Journal Review : Linking Business Goals to IT Goals and COBIT Processes
Wim Van Grembergen, Steven De Haes and Jan Moons
Information technology has become pervasive in today’s dynamic and often turbulent business environments. While, in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries. In this context, many organizations have started with the implementation of IT governance to achieve the fusion between business and IT and to obtain the needed IT involvement of senior management.1 IT governance can be defined as the leadership and organizational structures and processes that ensure that IT sustains and extends the organization’s strategy and objectives.2 As described in this definition, a crucial element of IT governance is achieving a better link between business and IT, also referred to as strategic alignment. However, this relationship is complex and addresses aligning business goals to IT goals and processes. To gain a more thorough and pragmatic understanding of how business goals drive IT goals in different industries and how the IT goals are supported by IT processes, the IT Governance Institute® (ITGI) assigned a research project to the ITAG Research Institute of the University of Antwerp Management School (www.uams.be/itag). This article summarizes results and conclusions of the first phase of this research. The material will be refined in further research initiatives during 2005. It appears that defining the link between business goals and IT goals was not always an easy exercise for interviewees and that many of the identified goals were very high-level and generic.
To achieve more insight into the complex relationship among business goals, IT goals and IT processes, eight different industries were analyzed: financial, health, government, retail, pharmaceutical, utilities, IT services and consulting, and transportation. Within each industry, interviews were conducted with an IT manager, a business manager and a senior consultant/expert of the sector. During these interviews, questionnaires were used to identify the most important business goals and the IT goals contributing to those goals. In addition, COBIT processes were identified that support the achievement of the reported IT goals. These relationships were summarized for each industry in two matrices and supplemented with background information on the major characteristics, value drivers and risk drivers of the industry under review.
The reported results regarding the characteristics and the value and risk drivers are a synthesis of the answers of the interviewees and, consequently, their perception. The IT goals/business goals matrices are based on the information collected during the interviews. Whenever IT and/or business goals were similar, they are labelled by one unique term. The IT goals/COBIT matrices are based on the input of the interviewed consultants and, when necessary, are complemented by the researchers. For reasons of conciseness and manageability, the list of COBIT processes is reduced to the 15 most important COBIT processes as selected in 2001 by the Information Systems Audit and Control
Specific Research Results
As an example, this section will summarize the results of two sectors from which well-balanced results were obtained:
the financial and the pharmaceutical sectors. For each sector, the most important characteristics and value and risk drivers
are described. Next, two matrices are shown, one presenting the links between business goals and IT goals (figures 1 and 3) and one between COBIT processes and IT goals (figures 2 and 4). Reading these matrices in combination enables a better understanding of how IT processes support IT goals, which in turn support business goals. In the matrices, a distinction is made between primary (P) and secondary (S) relationships.
Value and Risk Drivers of the Financial Sector
• Value drivers:
– Diminishing transaction costs—Because of higher transaction volumes, even small improvements may lead to substantial cost reductions.
– Introduction of new and innovative services, such as e-banking
– Increasing emphasis on customer orientation instead of product orientation
• Risk drivers
– Security breaches—Because high-visibility security breaches, whether small or large, are widely noticed, they inevitably have important implications.
– High-liability factor—The huge amounts of money being processed by the financial institutions lead to high liability, and even apparently insignificant mistakes can lead to considerable losses.
– Many changes in a short span of time—Pressured by evertightening legislation (e.g., Basel II and Sarbanes-Oxley) and competition (e.g., the introduction of Internet banking applications), the financial sector has been forced to make many changes to its IT architecture in a relatively short period of time.
General Research Results
After analysis of all sectors, it was found that 46 percent of all business goals and 37 percent of all IT goals provided by the interviewees could be considered “specific” to their sector, i.e., they are not equally important for all other sectors. Examples
are “achieving compliance with Basel II regulations” as a specific business goal for the financial sector and “taking IT measures to satisfy FDA requirements” as a specific IT goal for the pharmaceutical sector. On the other hand, more than 50 percent of all goals are generic, such as “improving customer orientation and service,” “IT disaster recovery and business continuity” and “standardizing IT systems.”
The business goals and IT goals that were mentioned most frequently are summarized in figure 5. The links between
those business and IT goals are set by the researchers as an example; they are not based on the input of the interviewees. It
appears that the most frequently mentioned business goals are rather high-level and generic. The IT goals are at a lower level
but still generic. The matrix in figure 6 maps the five most frequently mentioned IT goals to the 15 most important COBIT processes.
These links are again filled out by the development team as an example.
This eight-sector research project provides a view of the links between business and IT goals, and the relationships between COBIT processes and IT goals. It appears that defining the link among business goals, IT goals and IT processes was a difficult exercise for the interviewees, and that many of the mentioned business and IT goals were generic. The given examples of linking IT processes to IT goals and business goals can provide guidance for in-house COBIT implementations, more specifically in defining those IT processes on which to focus. Conclusions are tentative because they are based on a limited set of arbitrarily chosen interviewees per sector. To accredit more value to the results, a more detailed study is needed based on in-depth case studies and a larger number of respondents. Detailed research could provide more insight in the cascade starting from high-level strategic business goals to lower-level operational IT goals and processes. This cascade would more closely represent a real-life business scenario.