Copyright © 2007 ISACA. All rights reserved. www.isaca.org.

How Does the Business Drive IT?

Identifying, Prioritising and Linking Business and IT Goals
By Wim Van Grembergen, Steven De Haes and Hilde Van Brempt

I
n today’s complex and constantly changing business world, For the prioritisation and linking of the goals, a Delphi
the governance of information technology (IT) and the method was used. This method is based on a structured
alignment of IT to the business are high on the agenda of process for collecting and distilling knowledge from a group
executive management. Strategic planning based on the of experts by means of several feedback rounds. A team of
alignment of IT goals to business goals is a key component in experts was asked to prioritise a list of business and IT goals
business/IT alignment. It is important that an organisation by using a ranking technique, and the averaged results were
start with a clear view on its corporate mission and a returned to them. Different rounds were performed to achieve
thorough definition of its supporting strategy and business consensus amongst the experts on which were the important
goals. Then, these need to be translated into goals for the IT goals and how the business goals linked to the IT goals.
department, which are the basis for the IT strategy. Finally, The ISACA database was used as a major source for
the supporting IT processes must be carefully planned to identifying subject experts. In total, the participants were 158
translate the IT strategy into action. For these planning efforts, business and IT professionals (managers and auditors) from
companies may be looking for guidance to identify the set of companies in one of the sectors previously mentioned and
important business goals and IT goals and determine how with more than 150 employees. One of the assumptions was
they interrelate. that these experts have sufficient knowledge on both IT and
The IT Governance Institute (ITGI)’s research on this business goals. Figure 1 presents the expert team’s
subject was illustrated by a previous article1 in the Information composition by sector and geographic area.
Systems Control Journal and led to the publication of a set of
generally applicable business goals for IT and associated IT
goals in COBIT 4.0. Extensive follow-up research was Figure 1—Expert Team Composition
performed to gain more insight into this set of business and
IT goals and their linkage. This article presents the results of Expert Team per Sector
the follow-up research project in which experts in different
sectors were asked to validate, prioritise and link a set of
business goals and IT goals. This research resulted in a Retail Transportation: 16
significant improvement of the business goals for IT and Financial: 38
associated IT goals in COBIT 4.1.

Government, Utilities,
Research Background Healthcare: 39
This research project was based on the findings of a pilot Manufacturing,
study that resulted in a list of 20 generic business goals and Pharmaceutical: 25
28 generic IT goals, published in COBIT 4.0. The objective of
this research was to:
• Validate these lists for completeness, consistency and clarity IT Professional Service,
Telco, Media: 40
• Gain more insight into goals’ priorities for different sectors
• Examine the relationship between IT goals and business goals
In practice, every enterprise has its own distinct sets of Expert Team per Geography
business and IT goals. Priorities within these sets differ Australia: 7
depending on a variety of internal and external factors, such Asia: 28
as company size, market position, degree of IT dependency,
industry and geography. This project chose an industry North America: 51
approach and started with a pilot study in the financial sector
that was then replicated in the following four sectors: Africa: 14
• Manufacturing and pharmaceuticals
• IT professional services, telecommunications and media
• Government, utilities (energy, oil and gas) and healthcare Middle East: 18 Latin America: 3
• Retail and transportation
Europe: 37

I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7 1
 Findings speaking, the most important business goals and IT goals.
The following findings resulted from the study. Filtering the results per company size and geography
confirmed the stability of these top 10 lists of goals.
Identification of Business and IT Goals
The outcome of the exercise was an in-depth understanding Financial and Customer-oriented Goals2
of business goals and IT goals, and how they interrelate. Although priorities may differ from sector to sector, in
During the research, the original list of IT goals and business general, business goals categorised in the customer and
goals (published in COBIT 4.0) was reviewed multiple times financial perspective of the BSC score high in the ranked list,
and evolved to a generic list of 17 (IT-related) business goals whilst the internal and learning and growth perspective goals
and 18 IT goals. Overlaps, inconsistencies and ambiguities receive lower scores overall. As an example, the customer-
amongst the different goals were reduced to a minimum. The oriented business goals ‘improve customer orientation and
goals turned out to be generically defined and applicable service’ and ‘establish service continuity and availability’ and
across all sectors. Figure 2 presents the final list of business the financial-oriented business goals ‘comply with external
and IT goals, categorised by their corresponding balanced laws and regulations’ and ‘manage IT-related business risks’
scorecard (BSC) perspectives. The generically defined goals make up the top four in the generic list and are also
provide a guideline to help companies identify their set of systematically ranked high to very high in the individual lists
important business and IT goals. In practice, enterprises will by sector, geography and company size.
need to develop their own subset, but they can do this This trend is confirmed in the IT goals list. The IT goals for
efficiently by: the related IT BSC perspective’s corporate and user are higher
• Starting from these generic business and IT goals in the list than those for the learning and growth perspective.
• Updating them for enterprise specifics (strategy, For example, the corporate contribution-related goals ‘align the
infrastructure, etc.) IT strategy to the business strategy’ and ‘provide IT
• Adding measures to track goal achievement compliance with laws and regulations’ and the user-oriented
goals ‘make sure that IT services are reliable and secure’ and
Top 10 Business and IT Goals ‘provide service offerings and service levels in line with
Both lists of business and IT goals have been prioritised business requirements’ are systematically ranked high for the
over five different sectors. Figure 3 presents the top 10 most different sectors, geographies and company sizes.
important business and IT goals, consolidated over all sectors. It is remarkable that the future-oriented business goal for
Apart from some minor exceptions, the separate lists of the acquiring and maintaining the necessary skills only just makes
different sectors include the same business goals and IT goals it in the top 10 list of business goals (number 8), and that its IT
in their individual top 10 lists. This proves that there is a very counterpart goal, ‘acquire, develop and maintain IT skills that
high degree of consensus that these 10 goals are, generically respond to the IT strategy’, falls out of the top 10 most
important IT goals.

Figure 2—Validated Lists of Business Goals and IT Goals

Business Goals IT Goals

Financial (Corporate) Perspective Corporate Contribution
• Manage (IT-related) business risks. • Offer transparency and understanding of IT cost, benefits and risks.
• Provide a good return on investment of (IT-enabled) • Provide IT compliance with laws and regulations.
business investments. • Account for and protect all IT assets.
• Improve financial transparency. • Drive commitment and support of executive management.
• Comply with external laws and regulations. • Improve IT’s cost-efficiency.
• Align the IT strategy to the business strategy.
Customer Perspective User Orientation
• Improve customer orientation and service. • Make sure that IT services are reliable and secure.
• Establish service continuity and availability. • Provide service offerings and service levels in line with business
• Offer competitive products and services. requirements.
• Achieve cost optimisation of service delivery. • Translate business functional and control requirements in effective and
• Create agility in responding to changing business requirements. efficient automated solutions.
• Obtain reliable and useful information for strategic decision • Accomplish proper use of applications, information and technology
making. solutions.
Internal Perspective Operational Excellence
• Improve and maintain business process functionality. • Maintain the security (confidentiality, integrity and availability) of
• Improve and maintain operational and staff productivity. information and processing infrastructure.
• Enable and manage business change. • Deliver projects on time and on budget, meeting quality standards.
• Comply with internal policies. • Optimise the IT infrastructure, resources and capabilities.
• Optimise business process costs. • Provide IT agility (in responding to changing business needs).
• Seamlessly integrate applications and technology solutions into
business processes.
Learning and Growth Perspective Future Orientation
• Acquire, develop and maintain skilled and motivated people. • Acquire, develop and maintain IT skills that respond to the IT strategy.
• Identify, enable and manage product and business innovation. • Acquire knowledge and expertise in emerging technologies for business
innovation and optimisation.
• Ensure that IT demonstrates continuous improvement and readiness
for future change.

2 I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
 Figure 3—Top 10 List of Business Goals and IT Goals

Top 10 Prioritised Business Goals Top 10 Prioritised IT Goals

1. Improve customer orientation and service. 1. Align the IT strategy to the business strategy.
2. Comply with external laws and regulations. 2. Maintain the security (confidentiality, integrity and availability) of
3. Establish service continuity and availability. information and processing infrastructure.
4. Manage (IT-related) business risks. 3. Make sure that IT services are reliable and secure.
5. Offer competitive products and services. 4. Provide service offerings and service levels in line with business
6. Improve and maintain business process functionality. requirements.
7. Provide a good return on investment of (IT-enabled) 5. Provide IT compliance with laws and regulations.
business investments. 6. Translate business functional and control requirements in
8. Acquire, develop and maintain skilled and motivated effective and efficient automated solutions.
people. 7. Deliver projects on time and on budget, meeting quality
9. Create agility in responding to changing business standards.
requirements. 8. Drive commitment and support of executive management.
10. Obtain reliable and useful information for strategic 9. Improve IT’s cost-efficiency.
decision making. 10. Account for and protect all IT assets.

The Role of Sector-specific Characteristics The Role of Size and Geography

Although a relatively high degree of general consensus was When comparing the differences amongst geographic
found regarding the top 10 business and IT goals, a number of locations or company size, fewer variations were identified.
sector-specific characteristics were identified. This may indicate that sector-related characteristics have a
In the IT professional services sector, its high dependency higher impact on setting priorities. Still, some minor but
on IT skills is confirmed with a higher ranking for the goal interesting differences were identified. For example, larger
‘acquire, develop and maintain IT skills that respond to the IT organisations tend to pay more attention to business goals such
strategy’. Another important asset (differentiator) for as ‘comply with external laws and regulations’ and ‘manage
companies operating in this sector is (knowledge of) advanced (IT-related) business risks’ than smaller organisations do. In
technology, which explains the higher importance of ‘identify, Europe, the Middle East and Africa, the IT goal ‘acquire,
enable and manage product and business innovation’. On the develop and maintain IT skills that respond to the IT strategy’
other hand, the business goals ‘establish service continuity and appears to be less important compared to other regions in the
availability’ and ‘improve and maintain business process world.
functionality’ score lower compared to most other sectors. This
may be explained due to a lower focus (and lower budgets) on Generic IT Goals
their own internal processes whilst most efforts go to customer Another finding is that, in general, the level of agreement
services. amongst the experts for the list of prioritised business goals is
Typical for the government/utilities/healthcare sector is that lower than the level of agreement for prioritised IT goals. An
internal policies are to be strictly followed, which is confirmed by explanation may be found in the fact that business goals may
the highly ranked goals ‘improve financial transparency’ (number differ more depending upon some external or internal factors,
6) and ‘comply with internal policies’ (number 9), respectively such as sector-specific characteristics, company size, geography
nine and seven places higher than for the other sectors. This is and others, whilst IT goals’ prioritisation may follow a more
even reinforced in the utilities sector, which may be a consequence generic pattern and is less influenced by these aspects.
of the specific market situation (monopoly/oligopoly) requiring a
controlled environment. Further, because of this sector’s nonprofit Different Levels of Linking Relations
orientation, cost-optimisation-related goals, such as ‘provide a This research also contains detailed findings on how the IT
good return on investment of (IT-enabled) business investments’ goals can support business goals. Figure 4 shows how IT goals
and ‘achieve cost optimisation of service delivery’ score lower in are related to business goals. From this matrix, it becomes
the importance list. This specificity of the sector can also explain (visually) clear that some goals are defined on a higher level
the low ranking of ‘offer competitive products and services’, compared to others. For example the IT goal ‘align the IT
which is ranked 10 places lower compared to the other sectors. strategy to the business strategy’ supports all business goals in
Another characteristic of governmental institutions is that they are a primary (P) or secondary (S) manner, indicating that its
trying to increase their focus on providing adequate customer scope is broadly defined and covers multiple areas of IT
(citizen) service, which is confirmed by the high priority for the responsibilities. On the other hand, business goal number 15,
customer-oriented goals ‘improve customer orientation and goals’ ‘improve financial transparency’, and IT goal number 13,
and ‘establish service continuity and availability’. ‘offer transparency and understanding of IT cost, benefits and
The retail and transportation sector is characterised by low risks’, show only a primary relationship to each other,
profit margins, which explains the higher ranking for goals confirming their similar and narrowly defined scope.
such as ‘optimise business process costs’. Customer loyalty is
also seen as one of the challenges in this sector, and initiatives Practical Application of the Results
are undertaken to deal with this. This is translated into the top
four of most important business goals, which are all customer- Preliminary results of this research have already been taken
oriented. This is also the only sector where the business goal into consideration for the continuous Control Objectives for
for compliance with external laws and regulations is not in the Information and related Technology (COBIT) developments,
top three, indicating that compliance is not yet a top priority in and they contain valuable new opportunities for further updates
the retail and transportation sector. and follow-up research. The results of this research provide
practical guidance for professionals in the attempt to build a
cascade of business goals and IT goals for their specific

I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7 3
 Figure 4—Linking IT Goals to Business Goals

7. Provide a good return on investment of (IT-enabled) business investments.

10. Obtain reliable and useful information for strategic decision making.
9. Create agility in responding to changing business requirements.

17. Identify, enable and manage product and business innovation.

8. Acquire, develop and maintain skilled and motivated people.

14. Improve and maintain operational and staff productivity.

2. Provide compliancy with external laws and regulations.

6. Improve and maintain business process functionality.

11. Achieve cost optimisation of service delivery.

3. Establish service continuity and availability.

16. Provide compliancy with internal policies.

1. Improve customer orientation and service.

5. Offer competitive products and services.

13. Enable and manage business change.

4. Manage (IT-related) business risks.

12.Optimise business process costs.

15. Improve financial transparency.

Business Goals
IT Goals
1. Align the IT strategy to the business strategy. P S S P P P S S P P S S P S S S P
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure. P P P P S S P
3. Make sure that IT services are reliable and secure. P P P P S S S S S S S S
4. Provide service offerings and service levels in line with business requirements. P P S P P S S S S S S S S S
5. Provide IT compliancy with laws and regulations. S P P S S S P
6. Translate business functional and control requirements in effective and efficient automated solutions. S S S S P S S S S S S S S S
7. Deliver projects on time and on budget meeting quality standards. S S S S S S S S S S
8. Drive commitment and support of executive management. S S S S S S S S S S
9. Improve IT’s cost-efficiency. S P P P S
10. Account for and protect all IT assets. S S S S S S
11. Acquire, develop and maintain IT skills that respond to the IT strategy. S S P S S S S S
12. Provide IT agility (in responding to changing business needs). S S S S P P S
13. Offer transparency and understanding of IT cost, benefits and risks. S S S S P
14. Optimise the IT infrastructure, resources and capabilities. S S P S P S S
15. Accomplish proper use of applications, information and technology solutions. S S S S S S S S S S S S S
16. Seamlessly integrate applications and technology solutions into business processes. S S P S S S S S S S S
17. Ensure that IT demonstrates continuous improvement and readiness for future change. S S S P S P
18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation. S S P S S S S P

organisations. Enterprises can do that efficiently by starting impact, the associated goals are called ‘Corporate
from these generic business and IT goals, selecting what Contribution’ and ‘User Perspective’.
applies to them and updating it for enterprise-specific
situations. This will be a good starting point toward Wim Van Grembergen
implementing IT governance. is a professor in the information systems management
department of the University of Antwerp and an executive
Acknowledgements professor at the University of Antwerp Management School.
This research project was commissioned by ITGI and was He is also academic director of the ITAG Research Institute.
performed by the Information Technology Alignment and Van Grembergen has been involved in research and
Governance (ITAG) Research Institute of the University of development activities for several COBIT products.
Antwerp Management School (UAMS) in Belgium. ITGI also
provided the necessary contact information from the ISACA Steven De Haes
member database for building the expert team. The authors and is responsible for the information systems management
researchers are grateful for the valuable support of the COBIT executive programmes at the University of Antwerp
Steering Committee and would like to thank Erik Guldentops Management School. He is managing director of the ITAG
who initiated this research and provided many ideas on IT Research Institute and is currently finalising a Ph.D. in IT
governance. Thanks also go the expert team members for governance. De Haes has also been involved in research and
taking the time during several rounds to provide valuable development activities for several COBIT products.
answers and feedback on the questionnaires.
Hilde Van Brempt
Endnote is senior researcher for the ITAG Research Institute. She has
1
Van Grembergen W.; S. De Haes; J. Moons; ‘IT Governance: many years of experience in large organisations and is now
Linking Business Goals to IT Goals and COBIT Processes’, involved in organising and executing international research
Information Systems Control Journal, vol. 4, 2005 programmes. She is currently starting a Ph.D. research project
2
Because IT may not have a direct financial and customer on IT governance and IT skills.

4 I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
 Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.

© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7 5