization IT governance maturity level. We compare the situations in two government institutions and found indications that the organization with an ambitious IT plan has more mature IT governance than the other whose IT plan is relatively modest. The results suggest that an effective IT plan should include plans for the development of IT governance mechanisms relevant to the goals that the plan is intended to achieve, and the plan's implementation schedule, also known as the IT roadmap, should take into consideration the growth of the IT governance mechanisms' maturity levels. Memiliki rencana untuk teknologi informasi (TI) adalah base line untuk tata kelola TI yang optimal. Tapi, membuat rencana hanyalah satu masalah, melaksanakannya akan menciptakan masalah baru yang lebih menantang. Dalam penelitian ini, kami menyelidiki korelasi antara rencana TI suatu organisasi dengan tingkat maturity tata kelola TI-nya. Kami menunjukkan bahwa, di satu sisi, untuk melaksanakan rencana TI memerlukan tingkat kematangan tata kelola TI tertentu, di sisi lain, pengalaman dalam menjalankan rencana TI mendorong organisasi dalam meningkatkan tata kelola TI. Kami membandingkan situasi di dua lembaga pemerintah dan menemukan indikasi bahwa organisasi dengan rencana TI yang ambisius memiliki tata kelola TI lebih matang dari organisasi yang rencana TI-nya relatif sederhana. Hasil penelitian menunjukkan bahwa perencanaan TI yang efektif harus mencakup rencana untuk pengembangan mekanisme tata kelola TI yang relevan dengan tujuan yang ingin dicapai, dan jadwal pelaksanaan rencana atau roadmap TI, harus mempertimbangkan pertumbuhan tingkat mekanisme tata kelola TI.


Introduction
Information Technology (IT) planning is among the top ten essential processes that constitute the minimum baseline for optimal IT governance [1]. This process is one of the core SURFHVVHV IRU HQVXULQJ WKDW EXVLQHVV ¶ VWUDWHJLF DQG tactical plans are aligned with IT strategies and tactical plans, and vice versa. For an organization to be effective in governing its IT, it must have a plan that serves as guidance to various IT-related decisions that the organization must take. The IT plan should lay out the strategic direction for the development, the architectural blueprint, and the LPSOHPHQWDWLRQ URDGPDS RI WKH RUJDQL]DWLRQ ¶V ,7 However, having an IT plan is just one part of the journey toward aligning IT with business, another part that is more challenging is executing the plan successfully. Executing an IT plan involves making decisions about resource allocation, risk assessment and mitigation, as well as organizational change, among other things. Processes and structures that govern such decision making are within the domain of IT governance.
In this research, we investigate the interrelationship between the characteristics of an RUJDQL]DWLRQ ¶V ,7 SODQ DQG WKH RUJDQL]DWLRQ ¶V ,7 governance maturity level. The motivation behind this investigation is to collect case-based data that supports our hypothesis that an organization IT governance maturity is closely tied with the RUJDQL]DWLRQ ¶V SODQ IRU LWV ,7 0RUH VSHFLILFDOO\ the judgment whether an organization IT governance is mature enough or not is relative to WKH QDWXUH RI WKH RUJDQL]DWLRQ ¶V ,7 SODQ ,Q addition, we are also interested in finding out whether a more ambitious IT plan drives an organization toward a higher IT governance maturity level, through the experience gained by the organization in embarking on such an ambitious, and typically riskier, IT plan. We believe that this provides further support for the LQWHUUHODWLRQVKLS EHWZHHQ DQ RUJDQL]DWLRQ ¶V ,7 plan and its IT governance maturity level.
This research was conducted through case studies at two government institutions at the level of directorate general (one level below ministry/state-department) within the government of Republic of Indonesia. The institutions requested that their institution names not to be disclosed.
According to the Information Technology Governance Institute (ITGI), IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enWHUSULVH ¶V ,7 VXVWDLQV DQG H[WHQGV WKH RUJDQL]DWLRQ ¶V VWUDWHJ\ DQG REMHFWLYHV [2]. As the governance of IT typically covers a broad scope of activities, it can be helpful to conceptualize the DSSOLFDWLRQ RI ,7 JRYHUQDQFH WR DQ RUJDQL]DWLRQ ¶V day-to-day activities in terms of business processes. Three of the most prominent process frameworks, according to Betz [3], are the Capability Maturity Model Integration or CMMI [4], WKH ,7*, ¶V &RQWURO 2EMHFWLYHV IRU ,QIRUPDWLRQ and related Technology or COBIT, and the 2*& ¶V ,QIRUPDWLRQ 7HFKQRORJ\ ,QIUDVWUXFWXUH Library or ITIL. These frameworks include some sort of capability maturity model components [5].
The central concept behind a maturity model is the notion that it is possible to evaluate the maturity of various processes based on a hierarchical scale. Although numerous maturity models exist, what they have in common is the idea that it is possible to view organizational development as a continuum of stages that organizations pass through as their processes go from immaturity to maturity [6]. Despite minor differences in terminology, all models begin with a Level Zero (process nonexistent) or Level One (initial process), continuing on with Level Two (repeatable process), Level Three (defined process), Level Four (managed process), and Level Five (optimized process). De Haes and Van Grembergen see the value of a maturity model as a tool that offers an easy-to-understand way to determine the as is and to be positions and enables the organization to benchmark itself against best practices and standard guidelines. In this way, gaps can be identified and specific actions can be defined to move toward the desired level of strategic alignment/governance maturity [7]. The COBIT framework focuses on process control in that it positions itself as a methodology that enables organizations to manage IT governance processes, and in particular, to conduct audits. COBIT is often characterized as a set of control objectives and management guidelines that organizations can apply to any of the IT processes that the IT Governance Institute has identified [8]. There four domains and 34 IT processes defined in COBIT. The domains are Plan & Organize (PO), Acquire & Implement (AI), Deliver & Support (DS), and Monitor & Evaluate (ME). The processes in each domain are shown in table I.
In addition to the control objectives, COBIT also features critical success factors, as well as a six-level maturity model that organizations can use to implement IT governance functions. As stated in COBIT 4.1 documentation, determining what the desired state is for the maturity of any of the IT process areas (capability) depends primarily on the return on investment that an organization seeks.

Methodology
This research can be categorized as casebased study which focuses on describing conditions relevant to the research question that are specific to the organization where the study is conducted. As mentioned in the introduction, two organizations were chosen as the subjects of the study. Because we were requested not to disclose the names of the organizations, we will call the two institutions Organization-A and Organization-B. Organization-A and organization-B developed their IT plans in 2008 and 2007, respectively. Each of the IT plans was developed through a number of stakeholders meeting sessions to assure that the plan has been given input, collective approval and support by the stakeholders of the organization.
Our investigation into the links between IT plan and IT governance maturity proceeds in a number of steps. First, we identify the IT processes that are necessary to assure the HIIHFWLYHQHVV RI WKH ,7 SODQ ¶V LPSOHPHQWDWLRQ 7KLV LV GRQH E\ PHDQV RI &2%,7 ¶V ,7 JRDO WR ,7 processes mapping table [9]. For each IT development program in the IT plan, we identify the relevant IT goal or goals that the program is intended to achieve. An IT development program is an initiative that consists of one or more IT related projects. From the list of IT goals, we then identify the relevant IT processes based on the &2%,7 ¶V PDSSLQJ WDEOH Next, we measure the maturity level of the RUJDQL]DWLRQ ¶V UHOHYDQW ,7 SURFHVVHV LGHQWLILHG LQ the earlier step. The IT process maturity of each organization is measured using a simplified checklist that we developed based on the COBIT 4.1 process maturity model [10]. The maturity of each process in each of the four COBIT domains is scored using the standard Software Engineering ,QVWLWXWH ¶V &00-based process maturity [4], ranging from 0 to 5. The reason why we use a simplified checklist rather than a more elaborate scoring system is that the list is much easier for stakeholders in the organization to understand, and thus, it is much easier for us and the RUJDQL]DWLRQ ¶V VWDNHKROGHUV WR DJUHH RQ WKH PDWXULW\ OHYHO RI WKH RUJDQL]DWLRQ ¶V ,7 SURFHVVHV The simplified checklist rates the maturity of an IT process using the criteria as shown in table II. From the result, we look for any indications that each organization defines its IT development programs which executions require IT processes that are relatively mature.
To support our hypothesis that the RUJDQL]DWLRQV ¶ SDVW H[SHULHQFH GURYH WKH RUJDQL]DWLRQV ¶ ,7 JRYHUQDQFH PDWXULW\ OHYHO ZH ask the organizations about the major risks that they perceive could impede the implementation of their IT plans. Risks, including the risk of not delivering values to the organization, are the main drivers in the implementation of IT governance [11]. We identify the risks through interviews with the head of IT division at each of the organizations by asking about the conditions that are perceived as impediments to the execution of WKH RUJDQL]DWLRQ ¶V ,7 SODQ 7KH UHVSRQGHQWV ZHUH asked with the following question:

%DVHG RQ \RXU RUJDQL]DWLRQ ¶V H[SHULHQFH XS until now, what are the major risks in executing the current IT plans?
We then extracted the risk statements from the answers and consolidated risk statements that represent the same type of risk. For each of the risks, we identify IT process or processes that embed controls to mitigate the risk. From the result, we identify whether the awareness of the risks coincides with the relatively high maturity level of the IT processes that control the risks.     From this mapping, we obtain the relevant IT processes that each of the organizations must master to effectively execute their planned IT development programs. The maturity levels of the relevant processes for organization-A and organization-B, respectively, are shown in figure  1 and 2. The maturity levels are measured using the simplified checklist described earlier.
As can be seen in figure 1, organization-$ ¶V IT plan defines IT development programs that involve 22 IT processes, 20 (91%) of which have maturity levels of 2 (repeatable) or higher, and 9 (41%) of which have maturity levels of 3 (defined). For organization-B (see figure 2), 12 IT processes are involved, 9 (75%) of which have maturity levels of 2 (repeatable) or higher, and 2 (17%) of which have maturity levels of 3 (defined).
When asked about the potential risks in executing their IT plans, the answers can be summarized as shown in table IV and V for organization-A and organization-B, respectively. The IT process that best addresses each of the risks is also shown in the tables. For organization-A, the identified IT plan execution risks are covered by IT processes (AI 2, AI 5, and DS 7) that are relatively mature, i.e., defined (level 3). For organization-B, the identified risks are covered by process AI 5 whose maturity level is repeatable (level 2). A number of procurement processes resulted in contract winners that were not competent enough to deliver the intended results.

Conclusion
The results suggest that there is a reciprocal influence between an organizatLRQ ¶V ,7 governance maturity level and how the organization plans its IT capability, the more mature its IT governance the more complex its IT plan, conversely, the experiences gained from executing an ambitious IT plan provide an organization with valuable lessons to improve its IT governance effectiveness. The question is then what should an organization address first, IT governance before IT plan or IT plan before IT governance? Our result indicates that, on one hand, an organization gains IT governance maturity through exercises involved in executing its IT plan, on the other hand, executing a complex IT plan without mature IT governance is prone to failures. We believe that the answer is WKDW DQ RUJDQL]DWLRQ ¶V ,7 SODQ VKRXOG LQFOXGH SODQV for the development of relevant IT governance mechanisms. By relevant we mean IT governance mechanisms that are needed to guard the implementation of the rest of the IT plan. This consideration will add more complexity to the development of the IT roadmap, as IT governance maturity level becomes another factor in scheduling the implementation of the IT plan, in addition to the usual factors such as precedence relation amongst projects and amount of efforts vs. resources availability consideration. One possible scenario is for an organization to schedule its IT plan implementations starting with projects KDYLQJ ULVNV ZLWKLQ OHYHOV WKDW WKH RUJDQL]DWLRQ ¶V IT governance mechanisms can handle, followed by projects with slightly higher risks to allow the required IT governance mechanisms to be exercised and improved to the desired maturity levels, before embarking further on much riskier IT projects. Taking this approach, COBIT ¶V ,7 goal to IT process mapping and IT process maturity assessment guideline, as demonstrated here, can help organizations plan their IT capability more effectively.