Proceedings of the European Computing Conference

Measuring IT Governance Maturity – Evidences from using regulation framework in the Republic Croatia
MARIO SPREMIĆ, Ph.D., CGEIT, Full Professor
Faculty of Economics and Business Zagreb, University of Zagreb
Kennedy’s sq 6, 10000 Zagreb, CROATIA
e-mail: mspremic@efzg.hr

HRVOJE SPREMIĆ, M.Sc., CEO, SKT-Revizija Ltd.


10000 Zagreb, CROATIA
e-mail: hrvoje.spremic@skt-revizija.hr

Abstract: In this paper we investigated the practices by which IT can contribute to the business, as well as how to measure its maturity. The main objective of this paper is to stress the importance of evolving IT Governance activities. After analyzing IT Governance components and elements, we explained the external and especially the national IT Governance regulation framework in the Republic of Croatia and constructed the research model upon strategic IT/Business alignment issues. On a sample of selected Croatian small banks, the organizational position and the role of IT in the business were investigated, while a specific research interest was to get a clear view of the maturity level of IT usage. We hoped that such an approach could be useful when trying to answer the posed research question: can a national IT Governance regulatory framework help to start to measure IT Governance maturity, and are such initiatives helpful in aligning IT and business?

Key-Words: IT Governance, IT Maturity, IT Audit, Croatia, CobiT

1. Introduction

In the early days of implementing IT in the business, it was often seen as a technical support function and was typically managed by finance departments. When evolving from technology providers into strategic partners, IT organizations typically follow a three-stage approach: IT infrastructure management, IT service management and IT business value management (IT Governance). Although IT initiatives have become far more than a means of improving efficiency and reducing costs and increasingly act as an enabler of business innovation, IT still seems to be a less understood business resource. One reason could be that there is often no systematic way of measuring IT performance and implementing IT Governance practices. In this paper we investigated how a regulatory framework can affect the level of IT Governance performance and foster measuring IT performance by using world-wide best IT maturity models. The main objective of this paper is to stress the importance of evolving IT Governance activities.

On a sample of selected Croatian banks, and in the form of detailed in-depth interviews with responsible experts (CIOs and Board members), the IT Governance issues were discussed and the organizational position and the role of IT in the business were investigated, while a specific research interest was to get a clear view of the maturity level of IT usage. We hoped that such an approach could be useful when trying to answer the posed research question:

2. Key IT Governance concepts - literature review

A good theoretical path to IT Governance issues can be found in the IT Strategy and IT/Business Alignment literature. Venkatraman [12], for example, illustrates the changes that occur in the perceived contribution of IT by the business during the transformation from Service Provider to Strategic Partner, as presented in Table 1.

Table 1: IT as Service provider or as Strategic partner

Service provider                               Strategic partner
• IT is for efficiency                         • IT for business growth
• Budgets are driven by external benchmarks    • Budgets are driven by business strategy
• IT is separable from the business            • IT is inseparable from the business
• IT is seen as an expense to control          • IT is seen as an investment to manage
• IT managers are technical experts            • IT managers are business problem solvers

ISBN: 978-960-474-297-4 98

Van Grembergen [10], [11] stands on that point by pointing out what strategic potential IT initiatives could have if managed (or rather ‘governed’) properly. When engaging in those changes, IT becomes not only a success factor for survival and prosperity, but also an opportunity for differentiation and achieving competitive advantage. Hunton [4] stresses the control focus of IT Governance by defining it as the process for controlling an organization’s IT resources, including information and communication systems and technology. Nolan and McFarlan [7] recently stressed that ‘a lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would’. Weill and Ross [14] indicate the performance potential by reporting that companies with effective IT Governance have profits that are 20% higher than other companies pursuing similar strategies. The IT Governance Institute [5] focuses on the strategic nature of IT governance as well and defines it as the responsibility of executives and the board of directors, consisting of leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives. Van Grembergen [11] stands on that point and defines IT Governance as the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT.

IT governance relates to the IT practices of boards and senior managers. The primary focus of IT governance is on the responsibility of the board and executive management to control the formulation and implementation of IT strategy, to ensure the alignment of IT and business, to identify metrics for measuring the business value of IT and to manage IT risks in an effective way (Spremic, [8]).

3. Constructing IT Governance components

Having defined IT Governance, it is necessary to understand its most important elements. The IT Governance Institute suggests that fundamentally, IT Governance is concerned about two things [10]:
- IT should deliver value to the business and
- IT risks need to be mitigated.

This leads to the five main focus areas of IT Governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk mitigation. Two of them are drivers: strategic alignment and performance measurement. The remaining one refers to IT resource issues. While value delivery is focused on the creation of business value, risk management is focused on the preservation of business value [12].

The IT Governance Institute (ITGI) and its partner institution ISACA (Information System Audit and Control Association) stand on that point by proposing that IT Governance should consist of five different components, namely [5]:
1. Business/IT strategic alignment (IT Governance procedures should ensure linkages of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations).
2. IT value creation and delivery (ensuring that IT delivers the promised benefits against the strategy).
3. IT Risk management and/or value preservation (embedding of IT risk management responsibilities into the organisation, IT risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for IT risk).
4. Performance measurement in IT (tracks and monitors IT strategy implementation, IT project completion, resource usage, process performance and service delivery).
5. IT resource management (optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people).

As shown in Figure 1, IT Governance represents the necessary ‘connections’ between strategic visions (IT Strategy and IT/Business Alignment initiatives) and the results of their implementation, by performing periodic IT Audits with which IT performance can be measured, IT risks identified and IT controls put in place.

Figure 1: IT Governance Components [6]

4. Regulatory frameworks in IT Governance domain

IT Governance is partly driven by external regulatory demands like the Sarbanes-Oxley Act, Basel II, the European 8th Directive and MiFID. Companies operating on multinational markets have to comply with several legal regulations created by public laws on the national or international level. Examples are the Sarbanes-Oxley Act (SOX) in the USA and Basel II (the current version is “Basel III”) in Europe. The “New Capital Accord”, also known as Basel II, is a set of recommendations issued by “The Basel Committee on Banking Supervision” regulating the adequacy of banks' capital in relation to risk exposure. Basel II provisions apply to internationally active banks in G10 countries. The European Union adopted a Directive (CAD3) rendering the provisions of the Accord compulsory for all banks in EU member countries by 2007. The Accord deals with requirements for the bank's information system, as a part of the operational risk as a whole, only through IT governance principles, considering that it is not possible to set strict rules on account of rapid technological changes and differences between banks. The Committee emphasizes the importance of reliability of the information system, particularly in terms of information security and system availability. This means that the stipulations of the Accord have provided banks with great freedom in deciding on the measures for reducing the risk posed by the implementation of IT, but at the same time dictated to banks that certain IT Governance activities should be put into practice in order to be compliant.

In recent years various groups have developed world-wide known IT Governance best practices and frameworks to assist management in measuring the maturity of IT. Contemporary IT Governance frameworks are:
• CobiT (Control Objectives for Information and related Technology),
• ISO 27000 ‘family’ (ISO 27001:2005, ISO 27002:2005),
• ITIL (IT Infrastructure Library), or
• IT BSC (IT Balanced Scorecard)

4.1. CobiT

While the ISO 27000 family refers mainly to information security risk issues and surely can’t be treated as a comprehensive IT Governance ‘tool’ (rather as a leading information security norm), CobiT (Control Objectives for Information and related Technology) is the widely accepted IT governance framework organized by key IT control objectives, which are broken into detailed IT controls. The current version 4.1 of CobiT divides IT into four domains (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate), which are broken into 34 key IT processes, and then further divided into more than 300 detailed IT control objectives. ISACA and ITGI [6] define COBIT as a comprehensive set of resources that contains all the information organisations need to adopt an IT governance and control framework. COBIT provides good practices across a domain and process framework in a manageable and logical structure to help optimise IT-enabled investments and ensure IT is successful in delivering against business requirements. COBIT contributes to enterprise needs by:
• Making a measurable link between the business requirements and IT goals
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
• Providing tools for management:
  - Goals and metrics to enable IT performance to be measured.
  - Maturity models to enable process capability to be benchmarked.
  - Responsible, accountable, consulted and informed (RACI) charts to clarify roles and responsibilities.

5. National regulations on IT Governance in the Republic of Croatia

In the Republic of Croatia the regulatory framework for IS auditing was prescribed by the Croatian National Bank (CNB). The main objective of the obligatory regulations is to effectively manage the level of operational risks, namely IT associated risk in credit institutions (namely banks). The Act about credit institutions and the Decision about appropriate management of information system are the cornerstones of the IT Governance regulation, which obliged every credit institution to perform internal and especially external assessment of IT risks (IS auditing) and to prepare a report for the regulator as well as for the company’s Board. The regulation itself is concerned with a framework and scope for evaluating the maturity of IT usage. The areas of IT Governance and IS audit are based on CobiT, are in line with Basel II requirements, and include the following areas:
• Framework for IT Governance (IT Governance policy, IS strategy, IT investment plan, IT project management, organizational issues, etc.).
• Information system risk management policy (IT risk management methodology).
• Internal information system auditing.
• Information systems security (IT security policy, logical access to IS, authorisation, operating and system records, incident management).


• Information system maintenance (change management, service providers, outsourcing).
• Business continuity management (policies, disaster recovery plan, data restore and recovery).
• Information system analysis and development and possible outsourcing.
• E-banking.

According to the regulatory framework, the Board of every credit institution in Croatia is responsible for mitigating risks associated with every single area and for effectively managing the level of acceptable IT risk. Some detailed and precise regulatory responsibilities include:
• to nominate the member of the Board who is responsible for managing and controlling the information system,
• to define the information system strategy,
• to define clear and precise responsibilities for managing the information system,
• to nominate the autonomous CISO function (Chief Information Security Officer),
• to nominate the IT Steering Committee,
• to define the information system risk management methodology and processes,
• to assess information system risks and to reduce them to an acceptable level,
• to classify and protect information,
• internal audit is responsible for conducting information system audits,
• the Board is responsible for establishing the process of business continuity planning and management,
• the Board is responsible for creating the business impact analysis, accepting the business continuity plan, accepting the disaster recovery plan and testing their functionality and effectiveness,
• the Board is responsible for establishing an appropriate incident management process,
• the Board is responsible for establishing the process of data recovery which will be stored on the alternative location.

6. Research study on the IT Governance practices

Very strict and rigorous IT Governance regulations in Croatia may imply that IT Governance procedures are on a very mature level in almost all commercial banks operating in the country. In order to be able to answer the posed research questions we decided to conduct a survey followed by a series of comprehensive and in-depth interviews with the key people involved in the IT Governance processes (CIOs and CEOs).

6.1. Survey instrument

The key objective of the research has been to examine a number of issues regarding IT Governance, and therefore we built the research model around the 5 different IT Governance components described in chapter 3. The research instrument includes a series of in-depth interviews with CIOs and CEOs of selected banks, and the research model was constructed around the following IT Governance elements:
• do the analysed companies have an IS Strategy aligned with business strategy, an IT Steering Committee and an IT investment policy (Business/IT strategic alignment focus),
• % of the budget invested in IT (Business/IT strategic alignment focus),
• to whom the Chief Information Officer (CIO) reports (IT Risk Management focus),
• do the surveyed companies have an IT risk management methodology and policy (IT Risk Management focus),
• do the surveyed companies regularly perform IS audits and measure the IS maturity (Performance measurement focus),
• do the selected companies have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) (IT Risk Management focus),
• do the surveyed companies have defined metrics to control key IT processes (for example, Recovery Point Objective (RPO) and Recovery Time Objective (RTO) as key metrics for BCP initiatives) (Performance measurement focus),
• number of key applications outsourced (IT resource management focus),
• % of the IT staff employed (IT resource management focus), etc.

As all these elements interfere through the IT Governance concepts, we posed the following research questions: can a national IT Governance regulatory framework help to start to measure IT Governance maturity, and are such initiatives helpful in aligning IT and business?

To address the research’s objectives, we first drew up a survey questionnaire to be able to collect general information about IT Governance practices over the years in banks operating in the Republic of Croatia, then narrowed our focus to selected banks among them, and finally conducted a series of comprehensive and in-depth interviews with CIOs.

The questionnaire was then sent to CIOs (Chief Information Officers) of small banks operating in the Republic of Croatia. Banks were selected for a very simple reason: the IT Governance regulation described in chapter 5 is obligatory only for banks and credit institutions operating in Croatia. Small banks were selected because there was no question that large banks with large budgets would be able to meet the regulatory conditions, which is not likely for small ones. The survey was performed once a year in the period from December 2007 to September 2010 and was conducted by sending the questionnaire via e-mail. The survey resulted in important responses which give us crucial information about the growing maturity of IT Governance initiatives over the years. After sending the survey to CIOs, every year we paid a visit to 5 selected banks and spent a week or so having in-depth dedicated discussions with CIOs and other responsible employees about the IT Governance practices posed in the research model. Such activities are regular IS auditing procedures in which we were engaged.

6.2. Research Sample

Case study analysis and a series of in-depth interviews were performed on a sample of 5 small banks in Croatia during the period 2008-2010. The purpose of the research was to show how the regulatory body (Croatian National Bank - CNB) and its regulatory guidelines helped small banks to improve IT Governance practices. All selected banks have from 115 to 150 employees and an adequate organizational structure according to their size, with the IT department as a strategic business function directly responsible to the CEO and/or the Board member responsible for IT. IT departments in all banks typically have three sub-units: application support, system support, business support. Specific functions such as CISO (chief information security manager), internal IS auditor and business continuity manager are extracted from the IT department and represent autonomous organizational units.

In bank 1 and bank 3 the CEO is the member of the Board responsible for IT, while in the other banks this function is controlled by another nominated Board member. All banks have various committees which help the CIO and the IT department in IT governance procedures, such as the IT Steering Committee (all 5 banks), IT Project Management Committee (bank 3 solely), Business Continuity Board (bank 2 and bank 4) and IT Change Management Committee (bank 2 and bank 5).

6.3. Analyses of research results and the discussion

The analysis of the comprehensive in-depth interviews conducted over the 3 years reflects that all the banks in the sample have implemented an IS strategic plan as a part of the overall strategic plan, strengthened the position of the CIO as executive manager and nominated the Board member who is responsible for IT. Such results can be explained as a direct effect of the regulatory implications, because the results of some comprehensive research imply that only a modest number of large Croatian companies, around 46%, have a proper IS strategy (the research was conducted on a sample of the 100 largest Croatian companies) (Spremic, [8]).

Table 2: Selected research results on some IT Governance issues

Bank    Year  CIO responsible to  CISO responsible to  IS internal audit dept.
Bank 1  2008  Board               CIO                  No
Bank 1  2009  Board               Board                Yes
Bank 1  2010  Board               Board                Yes
Bank 2  2008  Board               No CISO              No
Bank 2  2009  Board               No CISO              No
Bank 2  2010  Board               Board                Yes
Bank 3  2008  CFO                 No CISO              No
Bank 3  2009  Board               Board                No
Bank 3  2010  Board               Board                Yes
Bank 4  2008  Board               Board                No
Bank 4  2009  Board               Board                Yes
Bank 4  2010  Board               Board                Yes
Bank 5  2008  Board               Board                No
Bank 5  2009  Board               Board                Yes
Bank 5  2010  Board               Board                Yes

Table 2 indicates the growing IT Governance maturity on the selected set of research criteria. But the IT Governance issues evolve through the years as the banks’ Boards realize that they have to improve the current practices to be (stay) competitive as well as to be compliant with regulatory issues. For example, the IT Governance regulation on internal audit was due on 01.01.2009 and stated that internal audit departments are responsible for conducting information system audits (the same due date applied to nominating the CISO as an autonomous function outside the IT department).

Also, in the first year of the case study performed (2008), none of the banks had a help desk to support IT incidents, and problems were handled in an informal way with no documented procedures. Rigorous regulations prescribed by CNB resulted in formalizing many procedures and practices (identifying roles and responsibilities within processes, authorizations, logon procedures, outsourcing issues, necessity for archiving system and operating logs, business continuity issues, data recovery procedures, etc.).

Furthermore, the majority of the sample banks have approximately 10-14 IT employees (7% to 10% of all bank employees). A discrepancy is noted in one bank (bank 5), which has 19 IT employees (around 15% of all bank employees) because it does not use IT outsourcing services in developing and maintaining applications for core business processes (it has internal development).

In the first year (2008) of the CNB guidelines and regulation in obligatory usage, inadequate practice was noted in one out of five banks (bank 3), where the CIO was responsible to the Chief Finance Officer (CFO), and in three out of five banks (bank 1, 2 and 3), where the CISO was responsible to the CIO or there was no CISO at all. Also, in the first year of the research conducted (2008), none of the sampled banks had an internal IS audit department or competent employees to perform an IS audit. Internal IS audit was performed on the procedural level with no clear methodology and with much help from the IT department employees, which called its results and independence into question. The prescribed regulations raised Boards’ awareness of the significance of IS internal audit, which in the following year(s) resulted in formally appointing a qualified IS internal auditor and defining a methodology and framework that helps to start performing internal IS audit. The various IT Governance efforts are very important, especially bearing in mind that small and medium-sized banks, compared to large ones, commonly have no huge budget for IT investments. Analyzing the sample banks' common practices, the following trends in IT investments were noted:
• The IT investment budget was increased each year and accounts for approximately 8 to 12% of the total bank budget (or up to 30% of the investment budget), which surely helps align IT with the business.
• As CNB regulations were due, more investment in IT is needed, especially in the business continuity and disaster recovery process.
• IT investments cover all functional areas of IS in banks. Throughout the years there has been a constant increase in the number of IT employees in the sampled banks, and IT investments rose from 15% to up to 30% of the investment budget. At the same time the IT outsourcing budget in all banks (heavily) decreased over the years, which reflects the fact that in the long term the Board and CIOs would like to manage IT by themselves, using in-sourcing strategies.

Table 3. IT policies, procedures and metrics

Bank    Year  IT strategy  IT risk policy  BCP and DRP  RPO and RTO  Application outsourcing
Bank 1  2008  Yes          No              No           No           Yes
Bank 1  2009  Yes          Yes             No           No           Yes
Bank 1  2010  Yes          Yes             Yes          Yes          No
Bank 2  2008  Yes          No              No           No           Yes
Bank 2  2009  Yes          No              Yes          No           Yes
Bank 2  2010  Yes          Yes             Yes          Yes          Yes
Bank 3  2008  No           No              No           No           Yes
Bank 3  2009  Yes          No              No           No           Yes
Bank 3  2010  Yes          Yes             Yes          No           Yes
Bank 4  2008  No           No              No           No           Yes
Bank 4  2009  Yes          Yes             No           No           Yes
Bank 4  2010  Yes          Yes             Yes          Yes          Yes
Bank 5  2008  No           No              No           No           Yes
Bank 5  2009  Yes          Yes             Yes          Yes          No
Bank 5  2010  Yes          Yes             Yes          Yes          No

Research results depicted in Table 3 indicate that banks didn’t prescribe some IT Governance procedures prior to the mandated regulations. In a series of in-depth interviews performed from 2008 to 2010 in the selected banks we confirmed that, when approved, these internal acts were successfully implemented.

Business continuity plan (BCP) and disaster recovery plan (DRP) were the IT Governance areas that were prescribed and implemented in practice last. The reason for that may be found in the fact that BCP and DRP are very expensive to implement, especially for small banks. Accordingly, all banks have performed a business impact analysis (BIA), which showed that the regulation is not suitable for small banks but for large ones with higher IT budgets, resources and expertise.

In the majority of cases the implementation of the procedures and internal acts was not satisfactory in the first (2008) and even in the second year (2009) of the research, due to the fact that banks prescribed them just to formally fulfil a legal obligation. Regular external IS audits, therefore, were the key research instrument to investigate the practice of IT Governance procedures in the first two years of the research, with many suggestions for improvements. During the last year of the research (2010) all banks significantly improved the operative effectiveness of the internal acts and procedures in place.


7. Conclusion

After explaining the IT Governance concept and external and national regulation, in this paper we investigate whether the prescribed regulatory requirements and regular IS audits affect the IT Governance initiatives and foster strategic business/IT alignment practices and IT risk management procedures. We constructed the research model around IT Governance components and conducted the research through a series of long-lasting comprehensive in-depth interviews with responsible employees (CIOs) in selected small banks in Croatia. These activities were a regular part of external IS auditing conducted from 2008 to 2010 with the final objective of assessing the level of IT maturity. By CNB regulations, external IS auditors have to evaluate the maturity of IT Governance practices with qualitative marks (completely unsatisfactory, partially unsatisfactory, partially satisfactory, satisfactory and completely satisfactory) and present their comprehensive report to the bank’s Board and CNB authorities. CNB performs quality assurance on these reports and may refuse them and penalize the authors, while the bank’s Board has to make a formal response to the IS auditors' findings. CNB monitors the IS audits and encourages credit institutions to implement the IS auditors' recommendations. The main objective of such strong regulation is to strengthen the maturity of IT Governance processes in credit institutions. Some results of such an approach may be the fact that all credit institutions in Croatia have a CISO (Chief Information Security Officer) as an autonomous person nominated for managing IS security. All of them are conducting IS auditing procedures, and every single commercial bank operating in Croatia has to have BCP and DRP integrated into the risk management process and IT Governance policies.

In the first year of the research (2008) IT Governance maturity was evaluated as unsatisfactory (bank 1, bank 2, bank 4) and partly satisfactory (bank 3, bank 5). However, despite the fact that CNB regulations are equal for small and for large banks (but small banks eventually do not have enough funds to be in full compliance with all CNB guidelines), IT Governance maturity in 2010 is partly satisfactory in 4 banks and satisfactory in one bank (bank 5).
CobiT maturity marks (scale from 0 to 5) were as follows:
• In 2008: from 2.1 to 2.4;
• In 2009: from 1.9 to 2.9;
• In 2010: from 2.4 to 3.0.

By constructing the research instrument around IT Governance components, by conducting long-lasting (3 year) dedicated in-depth interviews, and by implementing IT Governance best practices (CobiT) and national regulation on a sample of small banks (which find them harder to implement than larger ones), we come to the conclusion that a national IT Governance regulatory framework can help in improving IT Governance maturity and in strategically aligning IT and business, which confirms our research question. Research results reveal that when IT and Business are strategically aligned, mainly through IT Governance initiatives, IT investments are high, IT maturity rises and the IT department is seen as a strategic partner to the organization. The research might be useful because similar efforts are very rare (if there are any of them) and there is modest evidence of how industry best practices and national regulations are used in the real business environment.

References:

[1] Champlain, J.J. (2003): Auditing Information Systems, 2nd ed., John Wiley & Sons, USA.
[2] Guldentops, E. (2004): The IT Dimension of Basel II, Information System Control Journal, Volume 6.
[3] Epstein, M.J., Roy, M.J. (2004): “How Does Your Board Rate?”, Strategic Finance, February 2004, pp. 25-31.
[4] Hunton, J.E., Bryant, S.M., Bagranoff, N.A. (2004): Core Concepts of Information Technology Auditing, John Wiley & Sons Inc., USA.
[5] ITGI (2003): Board Briefing on IT Governance, 2nd ed., IT Governance Institute, Rolling Meadows, Illinois, USA.
[6] ITGI (2007): CobiT 4.1. Framework, Control Objectives and Maturity Models, IT Governance Institute, Rolling Meadows, Illinois, USA.
[7] Nolan, R., McFarlan, F.W. (2005): Information Technology and Board of Directors, Harvard Business Review, October 2005.
[8] Spremić, M. (2009): IT Governance Mechanisms in Managing IT Business Value, WSEAS Transactions on Information Science and Applications, Issue 6, Volume 6, June 2009, pp. 906-915.
[9] Symons, C. (2005): IT Governance Framework: Structures, Processes and Framework, Forrester Research, Inc.
[10] Van Grembergen, W. (2004): Strategies for Information Technology Governance, Idea Group.
[11] Van Grembergen, Guldentops, E. (2004): Structures, Processes and Relational Mechanisms for IT Governance, Idea Group.
[12] Venkatraman, N. (1999): Valuing the IS Contribution to the Business, Computer Sciences Corporation.
[13] Weill, P., Ross, J.W. (2004): IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, 2004.
