Implementation of information technology (IT) governance through IT strategic planning

Information technology (IT) governance is identified as an organizational skill of great importance to the strategic alignment and delivery of value through information technology (IT). Implementing IT governance, however, is a challenge to organizations. This paper aims to demonstrate the application of a method of information technology strategic planning (ITSP) for implementation of IT governance. This method has been developed considering the contributions of ITSP methods and guidelines for implementation of IT governance, both available in existing literature. The proposed method was then applied to twenty Brazilian organizations from different sectors. The application results indicate that IT strategic planning is adequate for implementation of IT governance, creating a structured approach of implementation and emphasizing the IT strategic alignment.


INTRODUCTION
Information technology governance, essentially defined in literature as specification of decision-making structures, processes and relational mechanisms for direction and control of IT operations, is identified as an organizational skill of great importance to strategic alignment, value delivery, risk management and IT resource (Sambamurthy and Zmud, 1999;Weill and Ross, 2004;Van Grembergen and De Haes, 2007).
Since the dawn of the theme of IT governance in the 1990s, studies have reported the benefits of proper IT governance in organizations.Although the available studies are not conclusive, they provide important evidences about the relevance of IT governance to organizational performance.A good IT governance, as stressed by Weill and Ross (2004) and Broadbent and Kitzis (2005), is important to develop: (1) trust and transparency among the stakeholders, (2) a better way to deliver results through IT projects and, (3) desirable *Corresponding author.E-mail: bermejo@dcc.ufla.br.Tel: +55 (35) 3829-1545.
behavior in using IT in alignment with organizational priorities and organizational strategies.Weill and Ross (2004) and Lunardi et al. (2009) further complement that IT governance is the most important foundation for the generation of value to the organization through information technology.Weill and Ross (2004), in a survey with 250 organizations around the world, found out that companies with superior IT governance have profits at least 20% higher than those with poor governance, considering the same strategic objectives.Lunardi et al. (2009), analyzing the Brazilian context, found that organizations with developed IT governance have significantly improved organizational performance, especially with regard to measurements of profitability such as returns on assets and profit margin.
Despite evidences showing the relevant role of IT governance in organizations, implementing it in the proper way is a great challenge.In this sense, enhanced knowledge about ways to implement IT governance turns out to be of great importance to practitioners and researchers (Bermejo and Tonelli 2011).
Several studies have reported the challenges and factors that influence the implementation of IT governance in organizations.The need of interaction and mutual understanding between IT and business areas to ensure strategic alignment (Henderson and Venkatraman, 1993;Weill and Ross, 2004;ITGI, 2007a,b;Van Grenbergen and De Haes, 2007), profiles of business strategies (ITGI, 2007a;Van Grembergen and De Haes, 2007), influence of a wide range of contingencies (Ahituv and Zviran, 1989;Tavakolian, 1989;Clark, 1992;Brown and Magill, 1994;ITGI, 2007a,b;Van Grembergen and De Haes, 2007;Anand, 2006) and the need of construction of a continuous, adaptive and interactive process for IT governance (Van Grembergen and De Haes, 2007) are among the main issues covered in literature.
In order to overcome this challenge, different studies have been developed proposing tools to aid in the development of IT governance in IT organizations.These tools are defined by their creators as: frameworks (Sambamurthy and Zmud, 1999;Weill and Ross, 2004;ITGI, 2007a;Van Grembergen and De Haes, 2009), set or model of best practices of generic domain (OGC, 2002a;PMI, 2004), standard (ISO, 2008), methodology (OGC, 2002a, b) and system (Kaplan and Norton, 1997).Among the available tools, are highlighted the frameworks for specification of decision-making rights on IT, proposed by Sambamurthy and Zmud (1999) and Weill and Ross (2004), guidelines for implementation proposed by Van Grembergen and De Haes (2009) and control frameworks for IT processes, such as Cobit, RiskIT and ValIT (ITGI, 2007a, b).
In addition to the frameworks, stand out: (1) sets and models of best practices targeted to specific points, such as IT service management in Information Technology Infrastructure Library (ITIL) (OGC, 2002a) and project management in the Project Management Body of Knowledge (PMBOK) (PMI, 2004) (ISO 2008) and; (3) balanced scorecard, originally designed for managing organizational performance (Kaplan and Norton, 1997) and adapted to the context of IT governance, as proposed by (Van Grambergen and De Haes, 2005).
The exception of Cobit, sorted by ITGI (2007a) as a complete framework for IT governance, and ISO/IEC 38500, designed specifically to address this issue; the other tools are in specific issues of IT governance, covering it incompletely.Additionally, the available tools have missing details with structured and comprehensive guidance for being generic and having general purpose.
Therefore, this paper aims to propose and implement a method of IT strategic planning (ITSP) for development of IT governance in Brazilian organizations.
ITSP is identified in literature as a key factor in IT integration and alignment to the organization and to the business, to increase competitive advantages, aiming to provide direction, concentration of efforts, constancy of purpose and flexibility, also a continuing strength of the business to improve the strategic position (Boar, 1994;Newkirk et al., 2003;Lee and Bai, 2003).Moreover, the ITSP theory addresses essential components to the development of IT governance such as strategic alignment.Among the seven components of the ITSP theory proposed by Lederer and Salmela (1996), one can identify the three components as being directly relevant to the implementation of IT governance: (1) consideration to the internal environment of the organization, (2) analysis of the internal environment and; (3) alignment of the business plan with the IT plan.
The proposed method was then applied to twenty Brazilian organizations from different sectors.Results show that the implementation of the ITSP in the development of IT governance helps to: (1) facilitate IT governance implementation in a structured way, (2) emphasize strategic alignment and consideration to organizational characteristics; (3) implement IT governance to meet the needs of medium and long terms of organization, (4) implement IT governance in a systematic, continuous and iterative way.
This article is organized as follows; methodology used at work; description of the proposed method for implementation of IT governance through strategic planning; description and discussion of the results obtained with the empirical validation of the method; conclusions; contributions and proposals for future papers.

METHODOLOGY
This paper is based on the research on the implementation of IT strategic planning for deployment of IT governance.
Initially a theoretical proposition was sought based on existing theories and documentation.After that, a method of IT strategic planning for implementation of the IT governance was designed.In designing the method, the following references were considered: 1. ITSP precursor methods developed before the 1990s: Business Systems Planning (IBM, 1975), Critical success factors, Rockart (1979), Information engineering, (Martin, 1982), Value chain analysis, (Porter, 1984) 2. ITSP recent methods developed from the 1990s: the method proposed by Bernard Boar (Boar, 1994), the method proposed by Mark Lutchen (Lutchen, 2004), and the Praxis and method (Amaral and Varajão, 2007).3. Guidelines for development of IT governance, including: components of IT governance (Weill and Ross, 2004;Peterson, 2003;Van Grembergen and De Haes, 2007), hands on approach  (Peterson, 2003;Weill and Ross, 2004;ITGI, 2007b;Van Grembergen and De Haes, 2007;2009).
After being developed, the method was applied in twenty Brazilian organizations for implementation of IT governance.The application was carried out by twenty teams of Master of Business Administration (MBA) students in IT governance at the Universidade Federal de Lavras (UFLA), being led and guided by the authors of this paper.Table 1 lists the organizations covered in the study, given fictitious names and areas of each organization.
Interviews with semi-structured scripts were used to collect data from the organizations studied.The sample used was simple causal (Jung, 2004).The criteria for selection of the sample followed the interest of the organization to provide the necessary conditions for the accomplishment of the case study.More specifically, these criteria contemplated the full implementation of the method and the proposed and direct participation of members of the top board of directors and the average managers of the organization in providing the necessary information to accomplish the ITSP.
Upon analyzing the results, we tried to effectively discuss issues related to the inclusion and application of strategic planning of information technology in the implementation of IT governance.

Proposal of method for implementation of IT governance through the ITSP
The proposed approach consists of five phases, as illustrated in Figure 1: (1) alignment of IT with the business, (2) assessment of performance and capacity, (3) IT strategic planning, (4) IT tactical planning and (5) socialization and closing.These phases are subdivided into a set of steps and form a set of activities.
Phase 1 -Alignment of IT with business -aims to create the basis for promoting the strategic alignment and IT value delivery by contemplating the understanding of organizational context and definition of IT objectives aligned to objectives of the business, hands on approach as defined by control objectives of information and related technology (Cobit) (ITGI, 2007a), and guidelines (Van Grembergen and De Haes, 2007) for setting goals.
The results of phase 1 are: (1) knowledge of the organizational context and (2) identification of IT objectives aligned to business objectives.These results will guide the activities planned in phase 2 of the method.
Phase 2assessment of performance and capacityis intended to verify the current capacity of the IT organization.To do so, the following activities are run: (1) identification and assessment, the maturity of critical IT processes, with reference to business objectives of IT to be pursued (ITGI, 2007a;Van Grembergen and De Haes, 2007); (2) SWOT Analysis of IT resources, identified as information, people, applications and infrastructure (ITGI, 2007a), and; (3) Survey and analysis of the IT governance arrangement matrix currently practiced according to what was proposed by Sambamurthy and Zmud (1999) and Weill and Ross (2004).
The results of phase 2 are: (1) a set of critical IT processes to be managed and controlled to achieve the goals of IT, (2) current status of critical IT processes to promote achievement of IT objectives, (3) SWOT analysis of IT resources applied to critical processes, and (4) an IT governance arrangement matrix.These results are exposed in the form of gaps between current and desired status, the latter being represented by the business and IT goals.
Phase 3 -IT strategic planningis designed to: (1) provide definition of indicators for measuring the goals reached and the efficiency of critical processes, (2) define strategic actions should cover the elimination or reduce the gaps identified in phase 2, being ultimately aimed at achieving the objectives of phase 1 and; (3) composition of the IT balanced scorecard, as proposed by Kaplan and Norton (1997), Keyes (2005), and Van Grembergen and De Haes (2005,2007), contemplating goals related to their actions and metrics.IT BSC consists of the main result of this phase.
In Phase 4 -IT tactical planningaction plans (tactical plans) are formulated to achieve the IT and business strategies.This plan consists of: (1) strategic projects, (2) strategies for acquisition of IT resources, (3) strategies for human resource training, and (5) strategies for outsourcing IT services.These components of the tactical plan are, finally, prioritized according to the current governance structure.
Finally, phase 5socialization and closingthe results of the planning are validated and disseminated.To this end, the following activities are provided: (1) review and validation of results, according to the current IT governance structure in the organization; (2) dissemination of results in the organization and; (3) obtaining commitment of employees in the activities of project implementation and execution of acquisition strategies, outsourcing and training; (4) commitment of the committees to the continuity, through the exercise of the responsibilities that fit them.
Alongside each planned activity, every lesson learned is documented, filed and available for reference.Such measure is needed so that those involved can take advantage of past experiences and record the experiences to be used in future initiatives to improve IT governance.

RESULTS
The results obtained with the method in this study covering twenty organizations would be discussed.To this end, examples derived from some organizations covered will be used.Additionally, the presentation will be divided considering the partial results obtained by applying each step of the proposed method.

Phase 1: Alignment of IT with the business
The execution of the phase 1 in organizations helped to create the basis for development of the project implementation of IT governance, as well as creating the foundation for IT strategic alignment with the business.
Each organization that has been studied had a separate committee to implement the method.All committees formed were trained and supervised by the authors of the method.
The committees had different compositions.Organizations that operate in information technology relied on the significant presence of project managers, systems analysts and software architects, besides representatives of senior management and support areas (for example, financial and commercial).In other organizations, where IT is not a core business activity, the committees were formed by representatives of the top management, by the IT area leader and representatives of three business strategic areas.
Following the formation of the committee, steps proposed in phase 1 were taken to understand the organization and define business and IT goals.From these steps, the substantiation of the IT strategic alignment of IT with the business was created.
In Alef Laboratory, which primary business strategy is to diversify operations to highly profitable sectors, business goals and IT objectives were defined from their preexisting business plan.These were defined in order to create the basis for strategic alignment of IT with the business.Figure 2 shows the alignment of IT goals to business goals in the Alef Laboratory.

Phase 2: Performance and capacity analysis
From the implementation of phase 2 of the proposed method, the performance and capacity of IT to meet the IT objectives defined in phase one were evaluated, considering the critical IT processes, IT resources and IT governance arrangement matrix.
In Kaf Organization, a company which main strategy is to start operations in a dynamic sector that requires high responsiveness to customer service, critical processes, IT resources and IT governance arrangement matrix have been defined and evaluated.Figure 3 shows a summary of results of evaluation and capacity performance in the Kaf Organization.
In Kaf Organization, starting from the business and IT goals, it was determined trough the use hands-on approach proposed by Cobit (ITGI, 2007a), the critical process "Define processes, organization and relationships".Due to the approach used to define business goals, IT goals and processes, it is possible to establish hierarchical relationships between them.Thus, the critical process defined for the Kaf Organization aims to operationalize the goal of creating IT-related IT agility.
This process aims to structure the IT infrastructure from a framework of processes and responsibilities for various activities in the IT organization.This is expected to achieve greater agility due standardization activities and optimizing the relationship between IT and business, through formalization of clear responsibilities.
Besides the critical process during phase 2, schemes of decision making through the IT governance arrangement matrix and analyzing the IT resources required to deliver IT services to business areas were defined.
Together, the analysis of critical processes, arrangement matrix and IT resources form a set of gaps present between the current status and the future state of IT in the Kaf Organization related to the creation of IT agility in meeting the requirements of the business.Essentially, these gaps are related to the lack of standardization in activities and IT/business relationships, the low decision making power of IT, decentralized information and difficulty of access and IT knowledge deficit in relation to the negotiation processes.

Phase 3: IT strategic planning
During phase three, strategic actions and indicators were set for, respectively, implementation, measurement of performance of IT governance in the organizations studied.
Considering the results previously described in phase 1 and 2 obtained in the Kaf Organization, strategic actions and indicators were set as shown in Figure 4.
In order to meet the gaps identified during phase 2 and achieve the IT objectives defined in phase 1, strategic actions were defined with the purpose of achieving the objectives of IT by improving the relationship with the business and knowledge of IT teams in business processes and to define and disseminate IT processes for delivering services in the business areas.
In order to complement the strategic actions, performance indicators to design to measurement of the achievement of the IT objective and the efficiency of the process defined critical were defined.

Phase 4: Tactical IT planning
The implementation of phase 4 strategic projects was designed to implement the actions defined in the strategic plan for implementation of IT governance (Phase 3).
In Het Organization, the application of the method considered objectives for the medium and long-term expansion of the organization in the international market and to provide orderly growth.These business objectives and critical IT processes were defined in order to outline the actions for implementation of IT governance.In summary, the IT objectives defined for the Het Organization establish the need to organize and standardize processes to support an orderly growth and spread good practices among employees in the area.
Considering the aforementioned demand in terms of objectives and results of evaluation of IT resources, IT governance arrangement matrix and critical processes, a tactical plan was defined, illustrated in Table 2, which includes a horizon of four years, during which the company aims to make the process of international expansion of operations.

Phase 5: Socialization and closing
During the implementation of phase 5 in the organizations studied, workshops were held with the participation of top management for final validation and dissemination of results.In addition, the basis for commitment and accountability were defined for implementation of set tactical plans.Such commitment was aimed to create directions to ensure the proper implementation and monitoring of strategic planning for implementation of IT governance in organizations.
In the Vav Company, the definition of responsibilities and tactical commitment required the involvement of three agents (Figure 5): top management, consisting of five members, the strategic committee, consisted of seven representatives of business areas and a representative of top management teams and project execution.
Figure 5 shows the system of roles and responsibilities and the relationship between the three major agents -top management, IT committee and project teams -involved in implementation of projects defined in the tactical plan for implementation of IT governance.Following this pattern, teams of project implementation report to the committee which then report to the top management.Top management and the committee are responsible for decisions that will direct the work of the agents present at lower levels.Decisions related to budgets, conflict solution in strategic level and validation are concentrated in the top management, while decisions related to plans  1 2 3 4  1 2 3 4 Restructuring department of IT projects -Implementation of the projects office X X X X Creation of the CEO Panel: IT performance management X Restructuring of IT processes and business relationship with the business X X X Creation of CEO support office X Automating the management of IT services X X X X Improvement process of developing and acquiring software X X X Improvement of IT infrastructure: Shared services X X X for project management, allocation of approved resources and conflict resolution in level of project management are responsibility of the committee.
To each one of the agents illustrated in Figure 5 decision rights, and accountability, and responsibilities were defined, as shown in Table 3.

Top management
1. Approval and release of the budget (including resources to projects) for the execution of tactical plan 2. Final decision on priorities in the tactical plan 3. Solution of conflicts among the projects 4. Take note of the results of projects and evaluate the achievement of strategic objectives

Strategic committee
1. Review of project plans before execution 2. Formation of teams for strategic projects 3. Guidance to strategic project teams 4. Monitoring and execution of the tactic plan 5. Elaboration of periodic report about the execution of tactic plan for the top management 6.Validation of supplies of strategic projects.

Project teams
1. Implementation of the project according to the revised plan (prior to its execution) and the committee guidelines 2. Preparation of periodic report on implementation of the project for the committee.

DISCUSSION AND CONCLUSION
The application of the proposed method in twenty organizations found three main contributions related to the use of IT strategic planning for implementation of IT governance: (1) insertion of a structured approach that emphasizes the strategic alignment, (2) possibility of handling the demands of long-term business through IT governance, and (3) creation of foundation for continuous improvement of IT governance in the organization.
The results showed that the application allows the ITSP to implement IT governance in a structured and standardized way.This is a relevant finding due to the lack of structured and comprehensive guidance of available IT governance tool such as Cobit, ITIL, and ISO 38500.The results also showed that the ITSP can contribute to the implementation of the IT governance tools available in the market in a structured manner.Results obtained in Kaf Organization indicate that ITSP can articulate the Cobit components (as business and IT objectives, processes, indicators and IT resources) and decision-making structures in a structured approach (Weill and Ross, 2004;Van Grembergen and De Haes, 2009;Sambamurthy and Zmud, 1999).
Multiple sources consider the emphasis on strategic alignment to be essential for IT governance (Sambamurthy and Zmud, 1999;Weill and Ross, 2004;ITGI, 2007a;ITGI, 2007b;Van Grembergen andDe Bermejo et al. 11187 Haes, 2007, 2009).That emphasis occurs in the way the method forces the study of organizational context and business strategy, being these two factors translated into IT and business goals that will guide the development of IT governance.Results obtained in Alef, Kaf, and Het Vav presented in the results area illustrate this emphasis.
The results of applying the method also showed that the emphasis on alignment is also influenced by a commitment by top management and business units to provide information for the execution of activities foreseen in the method.Such results were more evident in Gimel and Bet companies and Ted Cooperative.Because there are no formal business plans in these organizations, the application of the method counted on the direct involvement of top management in defining business goals, a crucial factor for creating the basis for IT strategic alignment.In other organizations where business plans were formalized, the involvement of senior management and representatives of business areas was also considered essential to: (1) complement strategic information contained in the business plan and validation during phase 1, for example, the IT objectives defined, (2) attainment of the view of IT customers during phase 2 -business unitsrelated to resources used and; (3) during phase 3, specification of strategic actions and indicators aligned to the overall direction of the organization and also considering the specific demands of each sector for resources and information technology services.
Another contribution associated with the use of ITSP for implementation of governance was the focus on the needs of medium and long-term requirements, instead of considering only short-term demands.This contribution is in line with Peterson's (2003) definition of IT governance, contemplating the need for this focus on long-term needs of the organization.In the method, the analysis of organizational strategy and setting business goals synthesizes a vision for medium and long-term organization, which is considered in the development activities of IT governance through the ITSP.Such a feature could be observed when applying the method in Het Organization, whose aim is to expand into the international market, took place in a horizon of four years.
The method's third contribution -creation of foundation for continuous improvement of IT governance in the organization -helped to create the foundation for IT governance to be constantly improved, as emphasized by Van Grembergen andDe Haes (2007) andITGI (2007b).The inclusion of a continuous approach provided greater flexibility for organizations to meet, from the point of view of IT governance, changes in the business environment.In the method, the continuity of the actions of IT governance was provided by the following components: (i) committees to exercise responsibility and decision making, (ii) relational mechanisms for communication between those involved in the actions of IT governance; (iii) monitoring of performance indicators, (iv) awareness workshops held in the socialization phase and closing, and (v) consulting and permanent record keeping of lessons learned.This contribution is justified by the results obtained during Phase 5 in Vav Company, where the scheme to specify the necessary roles and responsibilities for implementing and monitoring the implementation of the ITSP was shown.
The results suggest that the use of ITSP can contribute to the challenge of implementing IT governance in the proper way.Thus, this work contributes to going forward with the knowledge about structured and clearer guidelines for implementing and improving IT governance in organizations.
Based on the method proposed in this paper, practitioners may find references to how to structure and organize, through an ITSP approach, guidelines and activity for implementation of IT governance in the literature.
Nonetheless, this study has some limitations.First, the study is based on qualitative data gathered from a limited number of Brazilian organizations.Although the study indicates the adequacy of ITSP to implement IT governance in the studied organizations, these results do not support generalizations.Therefore, further research could consider organizations of different contexts and countries to verify the adequacy of the proposed method.
Second, this study leaves some questions unanswered.The effect of different compositions of the committee in the implementation of IT governance was not considered in this study.The authors believe that different profiles of committee member could affect directly in the success in the application of the method.Therefore, further research could adopt this perspective to evaluate the applicability of the proposed method.
Another question unanswered by this study is whether the presence of formalized business objectives and strategies impact in the success of the application of the method.Based on this gap, future research could deepen the understanding of the effects of formalized and nonformalized business strategies on the applicability of the proposed method.

Figure 1 .
Figure 1.The proposed approach consisting five phases.

Figure 2 .
Figure 2. Alignment of IT goals to business goals in Alef Laboratory.

Figure 3 .
Figure 3. Summary of results of evaluation and capacity performance in Kaf Organization.

Figure 4 .
Figure 4. Results in phase 1 and 2 obtained in the Kaf Organization, strategic actions and indicators.

Figure 5 .
Figure 5. System of roles and responsibilities and the relationship between the three major agentstop management.

Table 1 .
Organizations investigated in the study.
for alignment and processes for IT governance(ITGI, 2007a,b)and guidelines for implementation of IT governance

Table 2 .
Schedule for implementation of projects in the tactical plan for IT in the Het Organization.

Table specifying
roles and responsibilities for implementing the tactical plan in the Vav Company.