Bruno Claudepierre
and Selmin Nurcan
Centre de Recherche en Informatique, Université Paris I – Panthéon Sorbonne
90 rue de Tolbiac, 75 634 Paris cedex 13, France
Institut d’Administration des Entreprises de Paris, Université Paris I – Panthéon Sorbonne
21 rue Broca, 75 005 Paris, France
Keywords: IT governance, IT requirements, IS development processes.
Abstract: Information systems (IS) have a role of information processing and service providing for business activities.
Moreover, the latter take place in an evolving environment and it becomes more and more crucial to
measure the effectiveness and the efficiency of the IS as a support of the enterprise activities and strategies.
The purpose of the corporate governance and the information technology governance (ITG) is to ensure that
enterprise strategy is properly implemented. The ITG can thus facilitate the anticipation of the required
evolutions of the IS. In this paper, we propose a framework for analysing and positioning ITG approaches
often referenced in the literature.
The corporate governance is a mechanism which
controls that the company strategy is well applied to
the ground. By distributing the decisional rights and
by defining objectives of control, it directs also the
decisions of the managers. That results mainly in the
implementation of vertical flows of information (or
decisional flows). This type of governance is
oriented by external actors like shareholders.
ITG must achieve goals resulting from corporate
governance. Support activities are organised into an
iterative process which aims at defining the
objectives of IT activities, making the decisions,
scheduling IT activities, controlling and measuring
the implication of the decisions and the activities on
objectives achievement. A general definition for IT
governance is given in (Van Grembergen, 2002):
“IT Governance is the organisational capacity
exercised by the Board, Executive Management and
IT management to control the formulation and
implementation of IT strategy and in this way ensure
the fusion of business and IT”.
In this paper we propose a framework for
analysing some well known ITG approaches. This
paper is organised as follow. Section 2 presents
some approaches related to IT governance. In
section 3, we propose a framework for analysing and
comparing the presented approaches.
This section briefly presents some approaches and tools
which aim to support ITG. We identified five IT
related domains impacted by these approaches: (i) IT
management, (ii) process improvement, (iii) controlling
and measuring IT services, (iv) change and flexibility,
and (v) maturity of development processes.
2.1 IT Management
From manager’s point of view, the governance is
about decision making support. Balanced Scorecard
(BSC) (Kaplan and Norton, 1996) is a methodology
helping managers to formalise their scorecard. It
suggests building a scorecard using four analysing
axes: (i) the financial perspective, (ii) the customer
perspective, (iii) the business process perspective
and (iv) the learning and growth perspective. Each
axe allows to the manager to identify the appropriate
indicators. We can add other axes to structure
specific scorecard for ITG (AFAI and CIGREF,
The synthesis of governance practices in
companies, provided in (Weill, 2004), allowed us to
identify some decisions that IT managers have to
take. This work identifies taxonomy of governance
and exposes a typology of decisions. In this context,
decision-making is an intellectual activity performed
Claudepierre B. and Nurcan S. (2007).
In Proceedings of the Ninth International Conference on Enterprise Information Systems - ISAS, pages 512-516
DOI: 10.5220/0002362105120516
by a human agent, or a group of human agents. It
consists of identifying a problem in a particular
context generally in order to face a changing
situation and to find a solution by selecting among
several choices.
(Kaplan and Norton, 1996) and (Weill, 2004)
provide a support for IT management activities by
describing the decisional context and by proposing a
method to formalise scoreboards.
2.2 Process Improvement
Process improvement was a main goal for industry
in the 80’ in order to decrease waste or product
defects. Motorola used for the first time Six Sigma
in the 80’ when American companies where under
competition from Japanese industry. Today, Six
Sigma (Biehl, 2004) approach is more and more
applied for IS engineering.
Six Sigma is a statically based technique which
is focalised on satisfying customer needs. It is
process oriented and allows a leadership based on
metrics. Processes are considered as supports to the
customer satisfaction. In order to attain this goal, Six
Sigma proposes five steps: “Define”, “Measure”,
“Analyse”, “Improve” and “Control” (DMAIC). It is
an iterative and continuous process of improvement
which leads engineers to manage quality projects, to
measure and to improve the process performance.
The main effect of process improvement is to
increase the process capability.
2.3 Measuring IT Services
A scope for ITG is to control if the decisions related to
the IT management are linked to a strategic goal of the
enterprise. Moreover, the degree of completeness for IT
strategic objectives must be measured and, the
implications of IT activities on the enterprise strategies
should be analysed. COBIT (Control Objectives for
Business and Related Technology) (AFAI and ITGI,
2002) and ITIL (IT Infrastructure Library) (Violino,
2005) make explicitly the link between enterprise
objectives and IT process performance measures.
ITIL provides a set of best practices on IT
processes. It deals with quality of services and
describes bases for the standardisation of IT processes
in companies. ITIL describes the context of service
providing: what are the support or hardware, the tools
and software used and the documentation linked to
them? The limitation of ITIL is raised on the fact that it
does not provide a framework for the improvement of
the quality of services (Niessink and Van Vliet, 1998).
CoBIT is more focalised on the control of activities
and more dedicated to business managers: it allows
them to define control objectives and indicators in
conformity of a three-dimensional perception including
(i) quality of data, (ii) processes, and (iii) IT resources.
CoBIT can help an organisation to align the use of IT
with its business goals (Ridley et al., 2004) and to
decrease IT risks to an acceptable level. CoBIT
organises processes into four domains: planning and
organisation, acquisition and implementation, delivery
and support, and monitoring.
ITIL and COBIT can be considered as
complementary frameworks. Recent works establish
links between IT frameworks: (Santana Tapia, 2006)
argues for using COBIT maturity model to evaluate the
maturity of processes deployed in the context of ITIL.
2.4 Change and Flexibility
ITG is a set of organised activities to control if
decisions related to IT are properly applied. Effects
of the decisions should be measured in order to
evaluate their applicativeness and appropriativeness
in the implementation of the change. The
“Enterprise Knowledge Development: Change
Management Method” (EKD-CMM) (Barrios and
Nurcan, 2004) provides (i) an intention driven IS
engineering model allowing to describe the company
strategy; (ii) a linkage between business processes
and strategic objectives through out top-down,
bottom-up or mixed approaches. The main
advantage resides, in fact, in the capability of the
method to support an enterprise context of change
and to keep IT support aligned with business
(Hammami-Abid and Elidrissi, 2004) identifies
implications of IT governance in the way of aligning
IT with business objectives and argues for context
anticipation by ensuring BP flexibility. Authors
identify four ideas associated with ITG: (i)
knowledge anticipation, (ii) leadership or the
capacity to take IT decisions, (iii) reaction based on
a set of indicators and measurements, and (iv) BPs
as support for value creation.
These two approaches allow enterprises to
handle change. EKD-CMM supports the change
process by using specific models (Nurcan et al.,
1999) and, through documentation, allows
anticipation (Hammami-Abid and Elidrissi, 2004).
2.5 Maturity of Development Processes
Development processes are crucial because their
products are the architectures of the enterprise
information systems. The maturity of the
development process can be measured. In this way, a
set of metrics describing the IT context is a
prerequisite. Capability Maturity Model Integration
(CMMI) is a model developed by the Software
Engineering Institute (SEI) in order to evaluate the
maturity level of the software development
processes. CMMI is composed of a set of models for
various activities in the company. CMMI for system
engineering and software engineering (SEI, 2001)
proposes a set of development processes organised
by key sectors which are representative for a
business activity. Each key sector has its own
specific goals and generic goals. For each goal, a set
of best practices is provided. CMMI proposes two
models for software engineering processes
evaluation: the continuous evaluation and the stage
evaluation. The first is mainly dedicated to small or
medium organisations which can easily identify their
key sectors and the second is more appropriate for
wild structures like international groups.
CMMI allows analysing four types of processes
decomposed by 24 processes which are evaluated
through levels of maturity depending on the selected
type of evaluation.
This section presents the framework we built for
analysing IT engineering/management approaches
on particular pertinent aspects linked with ITG. We
use this framework to compare eight approaches.
3.1 The “Four-worlds” Framework
The four-worlds framework was proposed for
understanding several IT related engineering
disciplines: information systems engineering (Jarke
et al., 1992), requirements engineering (Jarke and
Pohl, 1993), process engineering (Rolland, 1998)
and change engineering (Nurcan and Rolland, 2003).
Let us remind that for each discipline, facets and
attributes of the framework should be contextually
defined. We believe that this framework can also
help in understanding the field of ITG. This
comprehension is a prerequisite for providing IS
engineering methods aiming to anticipate ITG.
3.1.1 General Overview
The framework provides four analysis views called
also worlds. The subject world contains the reality of
ITG and is an answer to the question ‘what is ITG?’.
The usage world is linked with users objectives and
justifies ‘why using ITG?’. The development world
contains engineering processes allowing to develop an
IS which is able to support ITG. The objective of the
development world is to describe the way to deploy
ITG and it is led by the question ‘how to deploy ITG?’.
The system world describes the content of the IS, the
elements used to represent the subject world: ‘through
which’ support to communicate about ITG?’.
Each world is described using facets. A facet is
representative of a particular aspect of ITG. We use
valuable attributes to characterise a facet. Thus a world
is composed by a set of facets. An attribute is defined
on a domain of value. A domain can be of several
types: a predefined type (integer, real, boolean...), an
enumerated type (ENUM {a, b, c}), or a set (SET (a; b;
c)). In this section we represent “facets” with quotes,
ATTRIBUTES are in capital letters and values are in
italic. In the following when the facet has a unique
attribute, the latter is considered having the same name
than the facet and is not reminded explicitly.
Figure 1: Framework overview.
The four worlds are interlinked in a particular way
as shown in Figure 1: (i) the subject world generates
some objectives for the usage world, (ii) the system
world is a way to represent the reality or the subject
world, (iii) the system world is built by the engineering
processes described in the development world, (iv) the
development world is a way to attain objectives for the
usage world, finally (v) the system world is used to
support the stakeholders objectives specified in the
usage world.
3.1.2 Subject World
The subject world is described through three facets.
(Weill, 2004) allowed us to identify the “decision”
and “organisation” facets. IT managers have to make
decisions in various domains: IT architecture, IT
infrastructure, requirements, finance and project
scheduling. These decisions are mainly focalised on
ICEIS 2007 - International Conference on Enterprise Information Systems
a financial aspect. IT decisions, when they are made,
have to be accepted by all stakeholders.
“Organisation” facet represents the enterprise context
for decision-making and delegation (centralised,
decentralised or hybrid). The “coverage” facet is
representative of the main enterprise objective in
deploying ITG. Internal ITG is seen as a way to
manage IT to ensure a support for business processes.
External ITG is a support to ensure shareholders and
the directorate that IT decisions are in conformity
with their own objectives.
3.1.3 Usage World
The usage world is composed of six facets
representing main goals in using IS. IT managers
have to keep IT “aligned” with enterprise objectives
(Henderson and Venkatraman, 1993) in a particular
“risk management” context. Alignment can be
performed by strategic integration or functional
integration. Risks can be transferred to an external
entity, accepted or refused. Decisions are taken to
ensure that IT creates “values” through services
provided to the organisation or to external actors
(e.g.: customers, shareholders, providers). The
“Quality” facet is representative of the IT usability,
efficiency, efficacy and degree of goal completion
(Tricot and Tricot, 2000). The ‘Change’ facet
(Rolland, 1998). ORIENTATION can be horizontal or
vertical and the
CYCLE of change can be radical or
continuous. The “maturity of IT governance” can be
also an essential goal for managers (AFAI and
CIGREF, 2006). Maturity is performed by
instantiating a maturity model describing
(integer) and associated OBJECTIVES which is an
enumeration of enterprise objectives.
3.1.4 Development World
The development world is composed of three facets.
The “architecture approach” is representative of the
way of modelling the enterprise knowledge using
strategic modelling, cartography or being guided by
the target IS (Longépé, 2004). Here, the “quality
approach” facet is not linked with information system
characteristics but with the quality management
methodology in use. We identified two types of
quality approaches: (i) continuous improvement
where goal definition and measures creation
anticipate the future states of the enterprise and goal
redefinition, (ii) the factual approach where data
analysis is required for decision-making. Enterprises
are more and more concerned by “development
process maturity”: they use maturity models like
CMMI which presents the maturity
LEVEL (integer)
and their associated
OBJECTIVES (list of objectives).
3.1.5 System World
The system world is composed of four facets. The
“topography” facet is used to characterise the IT
deployment in the organisation. The topography
can be centralised, distributed or hybrid depending
on the “organisation” of the decision process (§
3.1.2). The “abstract level” is based on the plan
theory in the way that a plan can generate other
more ‘specific’ ones (Rolland, 1998). We can
suppose the existence of infinity of levels but we
limit them, in this framework, to three: meta-
model, model and instance. The “content” facet
describes concepts that the system offers in order to
support ITG: goal, process, service, decision and
indicator. The “description” facet is representative
of the way to represent concepts and is related to
the attributes
FORM and NOTATION used to describe
them. The notation can be formal, semi-formal or
informal. Concepts can be represented through
diagrams, text or ontology.
3.2 Discussion and Analysis
We have chosen to formalise a framework to analyse
the implication of ITG approaches on the IT
engineering methods because, in our knowledge, the
literature does not provide this kind of study does
not exist. We built our framework by defining ITG
related properties. Improvements can be made for
scaling this framework to literature analysis for other
research questions related to ITG. We measured the
pertinence of each approach on a particular aspect of
ITG (i.e. facets we defined for this purpose). Here, we
evaluate this pertinence for each world on a scale of
ten points (see Formula 1 and Table 1). Marks (N) are
proportional to the number of facets used to evaluate
an approach (f
) in comparison to the number of facets
on the concerned world (f
). A high mark on a
specific world, for a given approach, indicates that
this approach can be significantly analysed and
compared to other approaches through the facets of
this world. EKD-CMM which is an ‘enterprise
architecture and IS’ engineering approach, is less
perceived by the framework than the others. This
shows us that EKD-CMM, as enterprise knowledge
and IS engineering approach, does not integrate well
IT governance concepts. Our research aims to
improve IS engineering methods in order to deal with
the ITG requirements. In this context, the evaluation
can help us in selecting the ITG approaches which will
be used to improve IT engineering methods.
Table 1: Evaluation of approaches.
(Weill, 2004)
10.00 5.00 3.33 10.00
6.67 8.33 6.67 7.50
Six Sigma
10.00 6.67 6.67 10.00
6.67 8.33 6.67 7.50
6.67 10.00 10.00 10.00
6.67 5.00 3.33 10.00
(Hammami-Abid, 2004)
6.67 6.67 3.33 7.50
6.67 8.33 10.00 10.00
Our study considers, and situates the contributions of
IT governance approaches. This work provides a step
in the comprehension and in the appropriation of IT
governance requirements. The comprehension of these
contributions anticipates our research whose objective
is to work out an engineering method allowing us to
build “governable” information systems.
We aim (i) to improve our knowledge and
experience on method engineering in order to develop
ITG related method chunks which could be integrated
in existing IS engineering methods and (ii) as a first
case study, to extend EKD-CMM in order to anticipate
the ITG requirements for an IS under development.
Afai, Cigref (2006), Enquête 2006 sur la maturité des
entreprises Françaises en Gouvernance des SI,
Symposium IT Governance en actions, 18
May 2006,
http://www.afai.fr/public/doc/170.pdf, acceded 15/06/06.
Afai, Itgi (2002), COBIT Gouvernance, Contrôle et Audit de
l'Information et des Technologies Associées – Troisième
édition, ISBN: 2-9515149-5-6.
Barrios, J. and Nurcan, S. Model Driven Architectures for
Enterprise Information Systems, Int. Conference on
Advanced information Systems Engineering (CAISE),
Springer Verlag, Riga, Latvia, 2004.
Biehl, R., E. (2004), Six Sigma for Software, in Eickelmann N
and Hayes J H (Ed) IEEE Software, IEEE Computer
Society, pp. 68-70.
Hammami-Abid, I. and Elidrissi, D. (2004), Gouvernance des
systèmes d’information et alignement stratégique : vers
un système d’information agile et urbanisé, in Procedings
of the European and Mediterranean Conference on
Information Systems, 25-27 July 2004.
Henderson, J. C. and Venkatraman, N. (1993), Strategic
Alignment: Leverating Information Technology for
Transforming Organizations, in IBM System Journal,
32:1, pp. 4-16.
Jarke, M., Mylopoulos, J., Schmidt, J. M. and Vassiliou Y.
(1992), DAIDA - An Environment for Evolving
Information Systems, ACM Trans., in Information
Systems, Vol. 10, No. 1.
Jarke, M. and Pohl, K. (1993), Requirements Engineering: An
Integrated View of Representation, Process and Domain,
in Procedings 4th Euro. Software Conf., Springer Verlag.
Kaplan, R. and Norton, D. (1996). Balanced Scorecard –
Translating strategy into action, Harvard Business School
Press (Ed.), 1996, ISBN: 0875846513.
Longépé, C. (2004), Le projet d’urbanisation du SI –
Démarche pratique avec cas concrets – 2
Dunod (Ed.), ISBN: 2 10 007376 1.
Niessink, F. and Van Vliet, H. (1998), Towards Mature IT
Services, in Software Process: Improvement and Practice,
4:2, pp. 55-71.
Ridley, G., Young, J. and Carroll, P. (2004), COBIT and its
Utilization: A framework from the literature, in
Procedings of the 37
Hawaii International Conference
on System Sciences, Track 8, Vol. 8.
Rolland, C. (1998), A Comprehensive View of Process
Engineering, in the Proceedings of the 10
Conference CAISE’98, Lecture Notes in Computer
Science 1413, B. Pernici, C. Thanos (Eds), Springer.
Santana Tapia, R. (2006), IT Process Architectures for
Enterprises Development: A Survey from a Maturity
Model Perspective, Technical Report TR-CTIT-06-04,
CTIT, University of Twente, The Netherlands.
Software Engineering Institute (SEI) (2001), CMMI-SE/SW,
V1.1 - Continuous Representation, http://www.sei.cmu.
Tricot, A. and Tricot, M. (2000), Un cadre formel pour
interpréter les liens entre utilisabilité et utilité des
systèmes d’information (et généralisation à l’évaluation
d’objets finalisés), in Proceedings of Colloque Ergo-IHM,
Biarritz, France, 3-6 October 2000, pp. 195-202.
Van Grembergen W.(2002), Introduction to the minitrack IT
Governance and its Mechansims, Proceedings of the 35
Hawaii International Conf. on System Sciences (HICSS).
Violino, B. (2005), IT Frameworks Demystified, in Network
World, Vol. 22, Issue 7, 21
February 2005, pp. 18S-20S.
Weill, P. (2004), Don't Just Lead, Govern: How Top-
Performing Firms Govern IT. In MIS Quarterly
Executive, Vol, 8, 1, March 2004, pp. 1-17.
ICEIS 2007 - International Conference on Enterprise Information Systems