it governance model for small and medium- sized enterprises - ISEing
it governance model for small and medium- sized enterprises - ISEing
it governance model for small and medium- sized enterprises - ISEing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
IT GOVERNANCE MODEL FOR SMALL AND MEDIUM-<br />
SIZED ENTERPRISES<br />
Can Adam Albayrak, Harz Univers<strong>it</strong>y of Applied Sciences, Germany<br />
calbayrak@hs-harz.de<br />
Andreas Gadatsch, Bonn-Rhein-Sieg Univers<strong>it</strong>y of Applied Sciences, Germany<br />
<strong>and</strong>reas.gadatsch@h-brs.de<br />
Abstract<br />
This paper first summarizes key aspects of established IT <strong>governance</strong> <strong>model</strong>s that are primarily<br />
used in large companies. As <strong>it</strong>s first contribution, <strong>it</strong> analyses the current s<strong>it</strong>uation in the IT<br />
management of <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong> (SMEs) based on a recent empirical survey<br />
conducted by the authors w<strong>it</strong>hin Germany. In this context, particular attention is paid on how IT<br />
management in SMEs is organized in practice, e.g., who is responsible <strong>for</strong> IT in the company,<br />
which IT related functions are per<strong>for</strong>med internally or externally, <strong>and</strong> how can the degree of<br />
matur<strong>it</strong>y in the company be evaluated? Because there do not exist specific established concepts,<br />
the paper’s second contribution is the introduction of several concepts <strong>for</strong> a compact IT<br />
<strong>governance</strong> <strong>model</strong> <strong>for</strong> SMEs that support access to professional IT management.<br />
Keywords: SME, in<strong>for</strong>mation management, IT management, IT <strong>governance</strong><br />
1 INTRODUCTION<br />
1.1 IT management <strong>and</strong> <strong>governance</strong><br />
In<strong>for</strong>mation technology (IT) in a company addresses the IT requirements of <strong>it</strong>s functional departments.<br />
IT services have to support the business processes of the company’s core business <strong>and</strong> <strong>it</strong>s support<br />
processes, <strong>and</strong> even parts of process chains of customers <strong>and</strong> suppliers. The availabil<strong>it</strong>y of appropriate<br />
organizational structures is an important prerequis<strong>it</strong>e to provide IT services at the right time, at the<br />
right place <strong>and</strong> at the required qual<strong>it</strong>y. To per<strong>for</strong>m IT management as a leading rule, this availabil<strong>it</strong>y<br />
does not only include the company’s organizational structure but also the establishment of appropriate<br />
control <strong>and</strong> regulatory processes of IT management, the so-called IT <strong>governance</strong>. It is well known that<br />
<strong>small</strong>er <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong> (SMEs) deviate from large companies in their way of business<br />
management. There<strong>for</strong>e, <strong>it</strong> can be assumed that the type <strong>and</strong> manner of IT leadership significantly<br />
differs at SMEs from those at large companies. Un<strong>for</strong>tunately, IT management <strong>and</strong> <strong>governance</strong> aimed<br />
at SMEs is hardly considered in the l<strong>it</strong>erature; <strong>for</strong> exceptions consult, e.g., (Johnston <strong>and</strong> Wright,<br />
2004) or (Elia et al., 2007). Motivated by this poor s<strong>it</strong>uation <strong>and</strong> because we wanted to collect data on<br />
how IT is managed in SMEs, we have conducted as research method a scientific survey on the<br />
organization of IT <strong>for</strong> SME whose results are presented in Section 2. Be<strong>for</strong>e we do so, we give an<br />
overview on the organization of IT in large companies, <strong>and</strong> we consider the notion of IT <strong>governance</strong>.<br />
In add<strong>it</strong>ion, we have designed an IT <strong>governance</strong> <strong>model</strong> that is introduced in Section 3 by presenting<br />
the core elements of such a <strong>governance</strong> <strong>model</strong>. Section 4 closes this paper w<strong>it</strong>h summarizing the paper<br />
<strong>and</strong> discussing the future work.<br />
1.2 IT organization in large <strong>enterprises</strong><br />
The IT Governance Inst<strong>it</strong>ute is a non-prof<strong>it</strong> organisation developing international IT st<strong>and</strong>ards <strong>for</strong> the<br />
planning <strong>and</strong> control of internal in<strong>for</strong>mation systems. They underst<strong>and</strong> IT <strong>governance</strong> as the main<br />
Albayrak <strong>and</strong> Gadatsch 380<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
Business Orientation<br />
internal external<br />
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
target to foster underst<strong>and</strong>ing of the strategic relevance of IT in optimising a company’s targets <strong>and</strong><br />
strategies <strong>for</strong> future enhancements of business operations (IT Governance Inst<strong>it</strong>ute, 2008). Weill <strong>and</strong><br />
Ross define IT <strong>governance</strong> as “the decision rights <strong>and</strong> accountabil<strong>it</strong>y framework <strong>for</strong> encouraging<br />
desirable behaviours in the use of IT” (Weill <strong>and</strong> Ross, 2004). Van Grembergen <strong>and</strong> his co-authors<br />
consider IT <strong>governance</strong> more in the context of temporary orientation <strong>and</strong> business process orientation.<br />
According to their defin<strong>it</strong>ion, IT <strong>governance</strong> is more than IT management that has a strong internal<br />
orientation to the ent<strong>it</strong>y. IT <strong>governance</strong> is more externally oriented <strong>and</strong> more strongly adjusted to the<br />
future, but not as intense as a long term IT strategy (van Grembergen et al., 2004).<br />
Business<br />
Strategy<br />
IT Strategy<br />
IT Governance<br />
IT Management<br />
Border Lines<br />
Present<br />
temporary Aspect<br />
Future<br />
Figure 1. Classification of IT management <strong>and</strong> IT <strong>governance</strong> according to van Grembergen et al., 2004.<br />
ISO / IEC 38 500, existing since 2008, distinguishes the concepts of IT management <strong>and</strong> IT<br />
<strong>governance</strong> as follows: IT <strong>governance</strong> refers to the setting of strategic goals <strong>and</strong> rules of the IT<br />
managers to mon<strong>it</strong>or the achievement of objectives by the use of IT. IT management is the existing<br />
system of processes <strong>and</strong> controls that is necessary to achieve the strategic goals. However, ISO / IEC<br />
38 500 as a “high level st<strong>and</strong>ard advisotory” can be understood as a counsellor <strong>and</strong> thus <strong>it</strong> is not a<br />
reference <strong>model</strong> like CobiT is.<br />
In large companies, IT is often divided into two parts: the IT dem<strong>and</strong>-side <strong>and</strong> the IT supply-side. The<br />
dem<strong>and</strong>-side is controlled by the Chief In<strong>for</strong>mation Officer (CIO) of the organization <strong>and</strong> has the task<br />
to consider all IT, including elic<strong>it</strong>ing requirements from functional departments, consolidating these<br />
requirements <strong>and</strong> procuring appropriate IT services (as a customer to the supply-side would do). The<br />
supply-side delivers IT services in exactly the way the dem<strong>and</strong>-side wishes. Services delivered to the<br />
dem<strong>and</strong>-side are typically data centre services <strong>and</strong> the provision of PCs <strong>and</strong> IT networks <strong>for</strong> the<br />
transmission of data <strong>and</strong> speech, <strong>and</strong> may also include software development. All functional<br />
departments procure IT services directly (if their representatives are part of the dem<strong>and</strong>-side) or<br />
indirectly (if their representatives are not part of the dem<strong>and</strong>-side) from the IT dem<strong>and</strong>-side. The CIO<br />
is very much involved in corporate <strong>governance</strong> <strong>and</strong> is often a member of the Executive Board.<br />
1.3 Key questions<br />
In the context of our research activ<strong>it</strong>ies we have examined how far SMEs could <strong>and</strong> would like to<br />
adopt established structures from large companies, <strong>and</strong> which of these structures are qualified to be<br />
taken over w<strong>it</strong>h regard to the IT management function. Because we wanted to collect data on how IT is<br />
managed in SMEs <strong>and</strong> such data was very rare available in l<strong>it</strong>erature be<strong>for</strong>e, we chose the scientific<br />
survey as research method. Our scientific survey has analyzed how SMEs organize their IT <strong>and</strong> what<br />
IT <strong>governance</strong> processes are already deployed. In add<strong>it</strong>ion, we have developed several concepts based<br />
on this scientific survey, which enables one to lead the IT organization of an SME.<br />
Albayrak <strong>and</strong> Gadatsch 381<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
2 ANALYSIS OF IT MANAGEMENT IN GERMAN SMES<br />
The aim of our survey was to investigate how in<strong>for</strong>mation management <strong>for</strong> SMEs is organised, <strong>and</strong><br />
how senior management executes the management function of IT. We have also examined how far<br />
SMEs (w<strong>it</strong>h regard to the IT management function) have already adopted structures of large<br />
companies, or if they are able or willing to do so. Moreover, we have questioned the popular<strong>it</strong>y <strong>and</strong>/or<br />
implementation of reference <strong>model</strong>s <strong>for</strong> IT <strong>governance</strong>. Finally, we have analyzed how IT projects are<br />
h<strong>and</strong>led <strong>and</strong> which issues of IT are currently discussed, in order to get an overall impression of the<br />
health of an IT organization.<br />
W<strong>it</strong>hin the study we have used the defin<strong>it</strong>ion of SME of the Inst<strong>it</strong>ut für M<strong>it</strong>telst<strong>and</strong>s<strong>for</strong>schung (IfM),<br />
where an SME must meet the following two requirements: (1) <strong>it</strong>s number of employees must be less<br />
than 500 <strong>and</strong> (2) <strong>it</strong>s annual turnover must not exceed 50 million Euros (Günterberg <strong>and</strong> Wolter, 2003).<br />
The European Union (EU, 2003) also defines SMEs on the number of employees <strong>and</strong> the annual<br />
turnover of the company, but differs in the numbers (“Companies, which employ fewer than 250<br />
persons <strong>and</strong> which e<strong>it</strong>her achieve an annual turnover not exceeding 50 million Euros, or whose<br />
balance sheet total is not exceeding EUR 43 million”).<br />
2.1 Questions <strong>and</strong> approach<br />
The questionnaire of our online scientific survey is divided into questions<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Of the organization of IT,<br />
Of the degree of IT outsourcing,<br />
Of the perception of IT in the company,<br />
Of the use of st<strong>and</strong>ard <strong>model</strong>s <strong>for</strong> IT <strong>governance</strong>,<br />
Concerning IT projects,<br />
Concerning current IT topics, <strong>and</strong><br />
On statistical in<strong>for</strong>mation such as industry, company size, IT budget, number of IT staff <strong>and</strong><br />
number of deployed desktop systems (PCs <strong>and</strong> notebooks).<br />
For obtaining company in<strong>for</strong>mation we used a database of a service provider <strong>and</strong> filtered from this<br />
database those companies that meet the cr<strong>it</strong>eria described above. As approximately 220,000 companies<br />
in Germany f<strong>it</strong> the cr<strong>it</strong>eria, we selected 1562 representative companies r<strong>and</strong>omly, which comply w<strong>it</strong>h<br />
the defined clusters consisting of the number of employees <strong>and</strong> annual sales. These selected<br />
companies were asked to take part in the survey between May 2011 <strong>and</strong> September 2011.<br />
2.2 Results of the survey<br />
38 of the companies surveyed answered the questionnaire, whereas only 36 could be considered due to<br />
the companies’ sizes (equivalent to 2.3% of the companies surveyed). Given that the survey was<br />
directed towards management, <strong>for</strong> the most part managing directors, managing partners, assistants of<br />
the executive board or IT managers replied. The companies have on average 104 employees <strong>and</strong> 7 fulltime<br />
equivalent employees who are exclusively engaged in IT. The annual turnover of the companies<br />
surveyed is between 120,000 € <strong>and</strong> 50 million €, w<strong>it</strong>h IT costs lying between 4,000 € <strong>and</strong> 480,000 €<br />
annually. Interesting is also how many companies were not able to provide statistical in<strong>for</strong>mation:<br />
while all companies knew how many desktop systems existed, 49% of respondents could not designate<br />
the total amount of IT costs <strong>and</strong> 69% could not provide the total costs of IT operations. Table 1<br />
summarizes the statistics:<br />
Minimum of<br />
all mentions<br />
Maximum of<br />
all mentions<br />
Median<br />
Missing<br />
data<br />
Albayrak <strong>and</strong> Gadatsch 382<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
Table 1.<br />
Annual turnover 120,000 € 50 Mio. € 6.5 Mio. € 29%<br />
Desktop systems incl. notebooks 5 300 30 0%<br />
IT costs 4,000 € 480,000 € 63,000 € 49%<br />
Costs of IT operations 4,000 € 100,000 € 15,000 € 69%<br />
Statistical in<strong>for</strong>mation of the companies surveyed.<br />
84% of the companies have a manager who is responsible <strong>for</strong> IT. He or she usually belongs to the first<br />
(32%) or second (52%) management level. The manager who is responsible <strong>for</strong> IT is mostly called IT<br />
Manager, Head of IT, Director of IT, or Chief of IT. In few companies (16%), no manager is<br />
responsible <strong>for</strong> IT; interestingly, this s<strong>it</strong>uation is often (75%) not seen as a s<strong>it</strong>uation that needs to be<br />
changed. 36% of the companies indicated that basically everyone h<strong>and</strong>les several tasks <strong>and</strong> that there<br />
does not exist a division of the IT tasks. IT services are provided mostly w<strong>it</strong>hin the company but a<br />
third of the companies surveyed consider allocating IT to external providers (IT outsourcing). While<br />
IT development is often fully or partially outsourced (68%), desktop support is at 49% fully or<br />
partially outsourced, <strong>and</strong> data centre operations are only outsourced at 30%.<br />
Table 2 shows how IT is perceived in companies. It conveys that IT is usually perceived to create a<br />
benef<strong>it</strong> in relation to <strong>it</strong>s costs; only few companies (11%) regard IT as pure cost.<br />
IT is only seen as a cost factor, the concrete benef<strong>it</strong> is unclear<br />
IT supports the workflow, but nevertheless IT is too expensive<br />
11%<br />
8%<br />
IT is of much use, but IT costs are in fact too high 42%<br />
Figure 2.<br />
IT brings up more benef<strong>it</strong>s than <strong>it</strong> costs 24%<br />
IT enables the company to offer products <strong>and</strong> services, which would be<br />
impossible w<strong>it</strong>hout IT; IT benef<strong>it</strong>s outweigh the IT costs<br />
Perception of IT in <strong>enterprises</strong> (multiple answers possible).<br />
IT projects or projects related to IT are planned in 91% of the companies. In 60% of the companies<br />
there is a wr<strong>it</strong>ten project proposal, in 66% a detailed project plan, <strong>and</strong> 44% of them conduct projects<br />
according to a specific process <strong>model</strong>. However many instruments such as wr<strong>it</strong>ten project proposals<br />
(40%), risk analysis (71%) <strong>and</strong> change-request processes (77%) are mostly not used.<br />
St<strong>and</strong>ard <strong>model</strong>s <strong>for</strong> IT <strong>governance</strong> are only employed in 20% of the companies. The IT <strong>governance</strong><br />
framework CobiT is merely known to 30%, while <strong>it</strong> is used partially in just 6% of the companies.<br />
Concerning IT service management, the framework ITIL is known to 37% <strong>and</strong> is partially deployed in<br />
8% of the companies. None of the companies uses CobiT or ITIL completely, which could be<br />
expected in view of the complex<strong>it</strong>y of these <strong>model</strong>s <strong>for</strong> SMEs.<br />
Current IT topics of SMEs are business cases of IT projects (53%), IT reorganization (40%), use of<br />
social media in the enterprise (36%), IT-outsourcing (33%) <strong>and</strong> the use of cloud computing (27%)<br />
(multiple answers possible). In contrast, IT issues such as mergers & acquis<strong>it</strong>ions (67%) <strong>and</strong> IT<br />
<strong>governance</strong> (62%) play l<strong>it</strong>tle or even no role (also multiple answers possible).<br />
42%<br />
3 CORE ELEMENTS OF AN SME IT GOVERNANCE MODEL<br />
Overall, the study shows that in particular the transparency of IT is not often given. Consequently, the<br />
control function in the IT <strong>and</strong> can not be per<strong>for</strong>med adequately. In this section we there<strong>for</strong>e introduce<br />
Albayrak <strong>and</strong> Gadatsch 383<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
a control organization <strong>and</strong> a per<strong>for</strong>mance measurement system (section 3.3). To improve the structure<br />
of the IT project management, we introduce in section 3.4 a <strong>model</strong> that can support the basic project<br />
structure.<br />
The experience from the above empirical research has shown that the core elements of an IT<br />
<strong>governance</strong> <strong>model</strong> <strong>for</strong> SMEs largely meet those of large companies, though their contents have to be<br />
designed much leaner <strong>and</strong> the tools <strong>for</strong> the main functions have to be reduced. An IT <strong>governance</strong><br />
<strong>model</strong> <strong>for</strong> SMEs there<strong>for</strong>e contains at least the following basic elements:<br />
• Control of the IT organization,<br />
• IT strategy <strong>and</strong> IT planning,<br />
• IT per<strong>for</strong>mance measurement system, <strong>and</strong><br />
• St<strong>and</strong>ards <strong>for</strong> IT projects.<br />
For example, the <strong>model</strong> of (Albayrak et al., 2009), which describes an IT per<strong>for</strong>mance measurement<br />
<strong>model</strong> <strong>for</strong> SMEs, can be considered as one of many steps. Here, we define IT per<strong>for</strong>mance<br />
measurement according to (Becker <strong>and</strong> Winkelmann, 2004) as purchasing, preparing <strong>and</strong> analysing<br />
data to prepare target-oriented decisions <strong>for</strong> purchase <strong>and</strong> to realise <strong>and</strong> run hardware <strong>and</strong> software.<br />
Schauer enumerates strategic tasks of IT per<strong>for</strong>mance measurement: fixing IT strategy, IT budgeting,<br />
managing IT portfolio <strong>and</strong> measuring benef<strong>it</strong>s (Schauer 2006). However, especially rapidly grown<br />
companies often hes<strong>it</strong>ate to make changes in their IT division. We suspect that many possibil<strong>it</strong>ies of<br />
improvement in IT only extend to the technical area <strong>and</strong> that other changes in the organization are not<br />
even known to <strong>it</strong>s leadership.<br />
3.1 IT control organization<br />
The IT control organization accompanies the implementation of a company’s IT strategy w<strong>it</strong>h regard<br />
to the realisation of appropriate IT equipment (hardware, software, services). In large companies,<br />
dem<strong>and</strong>-supply-organizations are common to per<strong>for</strong>m this task (see above). They separate the roles of<br />
IT <strong>governance</strong> <strong>and</strong> IT service provision. The Chief In<strong>for</strong>mation Officer or, respectively, the Head of<br />
In<strong>for</strong>mation Management is responsible <strong>for</strong> IT <strong>governance</strong>. The IT service provider can be an internal<br />
department, a company belonging to the corporate group or an external service provider. Such<br />
solutions are not practical <strong>for</strong> SMEs due to the considerably less available staffing level. Because of<br />
this, the roles of the IT control organization are not very differentiated <strong>and</strong> cannot be transferred to<br />
different people. Often IT managers in SMEs also deal w<strong>it</strong>h operational tasks, in add<strong>it</strong>ion to the<br />
strategic tasks. They often have an enormous detailed technical knowledge. For these reasons, we<br />
propose a simplified control <strong>model</strong> (see Figure 3), which certainly holds the management more to<br />
account in order to ensure the strategic secur<strong>it</strong>y of any measures.<br />
Figure 3.<br />
IT control organization.<br />
Albayrak <strong>and</strong> Gadatsch 384<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
W<strong>it</strong>hin this framework of control, management is responsible <strong>for</strong> basic questions about the use of IT<br />
<strong>and</strong> delegates the management of IT projects <strong>and</strong> the responsibil<strong>it</strong>y <strong>for</strong> IT operations to the IT<br />
department or the IT managers. The functional departments address requirements to the IT department<br />
<strong>and</strong> use their services. A cost <strong>and</strong> service allocation of IT services is indeed conceivable in larger<br />
SMEs but is not always necessary.<br />
3.2 IT strategy <strong>and</strong> planning<br />
The IT strategy <strong>and</strong> planning of an SME describes the desired target state of the company w<strong>it</strong>h regard<br />
to <strong>it</strong>s IT equipment. To do this, the need <strong>for</strong> action <strong>for</strong> realization, i.e., a description of the actual IT<br />
s<strong>it</strong>uation <strong>and</strong> the IT weaknesses, has to be displayed. The result of the IT strategy is an action plan<br />
listing the responsibil<strong>it</strong>ies of the IT department <strong>and</strong> specifying dates of completion <strong>for</strong> the involved<br />
functional departments. The IT strategy should include the following topics:<br />
<br />
<br />
<br />
<br />
Hardware (What kind of hardware will be used in future, <strong>and</strong> <strong>for</strong> which tasks? Is the hardware<br />
purchased, are there rental agreements, or is there a total or partial outsourcing? Which<br />
external companies take care of the hardware? What emergency concepts exist?)<br />
Software (What kind of software will be used in the future, <strong>and</strong> <strong>for</strong> which tasks? Who in the<br />
IT department looks after the software, or which external service provider does so? What<br />
software is being developed in-house or by external service providers? Which st<strong>and</strong>ard<br />
software is used?)<br />
Services (What services does the IT department provide? For example, advice, operation of<br />
applications, or management of IT users?)<br />
Processes (How are projects implemented? How are work processes documented?)<br />
Table 2 summarizes the issues together w<strong>it</strong>h related instruments <strong>for</strong> implementation.<br />
No. Issues Instruments<br />
1 Hardware<br />
IT infrastructure planning<br />
IT st<strong>and</strong>ards<br />
2 Software<br />
Application area <strong>for</strong> individual/st<strong>and</strong>ard software<br />
IT development planning<br />
IT st<strong>and</strong>ards <strong>for</strong> proprietary development<br />
3 Services<br />
IT service<br />
Management of IT service providers<br />
4 Processes<br />
Table 2.<br />
Process <strong>model</strong>s / documentation<br />
Project management / project <strong>governance</strong><br />
Thematic areas <strong>and</strong> instruments of IT strategy.<br />
Planning of hardware <strong>and</strong> data centre<br />
St<strong>and</strong>ards <strong>for</strong> desktop systems<br />
Usage strategy <strong>for</strong> software<br />
IT arch<strong>it</strong>ecture<br />
IT service catalogue w<strong>it</strong>h service level agreements<br />
IT service guidelines<br />
Software “ARIS Business Arch<strong>it</strong>ect”<br />
IT project office<br />
Project guidelines manual<br />
Each of the areas mentioned above can be secured by a balance of arguments, which has to be<br />
coordinated w<strong>it</strong>h the company’s functional departments. An example of a balance of arguments on the<br />
subject of outsourcing a data centre is shown in Table 3.<br />
Albayrak <strong>and</strong> Gadatsch 385<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
Outsourcing<br />
Table 3.<br />
Aspects Pros Cons<br />
Placing of the hardware in a<br />
secured data centre<br />
High safety <strong>and</strong> fire safety<br />
st<strong>and</strong>ards <strong>for</strong> the IT<br />
St<strong>and</strong>by 7x24<br />
IT strategy <strong>and</strong> balance of arguments.<br />
Maintenance of hardware by<br />
external service providers<br />
Personnel resources can be used<br />
<strong>for</strong> services <strong>and</strong> projects<br />
Higher operating costs <strong>for</strong><br />
external support <strong>and</strong> data lines<br />
Dependence from external<br />
service providers<br />
Extensive communication ef<strong>for</strong>t<br />
is necessary<br />
No direct access to any<br />
hardware or data<br />
The operational strategy <strong>for</strong> software can be displayed using a simple portfolio which differentiates<br />
process types (core processes, management processes <strong>and</strong> support processes) <strong>and</strong> types of software<br />
(software, software). Different strategies can be set depending on the quadrant. In the example of<br />
Figure 4, customized software is used <strong>for</strong> core processes because then compet<strong>it</strong>ive advantages can be<br />
generated. However, support processes are supposed to be supported by st<strong>and</strong>ard software only. In the<br />
area of management processes, a mix strategy is recommended that takes not only st<strong>and</strong>ard software<br />
but also individually developed software into account.<br />
Figure 4.<br />
IT strategy / application strategy <strong>for</strong> software.<br />
Ideally, the strategy is complemented by an IT development plan (see Figure 5). W<strong>it</strong>h this instrument,<br />
the applications used by the company <strong>and</strong> the processes supported by the applications can be<br />
demonstrated graphically, so that the planning can be visualized <strong>and</strong> documented. This tool <strong>for</strong><br />
displaying the actual s<strong>it</strong>uation as well as possible planning scenarios is particularly convenient in<br />
conversations between IT management, functional departments <strong>and</strong> top management. Its<br />
implementation is feasible using graphics tools of common office software packages <strong>and</strong> thus does not<br />
require add<strong>it</strong>ional ef<strong>for</strong>t.<br />
Albayrak <strong>and</strong> Gadatsch 386<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
Figure 5.<br />
IT development plan.<br />
3.3 Key per<strong>for</strong>mance indicator system<br />
The usual key per<strong>for</strong>mance indicator (KPI) systems based on business intelligence applications are<br />
often only partially su<strong>it</strong>able <strong>for</strong> SMEs. There<strong>for</strong>e, the IT scorecard (Kaplan <strong>and</strong> Norton 2001) has<br />
become established <strong>for</strong> the operational control of the IT strategy. It combines goals, key figures, target<br />
values <strong>and</strong> measures to ensure the implementation as a whole. Although larger companies typically<br />
use the IT scorecard, <strong>it</strong> is also well su<strong>it</strong>ed <strong>for</strong> IT <strong>governance</strong> in <strong>small</strong>er companies, in combination<br />
w<strong>it</strong>h a budget <strong>and</strong> measure overview (Bernroider et al. 2003), (Martinsons et al. 1999), (Müller et al.<br />
2002). The selection of goals, key figures <strong>and</strong> other elements is carried out on a company-specific<br />
basis, but <strong>it</strong> should also comprise the classical viewpoint of “internal IT clients”, IT processes, IT<br />
employees <strong>and</strong> IT costs. Every measurement of the IT scorecard has to be planned <strong>and</strong> constantly<br />
mon<strong>it</strong>ored w<strong>it</strong>hin the framework of budgeting. This requires a planning of measures w<strong>it</strong>hin the IT<br />
budget, as is illustrated in Figure 6.<br />
Figure 6.<br />
Planning of measures w<strong>it</strong>hin the IT budget.<br />
3.4 IT project structures<br />
Even in <strong>medium</strong>-<strong>sized</strong> companies <strong>it</strong> is necessary to implement a procedural <strong>model</strong> that can be based<br />
on fundamental project structures instead of making ad-hoc procedures. The management is generally<br />
the highest authorization instance <strong>for</strong> projects <strong>and</strong> generally conducts prior<strong>it</strong>ization in case of conflicts<br />
over resources or the like (cf. Figure 7). Project proposals are the starting point <strong>for</strong> appropriate<br />
Albayrak <strong>and</strong> Gadatsch 387<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
decisions. In add<strong>it</strong>ion, the management is responsible <strong>for</strong> the strategic <strong>governance</strong> of the project <strong>and</strong><br />
<strong>for</strong> making specific decisions in case of conflicts.<br />
Depending on the size of the company, there should be a project office set up w<strong>it</strong>hin the existing IT<br />
environment, which is responsible <strong>for</strong> ongoing project authorizations, project <strong>governance</strong> <strong>and</strong> control<br />
of <strong>small</strong>er project proposals, <strong>and</strong> <strong>for</strong> the transaction of the operational project portfolio management.<br />
Further tasks of the project office should be the evaluation of subm<strong>it</strong>ted project proposals, crossproject<br />
coordination, continuous mon<strong>it</strong>oring of <strong>and</strong> reporting on the project status <strong>and</strong> providing these<br />
reports to the upper management <strong>and</strong>, if required, the compos<strong>it</strong>ion of project teams <strong>for</strong> new projects.<br />
The project team is the operative working instance that operates the actual project <strong>and</strong> regularly<br />
reports to the project office (e.g., project progress, special issues, problems <strong>and</strong> conflicts, urgent<br />
decision needs). As in large companies, IT projects in SMEs have to be well structured. This includes<br />
the designation of the project leader <strong>and</strong> his or her allocated internal <strong>and</strong> external staff. The leader of<br />
the project is mainly responsible <strong>for</strong> the <strong>governance</strong> <strong>and</strong> the compliance w<strong>it</strong>h the project goals, to keep<br />
to restrictions (dates <strong>and</strong> schedules, costs, personnel <strong>and</strong> material resources), as well as <strong>for</strong> st<strong>and</strong>ards<br />
<strong>and</strong> guidelines plus reporting.<br />
Figure 7.<br />
Structures of IT projects.<br />
Of central importance is the use of a procedural <strong>model</strong> <strong>for</strong> the implementation of projects. As shown in<br />
Figure 8, such a <strong>model</strong> comprises different phases, each of which can be executed several times if<br />
required. Loop backs to prior phases are also usual. In the context of specifications, a description of<br />
the project idea together w<strong>it</strong>h the functional <strong>and</strong> technical requirements (including the first cost <strong>and</strong><br />
benef<strong>it</strong> estimations) is given. The requirements specification determines the intended implementation,<br />
including the selection of st<strong>and</strong>ard software. It also includes in<strong>for</strong>mation on project planning, so that<br />
all estimations in reference to ef<strong>for</strong>t, time, resources <strong>and</strong> benef<strong>it</strong>s are integrated as accurately as<br />
possible.<br />
Albayrak <strong>and</strong> Gadatsch 388<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
Figure 8.<br />
Procedural <strong>model</strong> <strong>for</strong> IT projects.<br />
After the completion of the concepts, the realization can be started. The focus here is on the<br />
development <strong>and</strong> the programming of the planned solution, on the purchase <strong>and</strong> the customizing of<br />
st<strong>and</strong>ard software, <strong>and</strong> on developer tests carried out by software engineers. Hereafter, the actual<br />
testing <strong>and</strong> approval follow; this includes specialized individual tests that are generally realized by a<br />
special business un<strong>it</strong>, the rectification that is done by the developers, a technical approval conducted<br />
by the IT leader <strong>and</strong>, finally, the acceptance of the software after an integration test by the functional<br />
department. Be<strong>for</strong>e the project is finished, a production takeover is required. This phase includes the<br />
actualization, the collection of data (e.g., master data, tables), the data transfer from the legacy system,<br />
the individual customizing of the system, the preparation <strong>for</strong> the productive usage (backups of older<br />
<strong>and</strong> current data) <strong>and</strong> the production release (IT leading). After all these preparatory steps, the system<br />
is ready <strong>for</strong> live operation. During the use of the system, simultaneous projects are carried out w<strong>it</strong>h the<br />
aim of further development <strong>and</strong> maintenance of the software.<br />
4 CONCLUSIONS AND FUTURE WORK<br />
This paper examined how SMEs can adopt familiar corporate IT <strong>governance</strong> structures of large<br />
companies. Compared to large companies <strong>and</strong> due to the well-known characteristics of SMEs, much<br />
more attention has to be paid to which advantages <strong>and</strong> disadvantages can occur. Our results show that<br />
SME-specific <strong>model</strong>s still need to be developed. In our opinion, the main focus lies on the<br />
establishment of an IT steering organization, the development of an IT strategy <strong>and</strong> IT planning, <strong>and</strong><br />
the integration of an IT KPI system <strong>and</strong> IT project structures. Although concepts developed by larger<br />
organizations cover also a wide range of specific SME activ<strong>it</strong>ies, they are often too complicated <strong>and</strong><br />
utterly impracticable <strong>for</strong> SMEs. The concepts of IT <strong>governance</strong> structures <strong>for</strong> SMEs introduced here<br />
are intended to help in<strong>it</strong>iating discussion about the topic.<br />
Regarding future research, we propose to look more closely at the following issues:<br />
1. Which kinds of precond<strong>it</strong>ions must a company fulfil to be able to successfully adopt <strong>and</strong><br />
implement our proposed IT <strong>governance</strong> <strong>model</strong>?<br />
Albayrak <strong>and</strong> Gadatsch 389<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>
European, Med<strong>it</strong>erranean & Middle Eastern Conference on In<strong>for</strong>mation Systems 2012 (EMCIS2012)<br />
June 7-8, Munich, Germany<br />
2. Which advantages <strong>and</strong> disadvantages may implementing our IT <strong>governance</strong> <strong>model</strong> bring<br />
about? Is there a compet<strong>it</strong>ive advantage?<br />
3. Which correlations exist between the depth of IT production <strong>and</strong> the benef<strong>it</strong> of introducing the<br />
corporate <strong>governance</strong> <strong>model</strong>?<br />
It is also planned to implement the <strong>model</strong> described here in selected SMEs in order to demonstrate<br />
in practice the basic abil<strong>it</strong>y of implementation <strong>and</strong> moreover the effectiveness of our <strong>model</strong><br />
References<br />
Albayrak CA., Gadatsch A <strong>and</strong> Olufs D. 2009. ‘Life Cycle Model <strong>for</strong> IT Per<strong>for</strong>mance Measurement –<br />
A Reference Model <strong>for</strong> Small <strong>and</strong> Medium Enterprises (SME)’. In: Dhillon G, Bernd Carsten<br />
Stahl BC <strong>and</strong> Baskerville R (Eds.). ‘In<strong>for</strong>mation Systems – Creativ<strong>it</strong>y <strong>and</strong> Innovation in<br />
Small <strong>and</strong> Medium-Sized Enterprises, Proceedings of IFIP WG 8.2 International Conference,<br />
CreativeSME’: 180-191.<br />
Becker J <strong>and</strong> Winkelmann A. 2004. ‘IV-Per<strong>for</strong>mance measurement’. Wirtschaftsin<strong>for</strong>matik, 46 (3):<br />
213-221.<br />
Bernroider EWN, Hampel A <strong>and</strong> Sumper AF. 2003. ‘An Application of the Balanced Scorecard as a<br />
Strategic IT-Per<strong>for</strong>mance Measurement Instrument <strong>for</strong> E-Business Development’. The Third<br />
International Conference on Electronic Business - Business Paradigms: Strategic<br />
Trans<strong>for</strong>mation <strong>and</strong> Partnership.<br />
CobiT. 2008 CobiT 4.1 Excerpt, IT Governance Inst<strong>it</strong>ute. http://www.isaca.org/.<br />
Elia E, Lefebvre LA <strong>and</strong> Lefebvre E. 2007. ‘Focus of B-to-B E-Commerce In<strong>it</strong>iatives <strong>and</strong> Related<br />
Benef<strong>it</strong>s in Manufacturing Small- <strong>and</strong> Medium-<strong>sized</strong> Enterprises’. In<strong>for</strong>mation Systems <strong>and</strong><br />
E-Business Management, volume 5, number 1: 1-23.<br />
van Grembergen W, de Habs S, Guldentops E. 2004. ‘Structures, Processes <strong>and</strong> Relational<br />
Mechanisms <strong>for</strong> IT Governance’. In: van Grembergen W (Ed.). ‘Strategies <strong>for</strong> In<strong>for</strong>mation<br />
Technology Governance. Idea Group’: 1-36.<br />
IT Governace Inst<strong>it</strong>ute. 2008. http://www.<strong>it</strong>gi.com.<br />
Johnston DA <strong>and</strong> Wright L. 2004. ‘The E-Business Capabil<strong>it</strong>y of Small <strong>and</strong> Medium Sized Firms in<br />
International Supply Chains’. In<strong>for</strong>mation Systems <strong>and</strong> E-Business Management, volume 2,<br />
numbers 2-3: 223-240.<br />
Kaplan RS, Norton PN. 2001. ‘Strategy Maps: Converting Intangible Assets into Tangible Outcomes’.<br />
Martinsons M, Davison R <strong>and</strong> Tse D. 1999. ‘The Balanced sScorecard: A Foundation <strong>for</strong> the Strategic<br />
Management of In<strong>for</strong>mation Systems’. Decision Support Systems, 25 (1): 71-88.<br />
Müller A <strong>and</strong> v. Thienen, L. 2002. ‘E-Business-Controlling m<strong>it</strong> der Balanced Scorecard’. In: Blomer<br />
R <strong>and</strong> Bernhard M (Eds). ‘Balanced Scorecard in der IT, Praxisbeispiele - Methoden –<br />
Umsetzung’: 183-209.<br />
Schauer H. 2006. ‘Vergleichende Buchbesprechung IT-Controlling’. In: Wirtschafsin<strong>for</strong>matik, 48 (3):<br />
212-218.<br />
Weill P <strong>and</strong> Ross JW. 2004. ‘IT Governance on One Page’. Center <strong>for</strong> In<strong>for</strong>mation Systems Research<br />
Working Paper No. 349, MIT Sloan School of Management.<br />
Albayrak <strong>and</strong> Gadatsch 390<br />
IT <strong>governance</strong> <strong>model</strong> <strong>for</strong> <strong>small</strong> <strong>and</strong> <strong>medium</strong>-<strong>sized</strong> <strong>enterprises</strong>