it governance model for small and medium- sized enterprises - ISEing

European, Mediterranean & Middle Eastern Conference on Information Systems 2012 (EMCIS2012) 

June 7-8, Munich, Germany 

IT GOVERNANCE MODEL FOR SMALL AND MEDIUM- 

SIZED ENTERPRISES 

Can Adam Albayrak, Harz University of Applied Sciences, Germany 

calbayrak@hs-harz.de 

Andreas Gadatsch, Bonn-Rhein-Sieg University of Applied Sciences, Germany 

andreas.gadatsch@h-brs.de 

Abstract 

This paper first summarizes key aspects of established IT governance models that are primarily 

used in large companies. As its first contribution, it analyses the current situation in the IT 

management of small and medium-sized enterprises (SMEs) based on a recent empirical survey 

conducted by the authors within Germany. In this context, particular attention is paid on how IT 

management in SMEs is organized in practice, e.g., who is responsible for IT in the company, 

which IT related functions are performed internally or externally, and how can the degree of 

maturity in the company be evaluated? Because there do not exist specific established concepts, 

the paper’s second contribution is the introduction of several concepts for a compact IT 

governance model for SMEs that support access to professional IT management. 

Keywords: SME, information management, IT management, IT governance 

1 INTRODUCTION 

1.1 IT management and governance 

Information technology (IT) in a company addresses the IT requirements of its functional departments. 

IT services have to support the business processes of the company’s core business and its support 

processes, and even parts of process chains of customers and suppliers. The availability of appropriate 

organizational structures is an important prerequisite to provide IT services at the right time, at the 

right place and at the required quality. To perform IT management as a leading rule, this availability 

does not only include the company’s organizational structure but also the establishment of appropriate 

control and regulatory processes of IT management, the so-called IT governance. It is well known that 

smaller and medium-sized enterprises (SMEs) deviate from large companies in their way of business 

management. Therefore, it can be assumed that the type and manner of IT leadership significantly 

differs at SMEs from those at large companies. Unfortunately, IT management and governance aimed 

at SMEs is hardly considered in the literature; for exceptions consult, e.g., (Johnston and Wright, 

2004) or (Elia et al., 2007). Motivated by this poor situation and because we wanted to collect data on 

how IT is managed in SMEs, we have conducted as research method a scientific survey on the 

organization of IT for SME whose results are presented in Section 2. Before we do so, we give an 

overview on the organization of IT in large companies, and we consider the notion of IT governance. 

In addition, we have designed an IT governance model that is introduced in Section 3 by presenting 

the core elements of such a governance model. Section 4 closes this paper with summarizing the paper 

and discussing the future work. 

1.2 IT organization in large enterprises 

The IT Governance Institute is a non-profit organisation developing international IT standards for the 

planning and control of internal information systems. They understand IT governance as the main 

Albayrak and Gadatsch 380 

IT governance model for small and medium-sized enterprises

Business Orientation 

internal external 



target to foster understanding of the strategic relevance of IT in optimising a company’s targets and 

strategies for future enhancements of business operations (IT Governance Institute, 2008). Weill and 

Ross define IT governance as “the decision rights and accountability framework for encouraging 

desirable behaviours in the use of IT” (Weill and Ross, 2004). Van Grembergen and his co-authors 

consider IT governance more in the context of temporary orientation and business process orientation. 

According to their definition, IT governance is more than IT management that has a strong internal 

orientation to the entity. IT governance is more externally oriented and more strongly adjusted to the 

future, but not as intense as a long term IT strategy (van Grembergen et al., 2004). 

Business 

Strategy 

IT Strategy 

IT Governance 

IT Management 

Border Lines 

Present 

temporary Aspect 

Future 

Figure 1. Classification of IT management and IT governance according to van Grembergen et al., 2004. 

ISO / IEC 38 500, existing since 2008, distinguishes the concepts of IT management and IT 

governance as follows: IT governance refers to the setting of strategic goals and rules of the IT 

managers to monitor the achievement of objectives by the use of IT. IT management is the existing 

system of processes and controls that is necessary to achieve the strategic goals. However, ISO / IEC 

38 500 as a “high level standard advisotory” can be understood as a counsellor and thus it is not a 

reference model like CobiT is. 

In large companies, IT is often divided into two parts: the IT demand-side and the IT supply-side. The 

demand-side is controlled by the Chief Information Officer (CIO) of the organization and has the task 

to consider all IT, including eliciting requirements from functional departments, consolidating these 

requirements and procuring appropriate IT services (as a customer to the supply-side would do). The 

supply-side delivers IT services in exactly the way the demand-side wishes. Services delivered to the 

demand-side are typically data centre services and the provision of PCs and IT networks for the 

transmission of data and speech, and may also include software development. All functional 

departments procure IT services directly (if their representatives are part of the demand-side) or 

indirectly (if their representatives are not part of the demand-side) from the IT demand-side. The CIO 

is very much involved in corporate governance and is often a member of the Executive Board. 

1.3 Key questions 

In the context of our research activities we have examined how far SMEs could and would like to 

adopt established structures from large companies, and which of these structures are qualified to be 

taken over with regard to the IT management function. Because we wanted to collect data on how IT is 

managed in SMEs and such data was very rare available in literature before, we chose the scientific 

survey as research method. Our scientific survey has analyzed how SMEs organize their IT and what 

IT governance processes are already deployed. In addition, we have developed several concepts based 

on this scientific survey, which enables one to lead the IT organization of an SME. 





2 ANALYSIS OF IT MANAGEMENT IN GERMAN SMES 

The aim of our survey was to investigate how information management for SMEs is organised, and 

how senior management executes the management function of IT. We have also examined how far 

SMEs (with regard to the IT management function) have already adopted structures of large 

companies, or if they are able or willing to do so. Moreover, we have questioned the popularity and/or 

implementation of reference models for IT governance. Finally, we have analyzed how IT projects are 

handled and which issues of IT are currently discussed, in order to get an overall impression of the 

health of an IT organization. 

Within the study we have used the definition of SME of the Institut für Mittelstandsforschung (IfM), 

where an SME must meet the following two requirements: (1) its number of employees must be less 

than 500 and (2) its annual turnover must not exceed 50 million Euros (Günterberg and Wolter, 2003). 

The European Union (EU, 2003) also defines SMEs on the number of employees and the annual 

turnover of the company, but differs in the numbers (“Companies, which employ fewer than 250 

persons and which either achieve an annual turnover not exceeding 50 million Euros, or whose 

balance sheet total is not exceeding EUR 43 million”). 

2.1 Questions and approach 

The questionnaire of our online scientific survey is divided into questions 

 

 

 

 

 

 

 

Of the organization of IT, 

Of the degree of IT outsourcing, 

Of the perception of IT in the company, 

Of the use of standard models for IT governance, 

Concerning IT projects, 

Concerning current IT topics, and 

On statistical information such as industry, company size, IT budget, number of IT staff and 

number of deployed desktop systems (PCs and notebooks). 

For obtaining company information we used a database of a service provider and filtered from this 

database those companies that meet the criteria described above. As approximately 220,000 companies 

in Germany fit the criteria, we selected 1562 representative companies randomly, which comply with 

the defined clusters consisting of the number of employees and annual sales. These selected 

companies were asked to take part in the survey between May 2011 and September 2011. 

2.2 Results of the survey 

38 of the companies surveyed answered the questionnaire, whereas only 36 could be considered due to 

the companies’ sizes (equivalent to 2.3% of the companies surveyed). Given that the survey was 

directed towards management, for the most part managing directors, managing partners, assistants of 

the executive board or IT managers replied. The companies have on average 104 employees and 7 fulltime 

equivalent employees who are exclusively engaged in IT. The annual turnover of the companies 

surveyed is between 120,000 € and 50 million €, with IT costs lying between 4,000 € and 480,000 € 

annually. Interesting is also how many companies were not able to provide statistical information: 

while all companies knew how many desktop systems existed, 49% of respondents could not designate 

the total amount of IT costs and 69% could not provide the total costs of IT operations. Table 1 

summarizes the statistics: 

Minimum of 

all mentions 

Maximum of 

all mentions 

Median 

Missing 

data 





Table 1. 

Annual turnover 120,000 € 50 Mio. € 6.5 Mio. € 29% 

Desktop systems incl. notebooks 5 300 30 0% 

IT costs 4,000 € 480,000 € 63,000 € 49% 

Costs of IT operations 4,000 € 100,000 € 15,000 € 69% 

Statistical information of the companies surveyed. 

84% of the companies have a manager who is responsible for IT. He or she usually belongs to the first 

(32%) or second (52%) management level. The manager who is responsible for IT is mostly called IT 

Manager, Head of IT, Director of IT, or Chief of IT. In few companies (16%), no manager is 

responsible for IT; interestingly, this situation is often (75%) not seen as a situation that needs to be 

changed. 36% of the companies indicated that basically everyone handles several tasks and that there 

does not exist a division of the IT tasks. IT services are provided mostly within the company but a 

third of the companies surveyed consider allocating IT to external providers (IT outsourcing). While 

IT development is often fully or partially outsourced (68%), desktop support is at 49% fully or 

partially outsourced, and data centre operations are only outsourced at 30%. 

Table 2 shows how IT is perceived in companies. It conveys that IT is usually perceived to create a 

benefit in relation to its costs; only few companies (11%) regard IT as pure cost. 

IT is only seen as a cost factor, the concrete benefit is unclear 

IT supports the workflow, but nevertheless IT is too expensive 

11% 

8% 

IT is of much use, but IT costs are in fact too high 42% 

Figure 2. 

IT brings up more benefits than it costs 24% 

IT enables the company to offer products and services, which would be 

impossible without IT; IT benefits outweigh the IT costs 

Perception of IT in enterprises (multiple answers possible). 

IT projects or projects related to IT are planned in 91% of the companies. In 60% of the companies 

there is a written project proposal, in 66% a detailed project plan, and 44% of them conduct projects 

according to a specific process model. However many instruments such as written project proposals 

(40%), risk analysis (71%) and change-request processes (77%) are mostly not used. 

Standard models for IT governance are only employed in 20% of the companies. The IT governance 

framework CobiT is merely known to 30%, while it is used partially in just 6% of the companies. 

Concerning IT service management, the framework ITIL is known to 37% and is partially deployed in 

8% of the companies. None of the companies uses CobiT or ITIL completely, which could be 

expected in view of the complexity of these models for SMEs. 

Current IT topics of SMEs are business cases of IT projects (53%), IT reorganization (40%), use of 

social media in the enterprise (36%), IT-outsourcing (33%) and the use of cloud computing (27%) 

(multiple answers possible). In contrast, IT issues such as mergers & acquisitions (67%) and IT 

governance (62%) play little or even no role (also multiple answers possible). 

42% 

3 CORE ELEMENTS OF AN SME IT GOVERNANCE MODEL 

Overall, the study shows that in particular the transparency of IT is not often given. Consequently, the 

control function in the IT and can not be performed adequately. In this section we therefore introduce 





a control organization and a performance measurement system (section 3.3). To improve the structure 

of the IT project management, we introduce in section 3.4 a model that can support the basic project 

structure. 

The experience from the above empirical research has shown that the core elements of an IT 

governance model for SMEs largely meet those of large companies, though their contents have to be 

designed much leaner and the tools for the main functions have to be reduced. An IT governance 

model for SMEs therefore contains at least the following basic elements: 

• Control of the IT organization, 

• IT strategy and IT planning, 

• IT performance measurement system, and 

• Standards for IT projects. 

For example, the model of (Albayrak et al., 2009), which describes an IT performance measurement 

model for SMEs, can be considered as one of many steps. Here, we define IT performance 

measurement according to (Becker and Winkelmann, 2004) as purchasing, preparing and analysing 

data to prepare target-oriented decisions for purchase and to realise and run hardware and software. 

Schauer enumerates strategic tasks of IT performance measurement: fixing IT strategy, IT budgeting, 

managing IT portfolio and measuring benefits (Schauer 2006). However, especially rapidly grown 

companies often hesitate to make changes in their IT division. We suspect that many possibilities of 

improvement in IT only extend to the technical area and that other changes in the organization are not 

even known to its leadership. 

3.1 IT control organization 

The IT control organization accompanies the implementation of a company’s IT strategy with regard 

to the realisation of appropriate IT equipment (hardware, software, services). In large companies, 

demand-supply-organizations are common to perform this task (see above). They separate the roles of 

IT governance and IT service provision. The Chief Information Officer or, respectively, the Head of 

Information Management is responsible for IT governance. The IT service provider can be an internal 

department, a company belonging to the corporate group or an external service provider. Such 

solutions are not practical for SMEs due to the considerably less available staffing level. Because of 

this, the roles of the IT control organization are not very differentiated and cannot be transferred to 

different people. Often IT managers in SMEs also deal with operational tasks, in addition to the 

strategic tasks. They often have an enormous detailed technical knowledge. For these reasons, we 

propose a simplified control model (see Figure 3), which certainly holds the management more to 

account in order to ensure the strategic security of any measures. 

Figure 3. 

IT control organization. 





Within this framework of control, management is responsible for basic questions about the use of IT 

and delegates the management of IT projects and the responsibility for IT operations to the IT 

department or the IT managers. The functional departments address requirements to the IT department 

and use their services. A cost and service allocation of IT services is indeed conceivable in larger 

SMEs but is not always necessary. 

3.2 IT strategy and planning 

The IT strategy and planning of an SME describes the desired target state of the company with regard 

to its IT equipment. To do this, the need for action for realization, i.e., a description of the actual IT 

situation and the IT weaknesses, has to be displayed. The result of the IT strategy is an action plan 

listing the responsibilities of the IT department and specifying dates of completion for the involved 

functional departments. The IT strategy should include the following topics: 

 

 

 

 

Hardware (What kind of hardware will be used in future, and for which tasks? Is the hardware 

purchased, are there rental agreements, or is there a total or partial outsourcing? Which 

external companies take care of the hardware? What emergency concepts exist?) 

Software (What kind of software will be used in the future, and for which tasks? Who in the 

IT department looks after the software, or which external service provider does so? What 

software is being developed in-house or by external service providers? Which standard 

software is used?) 

Services (What services does the IT department provide? For example, advice, operation of 

applications, or management of IT users?) 

Processes (How are projects implemented? How are work processes documented?) 

Table 2 summarizes the issues together with related instruments for implementation. 

No. Issues Instruments 

1 Hardware 

IT infrastructure planning 

IT standards 

2 Software 

Application area for individual/standard software 

IT development planning 

IT standards for proprietary development 

3 Services 

IT service 

Management of IT service providers 

4 Processes 

Table 2. 

Process models / documentation 

Project management / project governance 

Thematic areas and instruments of IT strategy. 

Planning of hardware and data centre 

Standards for desktop systems 

Usage strategy for software 

IT architecture 

IT service catalogue with service level agreements 

IT service guidelines 

Software “ARIS Business Architect” 

IT project office 

Project guidelines manual 

Each of the areas mentioned above can be secured by a balance of arguments, which has to be 

coordinated with the company’s functional departments. An example of a balance of arguments on the 

subject of outsourcing a data centre is shown in Table 3. 





Outsourcing 

Table 3. 

Aspects Pros Cons 

Placing of the hardware in a 

secured data centre 

High safety and fire safety 

standards for the IT 

Standby 7x24 

IT strategy and balance of arguments. 

Maintenance of hardware by 

external service providers 

Personnel resources can be used 

for services and projects 

Higher operating costs for 

external support and data lines 

Dependence from external 

service providers 

Extensive communication effort 

is necessary 

No direct access to any 

hardware or data 

The operational strategy for software can be displayed using a simple portfolio which differentiates 

process types (core processes, management processes and support processes) and types of software 

(software, software). Different strategies can be set depending on the quadrant. In the example of 

Figure 4, customized software is used for core processes because then competitive advantages can be 

generated. However, support processes are supposed to be supported by standard software only. In the 

area of management processes, a mix strategy is recommended that takes not only standard software 

but also individually developed software into account. 

Figure 4. 

IT strategy / application strategy for software. 

Ideally, the strategy is complemented by an IT development plan (see Figure 5). With this instrument, 

the applications used by the company and the processes supported by the applications can be 

demonstrated graphically, so that the planning can be visualized and documented. This tool for 

displaying the actual situation as well as possible planning scenarios is particularly convenient in 

conversations between IT management, functional departments and top management. Its 

implementation is feasible using graphics tools of common office software packages and thus does not 

require additional effort. 





Figure 5. 

IT development plan. 

3.3 Key performance indicator system 

The usual key performance indicator (KPI) systems based on business intelligence applications are 

often only partially suitable for SMEs. Therefore, the IT scorecard (Kaplan and Norton 2001) has 

become established for the operational control of the IT strategy. It combines goals, key figures, target 

values and measures to ensure the implementation as a whole. Although larger companies typically 

use the IT scorecard, it is also well suited for IT governance in smaller companies, in combination 

with a budget and measure overview (Bernroider et al. 2003), (Martinsons et al. 1999), (Müller et al. 

2002). The selection of goals, key figures and other elements is carried out on a company-specific 

basis, but it should also comprise the classical viewpoint of “internal IT clients”, IT processes, IT 

employees and IT costs. Every measurement of the IT scorecard has to be planned and constantly 

monitored within the framework of budgeting. This requires a planning of measures within the IT 

budget, as is illustrated in Figure 6. 

Figure 6. 

Planning of measures within the IT budget. 

3.4 IT project structures 

Even in medium-sized companies it is necessary to implement a procedural model that can be based 

on fundamental project structures instead of making ad-hoc procedures. The management is generally 

the highest authorization instance for projects and generally conducts prioritization in case of conflicts 

over resources or the like (cf. Figure 7). Project proposals are the starting point for appropriate 





decisions. In addition, the management is responsible for the strategic governance of the project and 

for making specific decisions in case of conflicts. 

Depending on the size of the company, there should be a project office set up within the existing IT 

environment, which is responsible for ongoing project authorizations, project governance and control 

of smaller project proposals, and for the transaction of the operational project portfolio management. 

Further tasks of the project office should be the evaluation of submitted project proposals, crossproject 

coordination, continuous monitoring of and reporting on the project status and providing these 

reports to the upper management and, if required, the composition of project teams for new projects. 

The project team is the operative working instance that operates the actual project and regularly 

reports to the project office (e.g., project progress, special issues, problems and conflicts, urgent 

decision needs). As in large companies, IT projects in SMEs have to be well structured. This includes 

the designation of the project leader and his or her allocated internal and external staff. The leader of 

the project is mainly responsible for the governance and the compliance with the project goals, to keep 

to restrictions (dates and schedules, costs, personnel and material resources), as well as for standards 

and guidelines plus reporting. 

Figure 7. 

Structures of IT projects. 

Of central importance is the use of a procedural model for the implementation of projects. As shown in 

Figure 8, such a model comprises different phases, each of which can be executed several times if 

required. Loop backs to prior phases are also usual. In the context of specifications, a description of 

the project idea together with the functional and technical requirements (including the first cost and 

benefit estimations) is given. The requirements specification determines the intended implementation, 

including the selection of standard software. It also includes information on project planning, so that 

all estimations in reference to effort, time, resources and benefits are integrated as accurately as 

possible. 





Figure 8. 

Procedural model for IT projects. 

After the completion of the concepts, the realization can be started. The focus here is on the 

development and the programming of the planned solution, on the purchase and the customizing of 

standard software, and on developer tests carried out by software engineers. Hereafter, the actual 

testing and approval follow; this includes specialized individual tests that are generally realized by a 

special business unit, the rectification that is done by the developers, a technical approval conducted 

by the IT leader and, finally, the acceptance of the software after an integration test by the functional 

department. Before the project is finished, a production takeover is required. This phase includes the 

actualization, the collection of data (e.g., master data, tables), the data transfer from the legacy system, 

the individual customizing of the system, the preparation for the productive usage (backups of older 

and current data) and the production release (IT leading). After all these preparatory steps, the system 

is ready for live operation. During the use of the system, simultaneous projects are carried out with the 

aim of further development and maintenance of the software. 

4 CONCLUSIONS AND FUTURE WORK 

This paper examined how SMEs can adopt familiar corporate IT governance structures of large 

companies. Compared to large companies and due to the well-known characteristics of SMEs, much 

more attention has to be paid to which advantages and disadvantages can occur. Our results show that 

SME-specific models still need to be developed. In our opinion, the main focus lies on the 

establishment of an IT steering organization, the development of an IT strategy and IT planning, and 

the integration of an IT KPI system and IT project structures. Although concepts developed by larger 

organizations cover also a wide range of specific SME activities, they are often too complicated and 

utterly impracticable for SMEs. The concepts of IT governance structures for SMEs introduced here 

are intended to help initiating discussion about the topic. 

Regarding future research, we propose to look more closely at the following issues: 

1. Which kinds of preconditions must a company fulfil to be able to successfully adopt and 

implement our proposed IT governance model? 





2. Which advantages and disadvantages may implementing our IT governance model bring 

about? Is there a competitive advantage? 

3. Which correlations exist between the depth of IT production and the benefit of introducing the 

corporate governance model? 

It is also planned to implement the model described here in selected SMEs in order to demonstrate 

in practice the basic ability of implementation and moreover the effectiveness of our model 

References 

Albayrak CA., Gadatsch A and Olufs D. 2009. ‘Life Cycle Model for IT Performance Measurement – 

A Reference Model for Small and Medium Enterprises (SME)’. In: Dhillon G, Bernd Carsten 

Stahl BC and Baskerville R (Eds.). ‘Information Systems – Creativity and Innovation in 

Small and Medium-Sized Enterprises, Proceedings of IFIP WG 8.2 International Conference, 

CreativeSME’: 180-191. 

Becker J and Winkelmann A. 2004. ‘IV-Performance measurement’. Wirtschaftsinformatik, 46 (3): 

213-221. 

Bernroider EWN, Hampel A and Sumper AF. 2003. ‘An Application of the Balanced Scorecard as a 

Strategic IT-Performance Measurement Instrument for E-Business Development’. The Third 

International Conference on Electronic Business - Business Paradigms: Strategic 

Transformation and Partnership. 

CobiT. 2008 CobiT 4.1 Excerpt, IT Governance Institute. http://www.isaca.org/. 

Elia E, Lefebvre LA and Lefebvre E. 2007. ‘Focus of B-to-B E-Commerce Initiatives and Related 

Benefits in Manufacturing Small- and Medium-sized Enterprises’. Information Systems and 

E-Business Management, volume 5, number 1: 1-23. 

van Grembergen W, de Habs S, Guldentops E. 2004. ‘Structures, Processes and Relational 

Mechanisms for IT Governance’. In: van Grembergen W (Ed.). ‘Strategies for Information 

Technology Governance. Idea Group’: 1-36. 

IT Governace Institute. 2008. http://www.itgi.com. 

Johnston DA and Wright L. 2004. ‘The E-Business Capability of Small and Medium Sized Firms in 

International Supply Chains’. Information Systems and E-Business Management, volume 2, 

numbers 2-3: 223-240. 

Kaplan RS, Norton PN. 2001. ‘Strategy Maps: Converting Intangible Assets into Tangible Outcomes’. 

Martinsons M, Davison R and Tse D. 1999. ‘The Balanced sScorecard: A Foundation for the Strategic 

Management of Information Systems’. Decision Support Systems, 25 (1): 71-88. 

Müller A and v. Thienen, L. 2002. ‘E-Business-Controlling mit der Balanced Scorecard’. In: Blomer 

R and Bernhard M (Eds). ‘Balanced Scorecard in der IT, Praxisbeispiele - Methoden – 

Umsetzung’: 183-209. 

Schauer H. 2006. ‘Vergleichende Buchbesprechung IT-Controlling’. In: Wirtschafsinformatik, 48 (3): 

212-218. 

Weill P and Ross JW. 2004. ‘IT Governance on One Page’. Center for Information Systems Research 

Working Paper No. 349, MIT Sloan School of Management.

it governance model for small and medium- sized enterprises - ISEing

Create successful ePaper yourself

Delete template?

Save as template?