Measuring IT Governance Maturity - Evidences From Using Regulation Framework in The Republic Croatia
Abstract: In this paper we investigate the practices by which IT can contribute to the business, as well as how to measure their maturity. The main objective of this paper is to stress the importance of evolving IT Governance activities. After analyzing IT Governance components and elements, we explain the external and, in particular, the national IT Governance regulation framework in the Republic of Croatia, and construct the research model upon the strategic IT/Business alignment issues. On a sample of selected Croatian small banks, the organizational position and the role of IT in the business were investigated, while the specific research interest was to get a clear view of the maturity level of IT usage. We hoped that such an approach could be useful when trying to answer the posed research question: can a national IT Governance regulatory framework help to start measuring IT Governance maturity, and are such initiatives helpful in aligning IT and business?
ISBN: 978-960-474-297-4 98
Proceedings of the European Computing Conference
Van Grembergen [10], [11] stands on that point by pointing out what strategic potential IT initiatives could have if managed (or rather 'governed') properly. When engaging in those changes, IT becomes not only a success factor for survival and prosperity, but also an opportunity for differentiation and for achieving competitive advantage. Hunton [4] stresses the control focus of IT Governance by defining it as the process for controlling an organization's IT resources, including information and communication systems and technology. Nolan and McFarlan [7] recently stressed that 'a lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would'. Weill and Ross [14] indicate the performance potential by reporting that companies with effective IT Governance have profits that are 20% higher than those of other companies pursuing similar strategies. The IT Governance Institute [5] focused on the strategic nature of IT governance as well and defines it as the responsibility of executives and the board of directors, consisting of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives. Van Grembergen [11] stands on that point and defined IT Governance as the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT.

IT governance relates to the IT practices of boards and senior managers. The primary focus of IT governance is on the responsibility of the board and executive management to control the formulation and implementation of IT strategy, to ensure the alignment of IT and business, to identify metrics for measuring the business value of IT and to manage IT risks in an effective way (Spremic, [8]).

3. Constructing IT Governance components

Having defined IT Governance, it is necessary to understand its most important elements. The IT Governance Institute suggests that, fundamentally, IT Governance is concerned about two things [10]:
- IT should deliver value to the business and
- IT risks need to be mitigated.

This leads to the five main focus areas of IT Governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk mitigation. Two of them are drivers: strategic alignment and performance measurement. The remaining one refers to IT resource issues. While value delivery is focused on the creation of business value, risk management is focused on the preservation of business value [12]. The IT Governance Institute (ITGI) and their partner institution ISACA (Information System Audit and Control Association) stand on that point by proposing that IT Governance should consist of five different components, namely [5]:
1. Business/IT strategic alignment (IT Governance procedures should ensure linkages of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations).
2. IT value creation and delivery (ensuring that IT delivers the promised benefits against the strategy).
3. IT risk management and/or value preservation (embedding of IT risk management responsibilities into the organisation, IT risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for IT risk).
4. Performance measurement in IT (tracks and monitors IT strategy implementation, IT project completion, resource usage, process performance and service delivery).
5. IT resource management (optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people).

As shown in Figure 1, IT Governance represents the necessary 'connections' between strategic visions (IT Strategy and IT/Business Alignment initiatives) and the results of their implementation, by performing periodic IT Audits with which IT performance can be measured, IT risks identified and IT controls put in place.

Figure 1: IT Governance Components [6]

4. Regulatory frameworks in IT Governance domain

IT Governance is partly driven by external regulatory demands like the Sarbanes-Oxley Act, Basel II, the European 8th Directive and MiFID. Companies operating on multinational markets have to comply with several legal regulations created by public laws on
national or international level. For instance, the Sarbanes-Oxley Act (SOX) in the USA and Basel II (the current version is "Basel III") in Europe. The "New Capital Accord", also known as Basel II, is a set of recommendations issued by "The Basel Committee on Banking Supervision" regulating the adequacy of banks' capital in relation to risk exposure. Basel II provisions apply to internationally active banks in G10 countries. The European Union adopted a Directive (CAD3) rendering the provisions of the Accord compulsory for all banks in EU member countries by 2007. The Accord deals with requirements for the bank's information system as a part of operational risk as a whole only through IT governance principles, considering that it is not possible to set strict rules on account of rapid technological changes and differences between banks. The Committee emphasizes the importance of the reliability of the information system, particularly in terms of information security and system availability. This means that the stipulations of the Accord have provided banks with great freedom in deciding on the measures for reducing the risk posed by the implementation of IT, but at the same time dictated to banks that certain IT Governance activities should be put in practice in order to be compliant.

In recent years various groups have developed world-wide known IT Governance best practices and frameworks to assist management in measuring the maturity of IT. Contemporary IT Governance frameworks are:
• CobiT (Control Objectives for Information and related Technology),
• ISO 27000 'family' (ISO 27001:2005, ISO 27002:2005),
• ITIL (IT Infrastructure Library), or
• IT BSC (IT Balanced Scorecard)

4.1. Cobit

While the ISO 27000 family refers mainly to information security risk issues and surely can't be treated as a comprehensive IT Governance 'tool' (rather as a leading information security norm), CobiT (Control Objectives for Information and related Technology) is the widely accepted IT governance framework organized by key IT control objectives, which are broken into detailed IT controls. The current version 4.1 of CobiT divides IT into four domains (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate), which are broken into 34 key IT processes, and then further divided into more than 300 detailed IT control objectives. ISACA and ITGI [6] define COBIT as a comprehensive set of resources that contains all the information organisations need to adopt an IT governance and control framework. COBIT provides good practices across a domain and process framework in a manageable and logical structure to help optimise IT-enabled investments and ensure IT is successful in delivering against business requirements. COBIT contributes to enterprise needs by:
• Making a measurable link between the business requirements and IT goals
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
• Providing tools for management:
  - Goals and metrics to enable IT performance to be measured.
  - Maturity models to enable process capability to be benchmarked.
  - Responsible, accountable, consulted and informed (RACI) charts to clarify roles and responsibilities.

5. National regulations on IT Governance in the Republic of Croatia

In the Republic of Croatia the regulatory framework for IS auditing was prescribed by the Croatian National Bank (CNB). The main objective of the obligatory regulations is to effectively manage the level of operational risks, namely IT-associated risk in credit institutions (namely banks). The Act about credit institutions and the Decision about appropriate management of information system are the cornerstones of the IT Governance regulation that obliged every credit institution to perform internal and especially external assessment of IT risks (IS auditing) and to prepare a report for the regulator as well as for the company's Board. The regulation itself is concerned with a framework and scope for evaluating the maturity of using IT. The areas of IT Governance and IS audit are based on CobiT and in line with Basel II requirements, and include the following areas:
• Framework for IT Governance (IT Governance policy, IS strategy, IT investment plan, IT project management, organizational issues, etc.).
• Information system risk management policy (IT risk management methodology).
• Internal information system auditing.
• Information systems security (IT security policy, logical access to IS, authorisation, operating and system records, incident management).
Republic of Croatia. Banks were selected for a very simple reason: the IT Governance regulation described in chapter 5 is obligatory only for banks and credit institutions operating in Croatia. Small banks were selected because there was no question that large banks with large budgets would be able to meet the regulatory conditions, which is not likely for small ones. The survey was performed once a year in the period from December 2007 to September 2010 and was conducted by sending a questionnaire via e-mail. The survey resulted in important responses which gave us crucial information about the growing maturity of IT Governance initiatives over the years. After sending the survey to CIOs, every year we paid a visit to the 5 selected banks and spent a week or so having in-depth dedicated discussions with CIOs and other responsible employees about the IT Governance practices posed in the research model. Such activities are regular IS auditing procedures in which we were engaged.

6.2. Research Sample

Case study analysis and a series of in-depth interviews were performed on a sample of 5 small banks in Croatia during the period 2008-2010. The purpose of the research was to show how the regulatory body (Croatian National Bank - CNB) and its regulatory guidelines helped small banks to improve IT Governance practices. All selected banks have from 115 to 150 employees and an organizational structure adequate to their size, with the IT department as a strategic business function directly responsible to the CEO and/or the Board member responsible for IT. IT departments in all banks typically have three sub-units: application support, system support and business support. Specific functions such as CISO (chief information security manager), internal IS auditor and business continuity manager are extracted from the IT department and represent autonomous organizational units.

In bank 1 and bank 3 the CEO is the member of the Board responsible for IT, while in the other banks this function is held by another nominated Board member. All banks have various committees which help the CIO and IT department in IT governance procedures, such as the IT Steering Committee (all 5 banks), IT Project Management Committee (bank 3 solely), Business Continuity Board (bank 2 and bank 4) and IT Change Management Committee (bank 2 and bank 5).

6.3. Analyses of research results and the discussion

The analysis of the comprehensive in-depth interviews conducted over the 3 years' time shows that all the banks in the sample have implemented an IS strategic plan as a part of the overall strategic plan, strengthened the position of the CIO as an executive manager and nominated the Board member who is responsible for IT. Such results can be explained as a direct effect of the regulatory implications, given that the results of some comprehensive research imply that only a modest number of Croatian large companies, around 46%, have a proper IS strategy (the research was conducted on a sample of the 100 largest Croatian companies) (Spremic, [8]).

Table 2: Selected research results on some IT Governance issues

Bank     Year   CIO responsible to   CISO responsible to   IS internal audit dept.
Bank 1   2008   Board                CIO                   No
Bank 1   2009   Board                Board                 Yes
Bank 1   2010   Board                Board                 Yes
Bank 2   2008   Board                No CISO               No
Bank 2   2009   Board                No CISO               No
Bank 2   2010   Board                Board                 Yes
Bank 3   2008   CFO                  No CISO               No
Bank 3   2009   Board                Board                 No
Bank 3   2010   Board                Board                 Yes
Bank 4   2008   Board                Board                 No
Bank 4   2009   Board                Board                 Yes
Bank 4   2010   Board                Board                 Yes
Bank 5   2008   Board                Board                 No
Bank 5   2009   Board                Board                 Yes
Bank 5   2010   Board                Board                 Yes

Table 2 indicates the growing IT Governance maturity on the selected set of research criteria. The IT Governance issues evolve through the years as the banks' Boards realize that they have to improve current practices to be (stay) competitive as well as to be compliant with regulatory issues. For example, the IT Governance regulation on internal audit was due on 01.01.2009 and stated that internal audit departments are responsible for conducting information system audits (with the same due date for nominating the CISO as an autonomous function outside the IT department).

Also, in the first year of the case study (2008), none of the banks had a help desk to support IT incidents, and problems were handled in an informal way with no documenting procedures. Rigorous regulations prescribed by CNB resulted in formalizing many procedures and practices (identifying roles and responsibilities within processes, authorizations, logon procedures, outsourcing issues, the necessity for archiving
system and operating logs, business continuity issues, data recovery procedures, etc.).

Furthermore, the majority of the sample banks have approximately 10-14 IT employees (7% to 10% of all bank employees). A discrepancy is noted in one bank (bank 5) which has 19 IT employees (around 15% of all bank employees) due to the fact that it does not use IT outsourcing services in developing and maintaining applications for core business processes (it has internal development).

In the first year (2008) of obligatory usage of the CNB guidelines and regulation, inadequate practice was noted in one out of five banks (bank 3), where the CIO was responsible to the Chief Finance Officer (CFO), and in three out of five banks (bank 1, 2 and 3), where the CISO was responsible to the CIO or there was no CISO at all. Also, in the first year of the research (2008), none of the sampled banks had an internal IS audit department or competent employees to perform IS audit. Internal IS audit was performed on the procedural level with no clear methodology and with much help from the IT department employees, which put their results and independence in question. The prescribed regulations raised Boards' awareness of the significance of IS internal audit, which in the following year(s) resulted in formally appointing a qualified IS internal auditor and defining the methodology and framework that helped to start performing internal IS audit. The various IT Governance efforts are very important especially having in mind that small and medium size banks, compared to large ones, commonly have no huge budget for IT investments. Analyzing the sample banks' common practices, the following trends in IT investments were noted:
• The IT investment budget was increased each year and accounts for approximately 8 to 12% of the total bank budget (or up to 30% of the investment budget), and surely helps align IT with the business.
• As CNB regulations became due, more investment in IT was needed, especially in the business continuity and disaster recovery process.
• IT investments cover all functional areas of IS in banks. Throughout the years there has been a constant increase in the number of IT employees in the sampled banks; IT investments rose from 15% to up to 30% of the investment budget. At the same time the IT outsourcing budget in all banks was (heavily) decreased throughout the years, which reflects the fact that in the long term the Board and CIOs would like to manage IT by themselves, using in-sourcing strategies.

Table 3: IT policies, procedures and metrics

Bank     Year   IT strategy   IT risk policy   BCP and DRP   RPO and RTO   Application outsourcing
Bank 1   2008   Yes           No               No            No            Yes
Bank 1   2009   Yes           Yes              No            No            Yes
Bank 1   2010   Yes           Yes              Yes           Yes           No
Bank 2   2008   Yes           No               No            No            Yes
Bank 2   2009   Yes           No               Yes           No            Yes
Bank 2   2010   Yes           Yes              Yes           Yes           Yes
Bank 3   2008   No            No               No            No            Yes
Bank 3   2009   Yes           No               No            No            Yes
Bank 3   2010   Yes           Yes              Yes           No            Yes
Bank 4   2008   No            No               No            No            Yes
Bank 4   2009   Yes           Yes              No            No            Yes
Bank 4   2010   Yes           Yes              Yes           Yes           Yes
Bank 5   2008   No            No               No            No            Yes
Bank 5   2009   Yes           Yes              Yes           Yes           No
Bank 5   2010   Yes           Yes              Yes           Yes           No

The research results depicted in Table 3 indicate that banks didn't prescribe some IT Governance procedures prior to the mandated regulations. In a series of in-depth interviews performed from 2008 to 2010 at the selected banks we confirmed that, once approved, these internal acts were successfully implemented.

The business continuity plan (BCP) and disaster recovery plan (DRP) were the only IT Governance areas that were prescribed and implemented in practice last. The reason for that may be found in the fact that BCP and DRP are very expensive to implement, especially for small banks. Accordingly, all banks have performed a business impact analysis (BIA) which showed that the regulation is not suitable for small banks but for large ones with higher IT budgets, resources and expertise.

In the majority of cases the implementation of the procedures and internal acts was not satisfactory in the first (2008) and even in the second year (2009) of the research, due to the fact that banks prescribed them just to formally fulfil the legal obligation. Regular external IS audits were therefore the key research instrument for investigating the practice of IT Governance procedures in the first two years of the research, with many suggestions for improvements. During the last year of the research (2010) all banks had significantly improved the operative effectiveness of the internal acts and procedures in place.