IT GOVERNANCE IN DIGITAL TRANSFORMATIONA COBIT 5 overview according IDC MaturityscapeAna Catarina Saldanha JerónimoDissertation as requirement for obtaining the Master’sdegree in Information Managementi


NOVA Information Management SchoolInstituto Superior de Estatística e Gestão de InformaçãoUniversidade Nova de LisboaIT GOVERNANCE IN DIGITAL TRANSFORMATIONA COBIT 5 overview according IDC MaturityscapebyAna Catarina Saldanha JerónimoDissertation as a requirement for obtaining the Master’s degree in InformationManagement, with specialization in Information Systems and Technologies Management.Advisor: Professor Vitor Duarte dos SantosNovember 2018iii

ACKNOWLEDGEMENTSI would like to thank to my thesis advisor Professor Vitor Duarte dos Santos of the NovaInformation Management School at Universidade Nova de Lisboa, for the continuousorientation and the construction criticism that allowed the study evolution.I would also like to thank to Bruno Horta Soares of IDC for the advices and comments givento this study, which were really important to improve the work and understand the vision ofsomeone expert in those frameworks.A special thanks to my family for all the support that was needed thru all this process.iv

ABSTRACTWe live in an era where digital transformation is highly increasing, gaining a new importanceto the company’s business. This digital transformation introduces an all new paradigm wherecompanies have to adapt to be more competitive, more costumer related, allowing them topresent new solutions and new business models.When implementing this kind of changes, companies must pay attention to the ITGovernance to help them align the IT strategy with the company and the stakeholder’sstrategy and goals.The motivation and objective of this thesis is to understand how COBIT5 can help to achievea higher digital transformation maturity .This study presents a matrix of the different dimensions of the IDC digital transformationmaturity matrix and relate them with the COBIT5 procedures, helping the organizationsachieve a better maturity in a certain dimension.This matrix can be used as a guide for organizations dealing with digital transformation, thatafter understanding their maturity level on a specific dimension, search assistance tounderstand what changes to implement to achieve a higher maturity level.KEYWORDSCompany strategy, New IT, Governance frameworks, best practices, maturity matix,procedures.v

Index1.1. Background . 11.2. Motivation, objectives and study relevance . 22. Literature Review . 42.1. IT Governance. 42.1.1. Concepts . 42.1.2. Benefits . 42.1.3. Frameworks . 52.1.4. COBIT 5 . 62.2. Digital Transformation. 222.2.1. Concepts . 222.2.2. Main Areas. 232.2.3. IT Governance in Digital transformation . 242.3. IDC Maturity Matrix . 252.3.1. Concept. 252.3.2. Maturity Scape Stages . 262.3.3. Maturity Scape dimensions . 263. Methodology . 303.1. Design Science Research . 303.2. Investigation Strategy . 314. Building a Framework . 324.1. Assumptions . 324.2. Framework. 334.3. Discussion and analysis . 465. ConcLusion. 505.1. Summary of the developed work . 505.2. Limitations . 505.3. Future Work. 51References . 52vi

LIST OF ABBREVIATIONS AND ACRONYMSDSRDesign Science ResearchIDCInternational Data CorporationISInformation SystemsITInformation technologyITDGIT demand governanceITGIT GovernanceITRGIT-Related GoalsROIReturn on investmentvii

FIGURESFigure 1 - IT Governance Frameworks (Larsen & Andersen, 2006) . 5Figure 2 - COBIT 5 - Priciples (ISACA, 2012b) . 6Figure 3 - COBIT 5 - Circle of life of the implementation (ISACA, 2012b) . 8Figure 4 - COBIT 5 - Processes of Governance of Enterprise IT (ISACA, 2012b). 9Figure 5 - COBIT 5 - IT Processes objectives (ISACA, 2012a) . 12Figure 6 - Evolution of digital transformation (Tannou & Westerman, 2017) . 22Figure 7 - 3rd Platform of Digital Transformation (Magee, 2016) . 23Figure 8 - IDC MaturityScape stages (Holly Muscolino, 2017) . 26viii

TABLESTable 1 - IT Related Goal and Metrics provided by COBIT5 (ISACA, 2012a) . 11Table 2 - COBIT 5 ITRG relation to the IDC matrix dimensions . 33Table 3 - COBIT 5 governance practices to suport the digital transformation - Leadership . 35Table 4 - COBIT 5 governance practices to suport the digital transformation – Omniexperience . 38Table 5 - COBIT 5 governance practices to suport the digital transformation – Talent Hiring. 40Table 6 - COBIT 5 governance practices to suport the digital transformation – OperationalModel . 42Table 7 - COBIT 5 governance practices to suport the digital transformation – Information 45ix

INTRODUCTION1.1. BACKGROUNDIn the last few years there was a great change in the Information Systems. With the quick evolutionof the new technologies it is imperative that organizations adapt in order to be competitive. Subjectslike cloud, mobility, artificial intelligence come directly in to our lives. With the unlimited access tothe internet and, as a result the access to an enormous amount of information, clients gain a newfreedom and knowledge that was not possible before, this makes them the most exigent clients tillnow (Vey, n.d.). They also have access to new ways of making business (consumer to consumer) andhave access to all the organization offers anytime anywhere.Those changes in society forces the organizations to stay competitive by adapting to the newtechnologies, not just using them as a performance improvement, but also using them as keys tobusiness, resolving problems, creating value and act like innovation tools, disrupting the system,(Westerman, Calméjane, Bonnet, Ferraris, & McAfee, 2011) which lead to the 4th industrialrevolution (Vey, n.d.).This transformation that is happening is called the digital transformation, where companies usetechnology as leverage to create value and as a disrupt agent for business.But to grow in terms of digital transformation it is not just to implement concepts like cloud, internetof things or artificial intelligence, it is not technology for technology, but technology as a part of thecompany strategy oriented to the business (Hess, Benlian, Matt, & Wiesböck, 2016).In addition to these trends there are others uprising so IT governance must quickly adapt to all ofthose changes.Although it’s very important that organizations enter in this digital transformation, for reasons likecosts, time and lack of knowledge this change is not universal.Each company has its own level of digital transformation and this level can be analysed using amaturity level matrix.There is a great quantity of matrixes to evaluate a company level (for example CCMI, SPICE, etc)(Proença & Borbinha, 2016) but most of them are process oriented.Nevertheless, there are new concepts of matrixes that are digital transformation oriented like ICDmaturity escape.1

According to ICD (Magee, 2016), this matrix evaluates the organizations from a vast number ofquestions answered according to the actual performance of the company in terms of digitaltransformation framing the company in one of the 5 matrix levels: AD HOD – Digital resister,Opportunistic – Digital Explorer, Repeatable – Digital Player, Managed – Digital transformer andOptimized – Digital disruptor.To align this implementation with the company strategy it is vital to use Information Technologygovernance. Although IT governance has its own characteristics it has to be applied as part of thecorporate governance since the final objective is always the company (Zhu & Li, 2014).According to National Computing Centre, the IT governance has to guarantee: strategic alignmentwith the company, value delivery, risk management, resource management, performancemeasurement, return on investment, opportunities and partnership, performance improvement andexternal compliance, so it is important that organizations have to know how they can improve thoseaspects (National Computing Centre, 2005).Back in the days, organizations tend to standardize and homogenise the IT in order to reducecomplexity, reduce risks and reduce costs, but today with the current disruption of the business andIT, it is impossible to continue in the same path. Those new trends impact on how governance has tobe managed, resulting in new frameworks , standards, processes and strategic planning (Smith,2013).1.2. MOTIVATION, OBJECTIVES AND STUDY RELEVANCEThe digital transformation requires a set of great changes to implement in a company, so it isnecessary to understand how to implement it as an asset to the company strategy.It can be taken as an example a context were data analysis, now days, is one of the most importantassets. Companies do not just use data for a specific information, but as a way to find patterns thatcan be used to generate new business models, based on the client’s preferences. This new way ofthinking require that governance have new preoccupations that weren’t needed before (Hess,Benlian, Matt, & Wiesböck, 2016).The aim of this study is to understand the main concerns to have in mind when implementinggovernance in a digital transformation and how they are treated by frameworks like COBIT5.2

The main question to answer is “What are the key dimensions to follow when implementinggovernance in digital transformation, according to IDC maturityscape, and how are they are managedby COBIT5” which will lead to the main objective of creating a comparison matrix between those twoframeworks, that can be used as a support guide for companies to have in mind what processes ofCOBIT5 can help when achieving a higher level of digital transformation maturity.This object will be constructed based on the following sub-objectives that respond to specificquestions:How to implement IT governance? Comprehend the concept of governance applied to IT and how itis implemented.What are the most important dimensions to follow according to the maturity scape? Understandhow the matrix is organized and what are the dimensions to follow to achieve the maximum level ofthe matrix.Is COBIT5 prepared for the digital transformation according to the maturityscape? Understand theprinciples of COBIT5 and if they are aligned with the new changes.What dimensions do the frameworks follow when dealing with digital transformation? How COBIT5anticipate the needs and what do they suggest when dealing with digital transformation.Organizations can use this matrix after analysing the maturity level in digital transformation,searching for the best practices that can leverage the company to grow in terms of maturity.3

2. LITERATURE REVIEW2.1. IT GOVERNANCE2.1.1. ConceptsAccording to Gartner “IT governance (ITG) is defined as the processes that ensure the effective andefficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG—what IT should work on) is the process by which organizations ensure the effective evaluation,selection, prioritization, and funding of competing IT investments” (Gartner, 2017).The IT Governance main areas are (National Computing Centre, 2005): Alignment between IT andBusiness, IT value delivery, Risk Management, Resource Management.Governance is extremely important to organizations because: sometimes it is verified a general lackof responsibility and clarity of responsibilities within the projects; there are some majorcommunication failures between clients and suppliers; there are a lot of gaps between what theclients require and the IT can deliver; organizations don’t have the perception of what value IT canbring; it is necessary to measure the risks of IT implementations; IT is very complex and it is alwayschanging so it is needed a better management and control (National Computing Centre, 2005). Toprevent all of those points IT Governance provides a framework that offers a path to follow.2.1.2. BenefitsGovernance brings many benefits to the organizations when well implemented, providing a greatertransparency and accountability for costs, processes and decision making, guaranteeing a Return onInvestment (ROI) and value for the Stakeholders (understanding the best practices to apply ITaccording the strategy and objectives of the company allowing the stakeholders to understand therisks and returns that IT can bring), creating new opportunities and partnership (enabling contactsbetween companies improving the response to market challenges), creating external compliance likeintegrating laws, regulations and requisites , Providing a better performance by using the IT not justas a support mas as additional value, leading to better practices and avoiding unnecessary costs(National Computing Centre, 2005).4

2.1.3. FrameworksTo help the Governance implementation, there are a set of tools that are available as starting pointsfor it governance model development.As it can be seen from the following table there are a lot of frameworks that can be used bycompanies in order to achieve the best practices in Governance(Larsen & Andersen, 2006).ITIL provides a comprehensive, consistent volume of best practices drawn from the collectiveInformationTechnologyInfrastructure Libraryexperience of thousands of IT practitioners around the world. ITIL focuses on critical businessprocesses and disciplines needed for delivering high-quality services. Out of the ITIL framework, theBritish Standard BS15000 has emerged. BS15000 is the world’s first standard for managing IT services.ITILAll activity is classified under two broad umbrellas, i.e. Service Management and Service Delivery. Thisapproach defines IT quality as the level of alignment between IT services and actual business needs.As a result, organizations can mature their best practices without regard to specific technologies.Has been developed as a generally applicable and accepted standard for good Information TechnologyControl Objectives forInformation andRelated Technology(IT) security and control practices (Lainhart 2000). The tools include:(1) Performance Measurement elements, i.e. outcome measures and performance drivers for all ITprocesses;COBIT(2) A list of Critical Success Factors (CSF) that provides succinct, non-technical best practices for eachIT process;(3) Maturity Models to assist in benchmarking and decision-making for capability improvements.A collection of best practice guidance for managing application development and maintenance. It isthe public domain standard for application management, separate from the IT Infrastructure LibraryApplication ServicesLibraryASL(ITIL), but linked to it in terms of adherence to standards for managing processes and providing acoherent, rigorous, public domain set of guidance.ASL is a part of the ITService Management (ITSM) Library. ASL recognises three types of control, i.e.functional application and technical control. Where Information Technology Infrastructure Library(ITIL) is a generally accepted standard for organizing technicalmanagement, the Application Services Library (ASL) offers a framework for the organization ofapplication managementA methodology used to develop and refine an organization’s software development process. Themodel describes a five-level evolutionary path of increasingly organized and systematically moreThe CapabilityMaturity ModelCMMImature processes. CMM was developed and is promoted by the Software Engineering Institute (SEI),a research and development center sponsored by the U.S. Department of Defense (DoD). The CMMsuggests 5 Maturity Levels of Software Processes, i.e. the initial, repeatable, defined, managed andoptimizing level.CMM is through the years developed further integrating the different activities, i.e. CMM Integration(CMMI). Whereas CMM is based on the classical waterfall model, CMMI is addressingiterative development and is being more result oriented.Provides the techniques and tools to improve theSix StandardDeviationsSix sigmacapability and reduce the defects in any process. The Six Sigma methodology improves any existingbusiness process by constantly reviewing and retuning the process. To achieve this, Six Sigma uses amethodology known as DMAIC (Define opportunities, Measure performance, Analyze opportunity,Improve performance, Control performance). Customer requirements, design quality, metrics andmeasures, employee involvement and continuous improvement are main elements of Six SigmaProcess Improvement. Figure 1 - IT Governance Frameworks (Larsen & Andersen, 2006)5

Each framework provides a guide to follow with the best practices that an organization can follow toimplement, manage and monitor IT governance, providing guidelines and measures to effectivelyutilize IT resources and processes within an organization (Business, On, & Change, 2005).Most of the frameworks are complementary with strengths in different areas but all of them arebased on: the organization Structure, the decision process and communication (Business et al.,2005).2.1.4. COBIT 5The business orientation of COBIT consists of linking business goals to IT goals, providing metrics andmaturity models to measure their achievement, and identifying the associated responsibilities ofbusiness and IT process owners (ISACA, 2012b).Information is fundamental for all the organizations, and technology have an important part in thecompany’s business. To use technology as a value to the company it is important improve andmaintain high quality information to support business decisions, use IT effectively to achieve businessgoals, use technology to promote operational excellence, ensure IT risk is managed effectively,ensure organizations realize the value of their investments in IT, achieve compliance with laws,regulations and contractual agreements (ISACA, 2012b).In order to achieve those values, COBIT 5 is based on five principles:Figure 2 - COBIT 5 - Priciples (ISACA, 2012b)6

The first principle, Meeting the stakeholders needs it is focused on bring value to all theorganization’s parts, balancing the benefits with risks and resources. These parts have differentinterests, and priorities, so it is necessary to achieve a middle term to achieve the corporationobjectives, the IT objectives and the people objectives (ISACA, 2012b).The second principle, Covering the enterprise end-to-end means that COBIT 5 tries to integrate the ITgovernance in the corporation governance and tries to cover all functions and processes and all thepeople intern and externs that are important for the organization. To achieve this principle, it isnecessary to have in mind the governance enablers (resources, models, principles, processes andpractices) the governance scope, the roles, the activities and relationships to comprehend theorganization as a single organism (ISACA, 2012b).The third principle, applying a single integrated framework, intend to use COBIT 5 as a unique modelof governance and management instead of using different frameworks for different topics. It createsa standard language not technical that can be applied easily by its own or easily integrated with otherframeworks (ISACA, 2012b).The fourth principle, enabling a Holistic approach, divide the organization in seven enablers withdifferent objectives connected between them. Those enablers are: principles, politics and models;processes; organizational structures; culture, etic and behaviours; information; services,infrastructures and applications, people, skills and competences (ISACA, 2012b).The fifth principle, separating Governance from management, require a separation between thegovernance and management activities because they attend to different purposes. Nevertheless, it isimportant that those areas keep interacting (ISACA, 2012b).To implement the COBIT 5 model it was created a life cycle that should be followed to achieve thechanges through their complexity in a more structured way (ISACA, 2012b).This model is structured in three main components programme management, change enablement,and continual improvement life cycle that are incorporated in seven different phases (ISACA, 2012b).It starts with the recognition and acceptance of the need of an implementation, it identifies theactual weaknesses and creates a desire of change, then it passes by the scope definition, for a targetdefinition making and exhaustive analyses to identify possible flaws and possible solutions givingpriorities, then it is the phase of planning practical solutions assuring that the benefits can beidentified and measured. On the fifth phase it is time to implement, measure and monitor thechanges, so that in the next phase it is possible to understand if the benefits were achieved. On the7

last phase the success of the implementation it is analysed, and new requisites are identifying for aneed of continual improvement (ISACA, 2012b).Figure 3 - COBIT 5 - Circle of life of the implementation (ISACA, 2012b)The process focus of COBIT 5 is illustrated by a process model that subdivides IT into four domains:Align, Plan and Organize, Build, Acquire and Implement, Deliver Service and Support, MonitorEvaluate an Assess (ISACA, 2012b).For those domains, the COBIT5 has built and reference model that define and describe a list ofprocesses of governance and management usually related to the IT activities (ISACA, 2012b).8

Figure 4 - COBIT 5 - Processes of Governance of Enterprise IT (ISACA, 2012b)To implement this framework in the first place it is necessary to understand the organization context,the etic, the culture, laws and regulations, missions, vision and values, politics and practices, businessplan and strategic intentions, operational model, maturity levels, management style, risk capacity,resources and industry practices. Each one of these components will influence on what models andbest practices should be used (ISACA, 2012b).For this particular study these processes will be evaluated to understand if they are engaged inaccomplish the maturityscape objectives.COBIT 5 have an IT-Related Goal (ITRG) approach where it tries to identify the most importantobjectives to accomplish in order to achieve the enterprise objectives (ISACA, 2012b).The ITRG are seventeen goals divided in four categories: Financial, Customer, Internal and Learningand Growth. To accomplish the goals there are several metrics to be achieved as it is described in thefollowing table (ISACA, 2012a).9

CategoryIT related Goal1. Stakeholder value ofbusiness investmentsMetric Percent of investments where value delivered meets stakeholder expectations Percent of products and services where expected benefits are realised Percent of investments where claimed benefits are met or exceeded Percent of products and services that meet or exceed targets in revenuesand/or market share2. Portfolio ofcompetitiveproducts and services Ratio of products and services per life cycle phase Percent of products and services that meet or exceed customer satisfactiontargets Percent of products and services that provide competitive advantage Percent of critical business objectives and services covered by risk assessment3. Managed businessrisk(safeguarding of assets) Ratio of significant incidents that were not identified in risk assessments incidents Frequency of update of risk profileFinancial Cost of regulatory non-compliance, including settlements and fines4. Compliance withexternallaws and regulations Number of regulatory non-compliance issues causing public comment ornegative publicity Number of regulatory non-compliance issues relating to contractual agreementswithbusiness partners Percent of investment business cases with clearly defined and approvedexpected costsand benefits5. Financialtransparency Percent of products and services with defined and approved operational costsand expected benefits Satisfaction survey of key stakeholders regarding the transparency,understanding and accuracy ofenterprise financial information Percent of service cost that can be allocated to users Number of customer service disruptions due to IT service-related incidents(reliability)6. Customer-orientedservice culture Percent of business stakeholders satisfied that customer service delivery meetsagreed-on levels Number of customer complaints Trend of customer satisfaction survey results Number of customer service interruptions causing significant incidentsCostumer7. Business servicecontinuity andavailability Business cost of incidents Number of business processing hours lost due to unplanned serviceinterruptions Percent of complaints as a function of committed service availability targets8. Agile responses to achanging businessenvironment Level of board satisfaction with enterprise responsiveness to new requirements Number of critical products and services supported by up-to-date businessprocesses Average time to turn strategic enterprise objectives into an agreed-on and10

approved initiative Degree of board and executive management satisfaction with decision making9. Information-basedstrategic decisionmaking Number of incidents caused by incorrect business decisions based on inaccurateinformation Time to provide supporting information to enable effective business decisions Frequency of service delivery cost optimisation assessments10. Optimisation ofservicedelivery costs11. Optimisation ofbusinessprocess functionality Trend of cost assessment vs. service level results Satisfaction levels of board and executive management with service deliverycosts Frequency of business process capability maturity assessments Trend of assessment results Satisfaction levels of board and executives with business process capabilities Frequency of business process cost optimisation assessments12. Optimisation ofbusinessprocess costsInternal Trend of cost assessment vs. service level results Satisfaction levels of board and executive management with businessprocessing costs Number of programmes on time and within budget13. Managed businesschange programmes Percent of stakeholders satisfied with programme delivery Level of awareness of business change induced by IT-enabled business initiatives14. Operational andstaffproductivity Number of programmes/projects on time and within budget15. Compliance withinternalpolicies Number of incidents related to non-compliance to policy Cost and staffing levels compared to benchmarks Percent of stakeholders who understand policies Percent of policies supported by effective standards and working practices Level of stakeholder satisfaction with staff expertise and skills16. Skilled andmotivatedpeople Percent of staff

Table 2 - COBIT 5 ITRG relation to the IDC matrix dimensions . 33 Table 3 - COBIT 5 governance practices to suport the digital transformation - Leadership . 35 Table 4 - COBIT 5 governan