Page 1
IT Governance Implementation Framework for Public Sector
Organizations of Pakistan
By
Amanat Ali
10-UET/PhD-CASE-EM-65
Supervised by:
Dr. Asim Nisar
ENGINEERING MANAGEMENT DEPARTMENT
CENTER FOR ADVANCED STUDIES IN ENGINEERING
UNIVERSITY OF ENGINEERING AND TECHNOLOGY TAXILA PAKISTAN
Spring, 2018
Page 4
II
Abstract
The use of Information Technology (IT) has become imperative for Public Sector
Organizations (PSOs) to improve and sustain public service delivery and meet and extend
other organizational objectives and strategies. This pervasive use of IT demands for a special
focus on effective IT governance in these organizations. Consequently, effective IT
governance practices need to be determined, implemented and sustained if these
organizations want to encourage and achieve the desirable behavior in the use of IT.
Nevertheless, IT governance is different in different organizational contexts and its
implementation in PSOs is more complex than their private counterparts due to many reasons
including complex intra and inter-organizational interactions & synergies, more bureaucracy
& less managerial autonomy and more legal & cultural constraints etc. The PSOs in
developing countries are even more challenging. Many generic frameworks, standards and
tools are considered to be as best practices to implement IT governance in organizations but
these have some inherent shortcomings towards the context of PSOs in a developing country.
These frameworks are very generic, complex and expensive due to which these organizations
may deem the practice daunting and unattainable. Therefore, a substitute framework to
complement the inherent shortcomings of the existing frameworks towards the context of
PSOs in a developing country is required to solve the problem. This study investigated and
analyzed IT governance in Pakistani Public Sector Organizations (PakPSOs) in the context of
a developing country and proposed a framework to implement effective IT governance in
these organizations. The study was conducted into four phases. In the first phase, the existing
state of IT governance in PakPSOs was determined and analyzed in terms of maturity through
exploratory case studies of six organizations using 15 IT processes of COBIT and compared
with a developed country, a developing country and the international public sector
benchmark for learning, benchmarking and embracing best practices. The results indicated
that the average maturity of 15 IT processes across six PakPSOs laid down between level 2
and level 3 of generic maturity model of COBIT. The process “Manage Data” demonstrated
highest maturity whereas the process “Communicate Management Aims and Direction”
showed lowest maturity. The results also indicated that PakPSOs performed better than a
developing country and lower than a developed country and the international public sector
benchmark. In the second phase, the relevant IT governance practices in PakPSOs were
Page 5
III
identified and analyzed in terms of Critical Success Factors (CSFs) through exploratory case
studies of eight organizations. The results revealed that 12 CSFs were found to be relevant to
PakPSOs. In the third phase, the identified set of CSFs was validated in PakPSOs by testing
and analyzing its statistical effect on IT outcomes through confirmatory study using sample
data from PakPSOs. The results indicated that 11 CSFs demonstrated positive significant
effect on IT outcomes. The CSF “IT/business communication and partnership” found to be
most effective whereas the CSF “competitive IT professionals” found to be the least
effective. In the fourth phase, the IT governance framework was developed and evaluated
using design science research approach based on the results of the phase 3, more literature
review and qualitative and quantitative opinions from PakPSOs. This resulted into a proposed
framework for PakPSOs which consisted of effective IT governance practices in terms of
CSFs, activities to implement these practices, suitable roles and appropriate IT resources to
execute activities and operating environment in which it ought to be implemented. The
proposed framework provides a holistic view of IT governance by not only covering five
focus areas of IT governance i.e. strategic alignment, value delivery, risk management,
resource management and performance measurement but also wrapping three perspectives of
IT-business alignment i.e. human, social and intellectual perspectives. The results of the
evaluation phase indicated that the framework proved to be useful. The study provides many
practical and theoretical implications. From practitioners‟ perspective, the maturity
benchmark can help the public managers in PakPSOs and similar environment to identify and
improve weak areas and ultimately improve and sustain public service delivery. The
identified set of CSFs can assist them to recognize limited areas where focus can be given for
success. By understanding the relative importance of CSFs, they can improve their IT-related
plans and prioritize limited resources accordingly. Both IT and business management
personnel in PakPSOs can use the framework for planning, implementing and continuously
improving IT governance in their business settings. From theoretical and academic
perspective, the study fills the theoretical gap in the literature by explaining IT governance in
the perspective of CSFs approach and broadens the scope of effective IT governance
practices to the context of PSOs in developing countries. As compared to the other studies
from the relevant literature, this study provides a holistic view of IT governance by covering
both IT governance and IT-business alignment which lack in previous studies. The study
strengthens the existing IT governance frameworks like COBIT, ITIL and ISO/IEC 38500
etc. The study also provides new avenues for future researchers who want to conduct research
in the field of IT governance in PSOs of developing countries.
Page 6
IV
Acknowledgements
First of all, I express my gratitude to my advisor Dr. Asim Nisar, who encouraged and
guided me with constructive and valuable advice during the course of this entire research
work. He always supported and encouraged me when I needed some guidance regarding the
research work and related matters. His keen interest in my research work and related progress
enabled me to complete this research within time.
Secondly, my thanks go to the Ex- Chairman of Engineering Management Department of
Center for Advanced Studies in Engineering (CASE) Dr. Ali Ahsan, who always
optimistically responded me at his office and granted his busy hours to advice me about
research and other academic related matters. Being an important member of my research
committee, his useful comments and suggestions led me to enrich my research work.
Thirdly, I extend my thanks to other research committee members Dr. Danial Saeed and Dr.
Baber Zaheer for their time and review of this research work with valuable comments.
Fourthly, I would like to express my thanks to the senior management of the studied
organizations for their active cooperation in data collection phase especially the IT and
business personnel involved in interviews and surveys process to provide me meaningful data
and information without which this research was not possible.
My thanks also go to Higher Education Commission (HEC) of Pakistan for funding my
whole PhD study without which it was not possible for me to meet PhD expenses by my own
resources.
Finally, special thanks to my parents for their prayers and my wife for her encouragement,
patience, and support and taking care of my children Farheen, Diyan and Samyan.
Above all, I am always grateful to the Almighty God for all the blessings.
Thanks for all
Amanat Ali
Page 7
V
List of Tables
TABLE 2.1: LIMITATIONS OF GENERIC IT GOVERNANCE IMPLEMENTATION FRAMEWORKS TOWARDS PAKPSOS ... 39
TABLE 2.2: DIFFERENCES BETWEEN PUBLIC AND PRIVATE SECTOR ORGANIZATIONS BASED ON LITERATURE ....... 44
TABLE 3.1: MINIMUM SAMPLE SIZE FOR A TYPICAL RESEARCH (MARCOULIDES & SAUNDERS, 2006) .................. 62
TABLE 3.2: A QUICK VIEW OF THE RESEARCH METHODOLOGY ........................................................................... 65
TABLE 4.1: DISTRIBUTION OF THE RESPONDENTS IN THE SIX STUDIED PAKPSOS .............................................. 100
TABLE 4.2: AVERAGE MATURITY LEVELS OF THE 15 IT PROCESSES ACROSS THE SIX STUDIED PAKPSOS ........... 101
TABLE 5.1: THE ACCEPTED CSFS RELATED ARTICLES ..................................................................................... 110
TABLE 5.2: HARMONIZATION OF CSFS FROM THE ACCEPTED ARTICLES ........................................................... 112
TABLE 5.3: DISTRIBUTION OF THE RESPONDENTS IN THE EIGHT STUDIED PAKPSOS.......................................... 113
TABLE 5.4: THE SUMMARIZED QUALITATIVE RESPONSE OF THE INTERVIEWEES ................................................ 118
TABLE 5.5: CLASSIFICATION OF THE IDENTIFIED PRACTICES INTO FIVE FOCUS AREAS AND THREE PERSPECTIVES OF
IT-BUSINESS ALIGNMENT .............................................................................................................................. 119
TABLE 6.1: SAMPLE CHARACTERISTICS .......................................................................................................... 127
TABLE 6.2: MEASUREMENT OF CONSTRUCTS AND INDICATORS (WITH RELIABILITIES) ...................................... 128
TABLE 6.3: INTER-CORRELATION OF CONSTRUCTS AND THE CORRESPONDING SQUARE ROOT OF AVE ............... 130
TABLE 6.4: STRENGTHS AND SIGNIFICANCE OF PATH COEFFICIENTS ................................................................. 132
TABLE 7.1: THE INITIAL LIST OF ACTIVITIES FOR EACH PRACTICE EXTRACTED FROM THE EXISTING LITERATURE 140
TABLE 7.2: RELATIONSHIP OF 19 ROLES OF COBIT WITH FIVE ROLES OF SIMONSSON AND JOHNSON (2008) ..... 142
TABLE 7.3: FOUR TYPES OF IT RESOURCES CLASSIFIED BY ITGI (2007) ........................................................... 143
TABLE 7.4: DISTRIBUTION OF THE RESPONDENTS IN THE SIX STUDIED PAKPSOS .............................................. 144
TABLE 7.5: THE SUMMARIZED QUALITATIVE RESPONSE OF THE FOCUS GROUPS AFTER CONTENT ANALYSIS ...... 145
TABLE 7.6: ACTIVITIES FOR GUIDING PRACTICES WITH ROLES AND IT RESOURCES ........................................... 153
TABLE 7.7: RESPONDENTS‟ PROFILE AND THEIR SUMMARIZED SUGGESTIONS ................................................... 157
TABLE 7.8: ACTIVITIES FOR PRACTICES WITH ROLES AND IT RESOURCES ......................................................... 161
TABLE 8.1: DECISION-MAKING STRUCTURE OF THE ORGANIZATION M ............................................................. 174
TABLE 8.2: HOW ARE IT GOVERNANCE FOCUS AREAS ADDRESSED IN THE ORGANIZATION M ............................ 174
TABLE 8.3: RELEVANCY OF THE PROPOSED FRAMEWORK‟S PRACTICES WITH THE ORGANIZATION M ................. 175
TABLE 8.4: RESPONDENTS‟ PROFILE IN CASE STUDY FOR EVALUATING THE FRAMEWORK ................................. 178
TABLE 8.5: THE SUMMARY OF INTERVIEW RESPONSE ON EVALUATION CRITERIA AND RESULTANT IMPROVEMENTS
INTO THE FRAMEWORK .................................................................................................................................. 179
TABLE 8.6: ACTIVITIES FOR PRACTICES WITH ROLES AND IT RESOURCES ......................................................... 185
TABLE 9.1: COMPARISON OF THE PROPOSED FRAMEWORK WITH GENERIC FRAMEWORKS .................................. 205
Page 8
VI
List of Figures
FIGURE 1.1: THE LINKAGE OF RESEARCH PROBLEM, QUESTIONS AND OBJECTIVES .............................................. 10
FIGURE 2.1: CORPORATE AND KEY ASSET GOVERNANCE (WEILL & ROSS, 2004) ................................................ 18
FIGURE 2.2: COBIT 5 PRINCIPLES (ISACA, 2012) ........................................................................................... 28
FIGURE 2.3: ITIL SERVICE LIFECYCLE (ITIL, 2007) ......................................................................................... 31
FIGURE 2.4: ISO/IEC 38500: 2015 INFORMATION TECHNOLOGY- GOVERNANCE OF IT FOR THE ORGANIZATION
(ISO/IEC 38500:2015, 2015) .......................................................................................................................... 33
FIGURE 2.5: DEFOGIT FRAMEWORK (GÓMEZ, BERMEJO, & JUIZ, 2017) ............................................................. 34
FIGURE 2.6: STRATEGIC ALIGNMENT MODEL (HENDERSON & VENKATRAMAN, 1993) ....................................... 36
FIGURE 2.7: BALANCED SCORE CARD (KAPLAN & NORTON, 1992) ................................................................... 37
FIGURE 3.1: STAIR-CASE DIAGRAM OF RESEARCH PHASES ................................................................................. 58
FIGURE 3.2: RESEARCH PHILOSOPHICAL PARADIGMS ADAPTED FROM MYERS (2008) AND STRAUB ET AL. (2005) 60
FIGURE 3.3: RESEARCH MODEL ....................................................................................................................... 75
FIGURE 3.4: INFORMATION SYSTEMS RESEARCH FRAMEWORK (HEVNER ET AL., 2004) ....................................... 86
FIGURE 3.5: FRAMEWORK DEVELOPMENT AND EVALUATION PROCESS ............................................................... 88
FIGURE 4.1: DOMAIN WISE AVERAGE MATURITY OF THE 15 IT PROCESSES IN THE SIX STUDIED PAKPSOS ......... 103
FIGURE 4.2: MATURITY LEVELS OF THE SIX STUDIED PAKPSOS FOR THE 15 IT PROCESSES ............................... 104
FIGURE 5.1: IT GOVERNANCE PRACTICES BASED ON THE QUANTITATIVE RESPONSE OF THE INTERVIEWEES IN THE
EIGHT STUDIED PAKPSOS .............................................................................................................................. 114
FIGURE 7.1: QUANTITATIVE RESPONSE OF THE FOCUS GROUPS ON PERCEIVED EFFECTIVENESS AND EASE OF
IMPLEMENTATION OF IMPROVED ACTIVITIES................................................................................................... 150
FIGURE 7.2: THE INITIAL VERSION OF THE PROPOSED FRAMEWORK.................................................................. 152
FIGURE 7.3: FIRST VERSION OF THE FRAMEWORK ........................................................................................... 160
FIGURE 8.1: THE RELATIONSHIP AMONG IT GOVERNANCE DECISIONS AND FOCUS AREAS AND PROJECT
MANAGEMENT LIFE CYCLE PHASES................................................................................................................. 169
FIGURE 8.2: QUANTITATIVE RESPONSE ON EVALUATION CRITERIA .................................................................. 180
FIGURE 8.3: QUANTITATIVE RESPONSE ON IMPLEMENTATION ASPECTS ............................................................ 181
FIGURE 8.4: SECOND VERSION OF THE FRAMEWORK ....................................................................................... 184
FIGURE 9.1: RANKED GUIDING IT GOVERNANCE PRACTICES (1ST AND LAST) ................................................... 202
FIGURE 9.2: PRIORITY CONSIDERATION IN USING THE FRAMEWORK ................................................................. 203
Page 9
VII
List of Abbreviations
BCS Balanced Scorecard
CCTA Central Computer and Telecommunications Agency
CIO Chief Information Officer
CIPFA The Charted Institute of Public Finance & Accountancy
CMMI Capability Maturity Model® Integration
COBIT Control Objectives for Information and related Technologies
COSO Committee of Sponsoring Organizations
CSFs Critical Success Factors
EGD Electronic Government Directorate
EMD Evaluate-Direct-Monitor
HDI Human Development Index
ICT Information and Communication Technologies
IE Information Economics
IFAC International Federation of Accountants
IS Information System
ISACA Information Systems Audit and Control Association
ISACF Information Systems Audit and Control Foundation
ISO International Organization for Standardization
IT Information Technology
ITGBSC IT Governance Balanced Scorecard
ITGI IT Governance Institute
ITIL Information Technology Infrastructure Library
ITOMAT Organization Modeling and Assessment Tool
LDCs Developing Countries
MDAs Ministries, Departments & Agencies
MOST Ministry of Science and Technology
OGC Office of Government Commerce
PakPSOs Pakistani Public Sector Organizations
PC-I Planning Commission-I
PDCA Plan, Check, Do and Act
P & D Planning and Development Department
PLS Partial Least Squares
Page 10
VIII
PMBOK Project Management Body of Knowledge
PMI Project Management Institute
PRINCE2 Projects in Controlled Environments
PSOs Public Sector Organizations
PTA Pakistan Telecommunication Authority
PwC PriceWaterHouseCoopers
ROI Return on Investment
SAM Strategic Alignment Model
SEM Structural Equation Modeling
TOGAF The Open Group Architecture Framework
UNDP United Nations Development Program
Page 11
IX
Contents
ABSTRACT ................................................................................................................................................... II
ACKNOWLEDGEMENTS ......................................................................................................................... IV
LIST OF TABLES......................................................................................................................................... V
LIST OF FIGURES ..................................................................................................................................... VI
LIST OF ABBREVIATIONS ..................................................................................................................... VII
CONTENTS ................................................................................................................................................ IX
1 INTRODUCTION .................................................................................................................................. 1
1.1 CHAPTER OBJECTIVES ...................................................................................................................... 1
1.2 BACKGROUND OF THE STUDY ........................................................................................................... 1
1.3 RATIONALE FOR THE STUDY ............................................................................................................. 4
1.4 PROBLEM STATEMENT ...................................................................................................................... 6
1.5 AIMS & OBJECTIVES ......................................................................................................................... 8
1.6 RESEARCH QUESTIONS ..................................................................................................................... 8
1.7 RESEARCH PHASES ......................................................................................................................... 11
1.8 RESEARCH SCOPE ........................................................................................................................... 11
1.9 STRUCTURE OF THE THESIS ............................................................................................................. 12
2 LITERATURE REVIEW .................................................................................................................... 14
2.1 CHAPTER OBJECTIVES .................................................................................................................... 14
2.2 OVERVIEW OF IT GOVERNANCE ...................................................................................................... 14
2.2.1 Emergence of IT Governance ..................................................................................................... 14
2.2.2 IT Governance Definitions ......................................................................................................... 15
2.2.3 IT Governance and Corporate Governance ................................................................................ 17
2.2.4 IT Governance and IT Management ........................................................................................... 19
2.3 IT GOVERNANCE MATURITY .......................................................................................................... 19
2.3.1 Concept of Process Maturity in COBIT ...................................................................................... 21
2.4 IT GOVERNANCE CRITICAL SUCCESS FACTORS (CSFS) .................................................................... 22
2.5 IT OUTCOMES (DESIRABLE BEHAVIOR IN PUBLIC SECTOR OF A DEVELOPING COUNTRY) ..................... 24
2.6 GENERIC IT GOVERNANCE IMPLEMENTATION FRAMEWORKS ........................................................... 26
2.6.1 Control Objectives for Information and related Technology (COBIT) ......................................... 27
2.6.2 Organization Modeling and Assessment Tool (ITOMAT) ............................................................ 29
2.6.3 Information Technology Infrastructure Library (ITIL) ................................................................ 30
2.6.4 ISO/IEC 38500 Information Technology- Governance of IT for the Organization ....................... 31
2.6.5 Detailed Framework of Governance of Information Technologies (dFogIT)................................ 33
2.6.6 Strategic Alignment Model (SAM) .............................................................................................. 35
2.6.7 Balanced Scorecard (BSC) ........................................................................................................ 36
Page 12
X
2.6.8 Limitations of Generic IT Governance Implementation Frameworks towards PakPSOs .............. 38
2.7 CONTEXT OF PUBLIC SECTOR ORGANIZATIONS................................................................................ 41
2.7.1 Defining and Understanding Public Sector Organizations .......................................................... 41
2.7.2 Characterizing Public Sector Organizations .............................................................................. 42
2.7.3 Public Sector Organizations in Developing Countries ................................................................ 42
2.8 PREVIOUS IT GOVERNANCE RESEARCH ........................................................................................... 45
2.8.1 Previous IT Governance Research in General ............................................................................ 45
2.8.2 Previous IT Governance Research in Public Sector Organizations ............................................. 49
2.9 RESEARCH GAPS ............................................................................................................................ 52
2.10 CHAPTER SUMMARY ...................................................................................................................... 52
3 RESEARCH METHODOLOGY......................................................................................................... 54
3.1 CHAPTER OBJECTIVES .................................................................................................................... 54
3.2 METHODOLOGY ............................................................................................................................. 54
3.2.1 Research Phases ........................................................................................................................ 55
3.2.2 Research Philosophy ................................................................................................................. 59
3.2.3 Research Methods ..................................................................................................................... 60
3.2.4 Sampling Techniques and Sample Size ....................................................................................... 61
3.2.5 Data Collection Techniques ....................................................................................................... 63
3.2.6 Data Analysis Approaches ......................................................................................................... 63
3.3 RESEARCH PROCESS ....................................................................................................................... 66
3.3.1 Phase 1: Assessing the Existing State of IT Governance in PakPSOs .......................................... 66
3.3.1.1 Rationale for Selecting COBIT Framework‟s Processes ..................................................... 66
3.3.1.2 Phase Methodology ........................................................................................................... 67
3.3.2 Phase 2: Identifying the Relevant IT Governance Practices in PakPSOs ..................................... 69
3.3.2.1 Rationale for Adopting Critical Success Factor Approach .................................................. 69
3.3.2.2 Systematic Literature Review ............................................................................................ 70
3.3.2.3 Phase Methodology ........................................................................................................... 71
3.3.3 Phase 3: Investigating the Effect of IT Governance Practices on IT Outcomes in PakPSOs ........ 73
3.3.3.1 Rationale for Investigating IT Governance at Strategic Projects‟ Level ............................... 74
3.3.3.2 Phase Methodology ........................................................................................................... 74
3.3.4 Phase 4: Developing and Evaluating the Proposed IT Governance Framework .......................... 84
3.3.4.1 Rationale for Selecting Design Science Research Approach ............................................... 84
3.3.4.2 Phase Methodology ........................................................................................................... 87
3.4 VALIDITY AND RELIABILITY ........................................................................................................... 94
3.4.1 Construct Validity...................................................................................................................... 94
3.4.2 Internal Validity ........................................................................................................................ 95
3.4.3 External Validity ....................................................................................................................... 95
3.4.4 Reliability .................................................................................................................................. 96
3.5 RESEARCH ETHICS ......................................................................................................................... 96
3.6 CHAPTER SUMMARY ...................................................................................................................... 97
Page 13
XI
4 EXISTING STATE OF IT GOVERNANCE IN PUBLIC SECTOR ORGANIZATIONS OF
PAKISTAN ................................................................................................................................................... 99
4.1 CHAPTER OBJECTIVES .................................................................................................................... 99
4.2 RESULTS AND DISCUSSION.............................................................................................................. 99
4.2.1 Distribution of the Respondents in the Six Studied PakPSOs ....................................................... 99
4.2.2 IT Governance Maturity of the Studied PakPSOs ..................................................................... 100
4.2.3 Process Level Comparison ....................................................................................................... 101
4.2.4 Domain Level Comparison ...................................................................................................... 102
4.2.5 Organizational Level Comparison ........................................................................................... 103
4.2.6 Comparison of PakPSOs with Others ....................................................................................... 105
4.3 CONCLUSION AND FURTHER RESEARCH ........................................................................................ 106
4.4 CHAPTER SUMMARY .................................................................................................................... 108
5 IT GOVERNANCE PRACTICES IN PUBLIC SECTOR ORGANIZATIONS OF PAKISTAN.... 109
5.1 CHAPTER OBJECTIVES .................................................................................................................. 109
5.2 RESULTS OF SYSTEMATIC LITERATURE REVIEW ............................................................................ 109
5.2.1 Accepted CSFs Related Articles ............................................................................................... 109
5.2.2 Harmonization of CSFs from the Accepted Articles .................................................................. 111
5.3 OPERATIONALIZATION OF CSFS IN PAKPSOS ................................................................................ 113
5.3.1 Distribution of the Respondents in the Eight Studied PakPSOs ................................................. 113
5.3.2 Quantitative Response ............................................................................................................. 113
5.3.3 Qualitative Response ............................................................................................................... 115
5.4 CLASSIFICATION OF THE IDENTIFIED IT GOVERNANCE PRACTICES ................................................. 118
5.5 DISCUSSION ................................................................................................................................. 120
5.5.1 Practices Related to Human Perspective .................................................................................. 120
5.5.2 Practices Related to Social Perspective .................................................................................... 121
5.5.3 Practices Related to Intellectual Perspective ............................................................................ 122
5.6 CONCLUSION ................................................................................................................................ 123
5.7 CHAPTER SUMMARY .................................................................................................................... 125
6 EFFECT OF IT GOVERNANCE PRACTICES ON IT OUTCOMES IN PUBLIC SECTOR
ORGANIZATIONS OF PAKISTAN ......................................................................................................... 126
6.1 CHAPTER OBJECTIVES .................................................................................................................. 126
6.2 RESULTS ...................................................................................................................................... 126
6.2.1 Sample Characteristics ............................................................................................................ 126
6.2.2 Testing the Measurement Model............................................................................................... 127
6.2.3 Testing the Structural Model and Hypotheses ........................................................................... 130
6.3 DISCUSSION ................................................................................................................................. 133
6.4 CONCLUSION ................................................................................................................................ 134
6.5 CHAPTER SUMMARY .................................................................................................................... 136
Page 14
XII
7 THE FRAMEWORK: DEVELOPMENT PHASE ........................................................................... 138
7.1 CHAPTER OBJECTIVES .................................................................................................................. 138
7.2 THE INITIAL VERSION OF THE FRAMEWORK: RESULTS OF ITERATION 1 ........................................... 138
7.2.1 Background ............................................................................................................................. 138
7.2.2 Results..................................................................................................................................... 143
7.3 THE FIRST VERSION OF THE FRAMEWORK: RESULTS OF ITERATION 2 ............................................. 156
7.3.1 Background ............................................................................................................................. 156
7.3.2 Results..................................................................................................................................... 156
7.4 DISCUSSION AND CONCLUSION ..................................................................................................... 164
7.5 CHAPTER SUMMARY .................................................................................................................... 165
8 THE FRAMEWORK: EVALUATION PHASE ............................................................................... 167
8.1 CHAPTER OBJECTIVES .................................................................................................................. 167
8.2 INTRODUCTION TO THE CASE ........................................................................................................ 167
8.3 IT GOVERNANCE IN ORGANIZATION M ......................................................................................... 168
8.4 RELEVANCY OF THE PROPOSED IT GOVERNANCE FRAMEWORK WITH THE ORGANIZATION M .......... 175
8.5 EVALUATION OF THE FRAMEWORK ............................................................................................... 177
8.5.1 Respondents‟ Profile in the Case Study .................................................................................... 178
8.5.2 Results of Qualitative Response ............................................................................................... 178
8.5.3 Results of Quantitative Response ............................................................................................. 180
8.5.4 Quantitative Response on Implementation Aspects ................................................................... 180
8.5.5 Accomplishment of the Seven Guidelines of Design Science Research ....................................... 181
8.6 THE SECOND VERSION OF THE FRAMEWORK ................................................................................. 183
8.7 DISCUSSION AND CONCLUSION ..................................................................................................... 187
8.8 CHAPTER SUMMARY .................................................................................................................... 187
9 CONCLUSIONS, CONTRIBUTIONS, LIMITATIONS AND RECOMMENDATIONS ............... 189
9.1 CHAPTER OBJECTIVES .................................................................................................................. 189
9.2 SUMMARY OF THE STUDY ............................................................................................................. 189
9.3 THE FRAMEWORK ........................................................................................................................ 191
9.3.1 Background ............................................................................................................................. 191
9.3.2 Elements of the Framework ..................................................................................................... 192
9.3.2.1 Environment ................................................................................................................... 192
9.3.2.2 Organization ................................................................................................................... 193
9.3.2.3 IT Governance Focus Areas and IT-business Alignment Perspectives .............................. 193
9.3.2.4 Guiding Practices ............................................................................................................ 195
9.3.2.5 The Activities, Roles and IT Resources............................................................................ 200
9.4 IMPLEMENTATION CONSIDERATIONS ............................................................................................. 201
9.5 COMPARISON OF THE PROPOSED IT GOVERNANCE FRAMEWORK WITH GENERIC FRAMEWORKS ...... 204
9.6 APPLICATION OF THE FRAMEWORK IN THE CONTEXT OF PSOS IN A DEVELOPING COUNTRY ............ 206
9.7 CONTRIBUTIONS ........................................................................................................................... 208
Page 15
XIII
9.7.1 Contribution to Practice .......................................................................................................... 208
9.7.2 Contribution to Theory ............................................................................................................ 209
9.8 LIMITATIONS AND RECOMMENDATIONS ........................................................................................ 210
REFERENCES ........................................................................................................................................... 212
APPENDICES ............................................................................................................................................ 231
Page 16
1
1 Introduction
1.1 Chapter Objectives
This chapter provides the background of the study, rationale for conducting this research,
problem statement, aims & objectives and research questions. It also presents the brief
introduction of research phases applied to conduct this research. It begins with the description
of study background followed by the rationale for conducting this research. In the fourth
section, problem statement is presented followed by the aims and objectives of study.
Research questions are given in the sixth section. In the seventh section, a brief introduction
of research phases is presented. Research scope is discussed in the eighth section. Final
section describes the thesis structure.
1.2 Background of the Study
Public Sector Organizations (PSOs) play an important role in the socio-economic
development of a country and well-being of its people. Therefore, an improved and sustained
public service delivery is essential for these organizations. The use of Information
Technology (IT) has become imperative for many PSOs to improve and sustain public
service delivery and meet and extend other organizational objectives & strategies. This
pervasive use of IT has also been enlarged due to the increasing demands for more efficient
and cost-effective public service delivery and escalating embracement of e-government for
efficient, transparent, responsive and accountable government. However, this critical use of
IT demands for a special focus on effective IT governance in these organizations.
Consequently, effective IT governance practices need to be determined, implemented and
sustained if these organizations want to encourage and achieve the desirable behavior in the
use of IT.
IT governance is a structure and process through which organizations make right IT
investments to ensure that the resulting activities (programs, projects & operations) are
performed properly and desired benefits are achieved & preserved (Selig, 2016). It involves
Page 17
2
all assets related to IT like financial, human, physical, data and intellectual property (Weill &
Ross, 2004). Although, effective IT governance provides many benefits to organizations
including reduced costs and risks (Dintrans et al., 2013; Oyemade, 2012; Gheorghe, 2011;
Parent & Reich, 2009), increased security (Selig, 2016; PwC & ITGI, 2006), enhanced IT-
business alignment (Gheorghe, 2011; De Haes & Van Grembergen, 2009), organizational
competitiveness and performance (Park et al., 2017; Zhang et al., 2016; Rau, 2004), increased
profit or value for shareholders (Parent & Reich, 2009; Weill & Ross, 2004), improved
services and customer satisfaction (Selig, 2016; Rau, 2004) and effective and ethical
management (Selig, 2016) but these benefits are not automatic. A lot of commitment, effort,
resources and competencies are required to develop and implement suitable IT governance
structures, processes and relational mechanisms in line with organizational objectives and
competitive/market position.
Nevertheless, IT governance implementation is different in different organizational contexts
and depends on many contingency factors including organizational culture & structure,
strategy, maturity, size, industry, trust, ethical and regional differences (Pereira & Silva,
2012). A study on the design of IT governance argues that IT governance implementation
depends on the specific context, contingencies and operating environment of organizations
(Ribbers et al., 2002). Moreover, IT governance implementation in PSOs is different than
their private counterparts due to some contextual characteristics of PSOs including systematic
& complex decision making process, higher accountability, usually multiple & intangible
goals, services or public goods usually not for sale, more political influence, higher level of
IT outsourcing, higher skilled IT staff turnover and more shared IT resources, applications
and technical support instead of proprietary IT (Campbell et al., 2010; Liu & Ridley, 2005)
and control over IT function is even more crucial in PSOs (Liu & Ridley, 2005; Beaumaster,
2002). As a result, IT developments, implementations and governance in PSOs appear behind
private sector organizations due to such contextual differences (Campbell et al., 2010).
However, the quick development of technology over the past decade has narrowed down the
gap between the two sectors.
IT governance is relatively a new discipline and in developing countries, its implementation
is in early stages. Prior research mainly focuses on the PSOs of developed countries and little
research has been conducted in the PSOs of developing countries (Al Qassimi & Rusu, 2015;
Nfuka & Rusu, 2010) and even PakPSOs remained unexplored so far. This has emphasized
the need to investigate and implement IT governance in PakPSOs through contextualized
research.
Page 18
3
This study investigates and analyzes IT governance in PakPSOs and proposes an IT
governance implementation framework for these organizations. The framework is developed
and evaluated using design science research approach. The design science research is used to
develop and evaluate IT artifacts to solve known problems in organizations (Hevner et al.,
2004). IT artifacts are not only computer and computer systems but also a complex and
changing combination of people, technology and organization (Dahlbom, 1996). An IT
artifact can be a construct, model, instantiation or method (Hevner et al., 2004). However, the
researcher prefers method in the form of a framework for the purpose of this study.
This research study is conducted into four phases. In research phase 1, the existing state of IT
governance in PakPSOs is determined in terms of maturity and compared with a developed
country (Australia), a developing country (Tanzania) and the international public sector
benchmark for learning, benchmarking and embracing best practices. This is paramount to
understand the relevant IT governance context of PakPSOs in terms of maturity as compared
to others. In research phase 2, the relevant IT governance practices in PakPSOs are identified
in terms of Critical Success Factors (CSFs) through systematic literature review and
operationalised in PakPSOs through multi-case study approach. This is paramount to
understand what is being happened in PakPSOs and which practices are more relevant to this
environment. In research phase 3, the effect of the identified practices of phase 2 is tested and
analyzed on IT outcomes i.e. desired behavior in PakPSOs. The purpose is to validate a set of
the relevant practices in PakPSOs that can be used as basic building blocks of the proposed
framework. In research phase 4, the proposed IT governance implementation framework is
developed and evaluated using design science research approach based on the results of
previous research phases, more literature review, focus groups‟ responses and qualitative &
quantitative opinions and experiences in PakPSOs.
The proposed framework consists of the practices in terms of CSFs, the activities to
implement these practices, suitable roles and appropriate IT resources to execute the activities
and the operating environment in which it ought to be implemented. As compared to other
frameworks from the relevant literature, the proposed framework provides a holistic view by
not only covering five focus areas of IT governance i.e. strategic alignment, value delivery,
risk management, resource management and performance measurement but also wrapping
three perspectives of IT-business alignment i.e. human, social and intellectual perspectives
which lack in previous studies.
Page 19
4
1.3 Rationale for the Study
The significance of information systems in contemporary businesses can hardly be
undermined. A vast majority of business leaders (87%) believe that information systems are
critical for strategic success (Chen et al., 2010). Consequently, IT spending is persistently
getting higher and IT expenditure on average representing more than 4% of revenue in
organizations (Lazic et al., 2011). IT governance has attracted much attention in literature. It
is a key enabler and success factor for business performance. A study on IT governance
performance reveals that top performing organizations produce up to 40 percent more profit
than their competitors and organizations with above average IT governance produce more
than 20 percent profit than organizations with poor IT governance adopting the same strategy
i.e. customer intimacy (Weill & Ross, 2004). Another study on IT governance success
describes that many leading organizations apply IT governance to quest for increase in
efficiency, accountability and comply with regulatory and other forms (Lee et al., 2008).
Hence, IT governance is no more “nice to have” but it is “must have” because of increasing
IT investments in businesses for higher returns on assets (Webb et al., 2006). This has
emphasized the need to investigate and implement IT governance in organizations.
The need for effective IT governance has also been realized in PakPSOs because Pakistan has
introduced many adjustments to commercial and regulatory policies that, among other things,
have led towards a converged IT sector. This has also been accelerated by “National IT
Policy and Action Plan (2000)” and “E-Government Strategy and 5-Year Plan for the Federal
Government (2005)”. The PakPSOs have observed remarkable improvements regarding the
investment, use and demand of IT for public service delivery due to these adjustments.
Various IT applications like electronic processing of internal files, e-filing of income tax
return and citizen online etc. are functional in various PakPSOs. Other e-government projects
are under implementation. However, for envisaged improvement of public service delivery,
effective IT governance practices are not fully realized within and across various PakPSOs.
This has emphasized the need to investigate and implement IT governance in PakPSOs.
IT governance implementation in PSOs is more complex than their private counterparts due
to various reasons including complex intra and inter-organizational interactions and synergies
(Weill & Ross, 2004), more bureaucracy and less managerial autonomy (Lane, 2000), wider
accountability and expectations (Liu & Ridley, 2005), difficulties in setting goals and
measuring performance against these goals (Weill & Ross, 2004), changing ministerial needs
Page 20
5
legislations and frequent rollout of top management (Liu & Ridley, 2005), more legal and
cultural needs (Lane, 2000) and difficult process improvement (Shad et al., 2011). Especially,
the PSOs in developing countries are very challenging. These are affected by low institutional
capacity, limited involvement of stakeholders, high level of corruption and informality which
obstruct their decision-making, control and accountability (Mimba et al., 2007). The IT
context of the PSOs in developing countries is generally characterized by low human
development, limited IT resources, inadequate related knowledge, constraints on culture
(Nfuka & Rusu, 2011). For example, Pakistan is a developing country because Pakistan‟s
HDI is 0.550 by 2016 (UNDP, 2017) which is much lower than world average (0.717).
Pakistan is also facing limited IT resources because IT infrastructure and IT literacy
relatively remained low (MOIT, 2017) despite the outstanding raise in total tele-density (with
major contribution of mobile density) from 4.31% in 2002-03 to 72.41% up to March 2017
(PTA, 2017). Knowledge and culture are other constraints (Aasi et al., 2014). These
limitations are also coupled with the basic competing needs of citizens like electricity and
clean water and law and order problems and menace of terrorism in the country which restrict
the flow of resources towards IT. This has emphasized the need to investigate and implement
IT governance through contextualized research.
Many generic frameworks are considered to be as best practices to implement IT governance
in organizations e.g. Control Objectives of Information and Related Technologies (COBIT),
Information Technology Infrastructure Library (ITIL) and ISO/IEC 38500 are some among
others. However, these frameworks have their roots largely in private sector organizations
and resultantly less IT governance research has been conducted on these frameworks in the
perspective of PSOs (Nfuka & Rusu, 2011). These frameworks are too complex, generic and
expensive due to which organizations often deem the practice daunting and unattainable
(Zhang & Le Fever, 2013; Upfold & Sewry, 2005). These frameworks are mainly of process-
based nature and rarely focus on CSFs which are limited number of areas where focus can be
given for success. Moreover, these frameworks suggest “one size fits for all” approach for all
organizations in all situations. However, specific context of the organization should be
considered while implementing IT governance (Ribbers et al., 2002). This has emphasized
the need to develop an IT governance implementation framework based on CSFs approach
through contextualized research i.e. PakPSOs, previously unexplored. Owing the importance
and potential of IT governance and scarcity of previous research in PSOs of developing
countries especially in PakPSOs and inherent weaknesses of the existing frameworks
aforesaid, the researcher selected this study.
Page 21
6
The researcher selected design science research approach to develop and evaluate IT
governance implementation framework due to its relevance with behavioral science (Peffers
et al., 2008).
1.4 Problem Statement
Pakistan like other developing countries has been experiencing various problems regarding
the development, adoption and diffusion of technology in the country because technologies
have mainly shifted from the developed countries. However, the government of Pakistan has
enhanced the use of IT in the country as an investor, consumer, regulator and strategist like
other developed countries. Various efforts have been made by the government to uplift IT in
PakPSOs. For example, IT Board in each province and IT Directorates at district level have
been established to diffuse IT in every government department to promote economic growth
of Pakistan. Various PakPSOs have started their IT based operations to improve quality and
efficiency of public services in line with high standard of work ethics. Records of many
PakPSOs are being computerized on priority basis. Computer training has become mandatory
for every government employees to promote and implement e-government concept. However,
for envisaged improvement of public service delivery, effective IT governance practices are
not yet fully realized within and across various PakPSOs.
Nevertheless, PakPSOs like other developing countries are experiencing many governance
related problems regarding the use of IT which include: 1) fragmented IT initiatives including
IT enabled business applications and infrastructure in and across organizations (Kamal et al.,
2013; Qaisar & khan, 2010) resulting in economies of scale and synergistic losses, 2) lack of
identified critical areas where focus can be given for success (Haider et al., 2016; Nfuka &
Rusu, 2011), 3) lack of mutual understanding between business management and IT
personnel to plan, implement and monitor IT enabled business applications and infrastructure
(Qaisar & khan, 2010; Kundi et al., 2008), 4) lack of active performance measures, controls
and clear coordination regarding government activities, computerization and support in and
across organizations (Qaisar & khan, 2010; Bakari, 2007), 5) difficulties in holding
accountability of individuals for their results and addressing ineffective use of available IT
professionals for optimal use of IT (Kamal et al., 2013; Nfuka et al., 2009), 6) difficulties in
handling higher expectations regarding the contribution of IT for the responsive public sector
(MOIT, 2017; EGD, 2005), 7) higher rate of strategic IT projects failure including over-
Page 22
7
budgeting, unfulfilled promises and abandonment (Haider et al., 2016), 8) lack of focus on
non-traditional view of IT projects implementation success i.e. looking into the value that IT
projects provide to the stakeholders instead of traditional view of success i.e. project delivery
on time and within budget (Haider et al., 2016).
The aforesaid governance-related problems regarding the use of IT are also enlarged due to
inadequate focus given to the best practices for optimal use of IT resources and their
management which result in serious consequences. These consequences include IT
investment loss, reputation loss, duplication of efforts, increased redundancy, user frustration
and poor decision-making (Nfuka & Rusu, 2011). This has led to the problem in this research
namely “IT governance in PakPSOs is ineffective”.
Various researchers have responded to this problem and investigated IT governance in PSOs
of developed countries (Wiedenhoft et al., 2017; Dawson et al., 2016; Juiz et al., 2014;
Campbell et al., 2010; Hoch & Payan, 2008; Ali & Green, 2007; Liu & Ridley, 2005 etc.).
However, a little IT governance research has been conducted in the context of PSOs in
developing countries (Al Qassimi & Rusu, 2015; Nfuka & Rusu, 2010). The situation is even
worst in PakPSOs which have not previously been explored.
Generic standards and frameworks also possess some inherent inadequacies and weaknesses
regarding the research objectives and the context of this study i.e. PakPSOs. The COBIT,
ITIL and ISO/IEC 38500 are most prominent among others. These frameworks are mainly of
process-based nature and rarely focus on CSFs. Moreover, these frameworks lack in
providing a holistic view of CSFs. Generality, complexity, expensiveness, need of
customization at large scale and required expertise are major weaknesses of these
frameworks. For example, the COBIT framework possesses complicated concepts and
structure and lack of implementation guidance, therefore, overwhelming to implement
(Zhang & Le Fever, 2013). The ITIL concentrates only on IT service management and does
not cover the entire scope of IT governance (Simonsson et al., 2010). The ISO/IEC 38500
principles have a high-level, top-down organizational focus and can easily be misinterpreted.
A framework which is easy to understand and implement by both business management and
IT personnel with less expertise and resources is required for the study environment. This has
emphasized the need for further research to investigate IT governance and develop an
implementation framework through contextualized research in the study environment i.e.
PakPSOs.
Page 23
8
1.5 Aims & Objectives
The aims of this research study are to determine and analyze the existing state of IT
governance in PakPSOs and develop and evaluate a CSFs based framework for effective IT
governance implementation. The objective is to augment the IT outcomes i.e. desirable
behavior in PakPSOs. This could help to improve and sustain public service delivery in
PakPSOs. The study underpins mainly public value management theory. The theory of public
value management essentially asserts that managers in public organizations should make
active endeavors on behalf of the public to create increased public value like managers in
private organizations strive to gain superior private value (Moore, 1995). This theory has
been conceptually applied in various studies to answer the question of how superior public
value can be created through the effective use of IT resources in public sector (Pang, Lee, &
DeLone, 2014; Andersen et al., 2010; Norris & Moon, 2005). The framework is developed
and evaluated using design science research approach.
Following are the sub-objectives of the study.
To determine and analyze the existing state of IT governance in PakPSOs in terms of
maturity.
To identify and analyze the relevant IT governance practices in PakPSOs in terms of
CSFs.
To test and analyze the effect of relevant IT governance practices on IT outcomes in
PakPSOs.
To develop and evaluate a framework for effective IT governance implementation in
PakPSOs.
1.6 Research Questions
The following four research questions are investigated to achieve the aforesaid objectives.
RQ1: What is the existing state of IT governance in PakPSOs?
Page 24
9
It is paramount to determine and analyze the existing state of IT governance in organizations
before its implementation because the success of IT governance implementation depends on
the careful examination of the existing state of IT governance i.e. maturity (Pereira & Silva,
2012). This has raised the first research question of this study i.e. RQ1: What is the existing
state of IT governance in PakPSOs?
RQ2: Which IT governance practices are relevant to PakPSOs?
Effective IT governance can be implemented through a set of best practices. However, these
practices may be different in different organizational contexts. Therefore, it is paramount to
identify the relevant practices for a specific organizational context to implement IT
governance. This has raised the second research question of this study i.e. RQ2: Which IT
governance practices are relevant to PakPSOs?
RQ3: What is the effect of relevant IT governance practices on IT outcomes in PakPSOs?
The identified IT governance practices are only effective when these satisfy the desirable
behavior in organizations i.e. IT governance or IT outcomes success. This has raised the third
research question of this study i.e. RQ3: What is the effect of relevant IT governance practices on
IT outcomes in PakPSOs?
RQ4: How can effective IT governance practices be implemented in PakPSOs?
The identification and validation of the effective practices for a study environment is not the
final step in implementing IT governance. This does not automatically solve the problem of
ineffectiveness. The real challenge is to implement these practices in the study environment.
This has raised the fourth research question of this study i.e. RQ4: How can effective IT
governance practices be implemented in PakPSOs?
The linkage of research problem, questions and objectives of this study are shown in Figure
1.1.
Page 25
10
RQ1: What is the
existing state IT
governance in PakPSOs?
RQ2: Which IT
governance practices
are relevant to PakPSOs?
RQ3: What is the
effect of relevant IT
governance practices on IT outcomes in
PakPSOs?
RQ4: How can effective IT
governance practices
be implemented in PakPSOs?
IT governance in PakPSOs is
ineffective
RO1: To determine
and analyze the
existing state of IT governance in
PakPSOs in terms of
maturity
RO2: To identify and
analyze the relevant
IT governance practices in PakPSOs
in terms of CSFs.
RO3: To test and
analyze the effect of
relevant IT governance practices
on IT outcomes in
PakPSOs.
RO4: To develop and
evaluate a framework
for effective IT governance
implementation in
PakPSOs.
Sub-objectives
Research Questions
Research Problem
To augment the IT outcomes i.e. desirable
behavior in PakPSOs Main Objective
Figure 1.1: The linkage of research problem, questions and objectives
Page 26
11
1.7 Research Phases
This research study is carried out into four phases. Each research question is investigated into
a separate research phase. In this way, the four research questions are investigated into four
research phases.
Phase 1- In this phase, the first research question of this study is investigated i.e. RQ1: What is
the existing state of IT governance in PakPSOs? The objective of this phase is to determine and
analyze the existing state of IT governance in PakPSOs in terms of maturity and compare it
with a developed country (Australia), a developing country (Tanzania) and the international
public sector benchmark for learning, benchmarking and embracing best practices.
Phase 2- In this phase, the second research question of this study is investigated i.e. RQ2:
Which IT governance practices are relevant to PakPSOs? The objective of this phase is to
identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs.
These practices are identified through systematic literature review and operationalised in
PakPSOs through multi-case study approach.
Phase 3- In this phase, the third research question of this study is investigated i.e. RQ3: What
is the effect of relevant IT governance practices on IT outcomes in PakPSOs? The objective
of this phase to test and analyze the effect of the identified IT governance practices of phase 2
on IT outcomes in PakPSOs.
Phase 4- In this phase, the fourth research question of this study is investigated i.e. RQ4:
How can effective IT governance practices be implemented in PakPSOs? The objective of
this phase is to develop and evaluate a framework for effective IT governance implementation in
PakPSOs.
1.8 Research Scope
The scope of the research needs to be narrowed down to ensure the sufficient level of internal
validity within a research project (Cook & Campbell, 1979). They argued that in applied
research, internal validity has priority over external validity and construct validity. Therefore,
due to the applied nature of this research, the researcher‟s main focus is on internal validity.
The scope of the research is narrowed down on multiple aspects to ensure sufficient level of
internal validity. First, the scope is reduced in geographic terms to avoid cultural and regional
Page 27
12
differences. For this, Pakistan is selected as a developing country. Second, the scope is
reduced in terms of industry/sector because the implementation of IT governance may be
different in different types of industries. For this, public sector is selected to focus only on
one sector. Public sector is selected due to scarcity of IT governance research in this sector
(Nfuka & Rusu, 2010; Ali & Green, 2007).
Third, the scope is also reduced in terms of organizational levels. IT governance is
implemented at three levels: 1) strategic level where board is involved; 2) management level
where executive management is involved and 3) operational level where IT management is
involved (De Haes & Van Grembergen, 2006). Usually, IT management is involved in
strategic IT projects but involvement of executive management and board is also crucial to
achieve desired results. As most IT initiatives in PakPSOs are undertaken in the form of e-
government projects which are usually strategic IT projects, therefore, the study specifically
focuses on IT management level with necessary intervention of executive management at this
level.
Finally, the scope is reduced in terms of IT governance practices. There could be many
practices that lead towards effective IT governance implementation, for example, portfolio
management, knowledge management and benefit management & reporting etc. This study
mainly focuses on CSFs of effective IT governance in research questions 2, 3 and 4.
However, this study uses IT processes of COBIT framework in research question 1 where the
purpose is to determine the existing state of IT governance in PakPSOs. The measures taken
for the reduction in research scope obviously affect the external validity or generalisability of
this research. The inclusion of other countries, industries/sectors, organizational levels and
other/new practices would be the motivating area for future research.
1.9 Structure of the Thesis
This thesis contains nine chapters. It begins with the introduction of the study followed by the
literature review. In the third chapter, methodology of the research is described in detail.
Chapters 4, 5 & 6 present the results of research phases 1, 2 & 3 respectively. Seventh and
eighth chapters provide the results of research phase 4. The conclusions, contributions,
limitations and recommendations are given in chapter 9. Here is the brief description of each
of the chapters.
Page 28
13
The chapter 2 presents the literature review. This chapter provides an understanding of IT
governance and its various definitions, general standards and frameworks with their strengths
and weaknesses, public sector organizations & their characteristics and previous research in
the field of IT governance. This results in author‟s review of literature in line with the
research topic, questions and objectives to identify the research gap.
The chapter 3 presents the research methodology and process to conduct this research. This
chapter describes the research phases and research philosophy and methods applied to this
research. The underlying data collection techniques and analysis approaches are discussed in
this chapter. It provides the complete research process of the study in detail. The issues of
validity and reliability are also discussed in this chapter.
The chapter 4 provides the results of research phase 1. In this chapter, the existing state of IT
governance in PakPSOs is determined and analyzed and compared with others for learning,
benchmarking and embracing best practices.
The chapter 5 provides the results of research phase 2. In this chapter, the relevant IT
governance practices in PakPSOs are identified through systematic literature review and
operationalised in PakPSOs through multi-case study approach. The practices are then
analyzed, discussed, and conclusion is made based on results.
The chapter 6 provides the results of research phase 3. In this chapter, the statistical effect of
the relevant practices in research phase 2 is tested and analyzed on IT outcomes in PakPSOs.
The results are presented, discussed and conclusion is made.
The chapter 7 provides the results of the development phase of the proposed framework. In
this chapter, the initial and the first version of the framework are developed based on the
results. Both versions of the framework are presented in this chapter along with discussion
and conclusion.
The chapter 8 provides the results of the evaluation phase of the proposed framework. It
provides the introduction of the case where the framework is evaluated and the results of the
case study. The second version of the framework is presented in this chapter along with
discussion and conclusion.
The chapter 9 presents the conclusions, contributions, limitations and recommendations of
the study. It provides the summary of the entire study. It also describes the proposed
framework, its elements and implementation considerations in detail. Moreover, the
contributions of the study are presented in this chapter. Furthermore, the limitations of the
study and recommendations are pointed out in this chapter.
Page 29
14
2 Literature Review
2.1 Chapter Objectives
This chapter provides the author‟s review of literature in line with the research topic,
questions and objectives of the study to identify the research gap for its research questions
and objectives. Literature review begins with the overview of IT governance. In the third
section, the previous research on IT governance maturity is presented, discussed and analyzed
which results into the research gap for the research question 1 of this study. In the fourth
section, prior research on IT governance CSFs is presented, discussed and analyzed to
identify to the research gap for the research question 2 of this study. In the fifth section, the
concept of IT outcomes i.e. desirable behavior in terms of strategic IT projects‟ success is
presented, discussed and analyzed to provide rationale for investigating the research question
3 of this study. In the sixth section, generic IT governance implementation frameworks are
presented, discussed and analyzed with their strengths and weaknesses towards the context of
the study which results into the research gap for the research question 4 of this study. In the
seventh section, the context of public sector organizations is discussed and analyzed in detail.
The eights section provides an overview of previous studies in the field of IT governance.
The consolidated research gap is presented in the ninth section. The last section summarizes
the most important points of this chapter.
2.2 Overview of IT Governance
This section provides the overview of IT governance and related concepts.
2.2.1 Emergence of IT Governance
The fundamental concepts of IT governance were implicitly investigated by various
researchers up to early 1990s (Ives & Jarvenpaa, 1991; King, 1978; Garrity, 1963). The
Page 30
15
explicit concept of IT governance started to appear in literature when Henderson and
Venkatraman (1993) introduced the term “IT governance” in their seminal paper. They
described IT governance as selection and use of mechanisms to obtain and deploy IT
competencies. They proposed various mechanisms for positioning the organization in the IT
marketplace. IT governance was one among these mechanisms. The other mechanisms were
technology capability, human capability and value management. They pointed out that IT
governance is about centralization and decentralization of decision-making. Brown and Grant
(2005) described that the notation of IT governance frameworks appeared in the academic
literature by the work of others e.g. Sambamurthy and Zmud (1999) and Brown (1997) in the
late 1990s. Earlier IT governance research focused on exercise of IT arrangements and locus
of decision-making authority and mainly investigated centralized and decentralized decision-
making arrangements in organizations (King, 1983). Later on, federal or hybrid arrangements
identified (Brown & Magil, 1998). Subsequently, more complex arrangements had been
found in organizations (Weill, 2004). In centralized IT governance arrangement, decisions are
made by central or corporate unit whereas in decentralized IT governance arrangement,
decisions are made by individual business units (Sambamurthy & Zmud, 1999). In federal or
hybrid IT governance arrangement, some decisions are made by corporate unit and others are
made by business units (Sambamurthy & Zmud, 1999).
2.2.2 IT Governance Definitions
IT governance is a structure and process through which organizations make right IT
investment to ensure that the resulting activities (programs, projects & operations) are
performed properly and desired benefits are achieved and preserved (Selig, 2016). It focuses
on several aspects of IT management such as IT strategy and its association with overall
organizational strategy, IT architecture and its level of standardization & integration,
organizational policies for IT infrastructure & applications and IT investment &
prioritization. It covers all assets related to IT like financial, human, physical, data and
intellectual property. It is an integral part of corporate governance which deals with how a
corporation is directed and controlled and how stakeholders work with each other to achieve
corporate goals. IT governance is implemented at organizational level and affects the culture
of the entire organization. It directs business processes end-to-end and aligns these processes
across organizational boundaries. It means IT governance is not limited to top management
Page 31
16
but affects the processes throughout the organization. It deals with both managerial and
cultural aspects for selecting, adopting and using IT in the organization and is a holistic
approach for managing IT. IT governance is an endeavor by the entire organization with
suitable structures, processes and procedures in place to support the judicious and effective
use of IT to achieve organizational objectives. IT governance is implemented using a mixture
of structures, processes and relational mechanisms (Bianchi & Sousa, 2016; Bermejo et al.,
2014; De Haes & Van Grembergen, 2009). At its most basic level, it deals with the decisions
around IT investment i.e. what decisions are made and who make the decisions (structures),
how the decision are implemented (processes) and how the decisions are communicated
(relational mechanisms). IT governance has been defined by various researchers in various
ways. Most renowned and frequently used definitions in the literature are as under:
“Policies, procedures and systems for the allocation of design-rights to the key decision
makers both within the organization as well as external vendors and/or partners responsible
for IT management” (Venkatraman et al., 1993).
“The organizational capacity exercised by the board, executive management and IT
management to control the formulation and implementation of IT strategy and in this way
ensure the fusion of business and IT” (Van Grembergen, 2002).
“IT governance is the responsibility of the board of directors and executive management. It is
an integral part of enterprise governance and consists of the leadership and organizational
structures and processes that ensure that the organization‟s IT sustains and extends the
organization‟s strategies and objectives” (ITGI, 2007).
“Specifying the decision rights and accountability framework to encourage desirable
behavior in the use of IT” (Weill & Ross, 2004).
“IT governance is the system by which an organization‟s IT portfolio is directed and
controlled. IT governance describes (a) the distribution of IT decision-making rights and
responsibilities among different stakeholders in the organization, and (b) the rules and
procedures for making and monitoring decisions on strategic IT concerns” (Peterson, 2004).
Page 32
17
“IT governance is the strategic alignment of IT with the business such that maximum
business value is achieved through the development and maintenance of effective IT control
and accountability, performance management and risk management” (Webb et al., 2006).
Except the first definition, all other definitions provide the IT governance purpose i.e.
strategic alignment (alignment of IT with business). In the definition of Weill and Ross
(Weill & Ross, 2004), “the desirable behavior in the use of IT”, implicitly means that
desirable behavior leads to the execution of the intended strategy and hence represents
strategic use of IT. All the definitions directly or indirectly focus on allocation of decision
rights, responsibility and accountability for IT activities in organizations.
2.2.3 IT Governance and Corporate Governance
Most of the corporate governance principles can be applied to IT governance because IT
organization itself is a business within a business (McFarlan & McKenney, 1983). IT
governance is implemented to achieve corporate performance goals (Weill & Ross, 2004). It
is an integral part of corporate governance (ITGI, 2007) rather than a complement of it. The
relationship between corporate governance and IT governance established by Weill and Ross
(Weill & Ross, 2004) is shown in Figure 2.1.
Page 33
18
Figure 2.1: Corporate and key asset governance (Weill & Ross, 2004)
They defined six key organizational assets that organizations use to implement strategies and
create business value: human assets (people, skills & competencies), financial assets;
physical assets (buildings, plants & equipment), intellectual property (process know-how),
information assets (data & information) and relationship assets (brand & reputation). They
also identified various organizational mechanisms to govern these key assets such as
structures, processes, committees, procedures and audits etc. Their study revealed that
physical and financial assets typically best governed in the organizations whereas information
assets typically worst governed. They suggested that common mechanisms should be used to
govern multiple assets in order to achieve high business value from these assets i.e. the same
committee should govern both IT and financial assets.
Page 34
19
2.2.4 IT Governance and IT Management
IT governance and IT management are two related but different concepts. The difference
between the two terms is fundamental due to the distinct activities despite in some cases are
performed by the same individual (Bird, 2001). Bird (2001) highlights this distinction by
stating that managers “manage organizations by virtue of the authority delegated to them by
those who govern”. Another study argues that governors are responsible for overall
organizational policy, direction and culture whereas managers administer, design, apply and
examine business strategies on operational basis (Webb et al., 2006).
Peterson (2004) advocates that IT management is involved in managing existing IT
operations and effective supply of IT products/services whereas IT governance is involved in
performing and transforming IT to fulfill existing and future business needs internally and
customers needs externally. Peterson (2004) further states that “this does not undermine the
importance and complexity of IT management, …, but whereas elements of IT Management
and the supply of (commodity) IT services and products can be commissioned to an external
provider, IT Governance is organization specific, and direction and control over IT cannot
be delegated to the market”.
ISACA (2012) makes the distinction as “Governance ensures that stakeholder needs,
conditions and options are evaluated to determine balanced, agreed-on enterprise objectives
to be achieved; setting direction through prioritization and decision making; and monitoring
performance and compliance against agreed-on direction and objectives” whereas
“Management plans, builds, runs and monitors activities in alignment with the direction set
by the governance body to achieve the enterprise objectives”.
2.3 IT Governance Maturity
One way to assess the IT governance success is the use of IT governance maturity
measurements (Dahlberg & Lahdelma, 2007). Organizations with higher IT governance
maturity of structures and processes showed higher IT governance performance (De Haes &
Van Grembergen, 2008). IT governance maturity indicators with higher maturity levels
strongly correlated with higher IT governance performance (Simonsson et al., 2010). Also,
Page 35
20
specific context of the organizations and their geographical situations are important to
implement IT governance (Ribbers et al., 2002).
Previous IT governance research in PSOs mostly focused on IT governance approaches,
contingency factors and mechanisms for effective IT governance (Nfuka & Rusu, 2010; Ali
& Green, 2007; Lawry et al., 2007; Warland & Ridley, 2005; Weill & Ross, 2004). A few
studies were performed to measure IT governance maturity in PSOs. A study on IT control
and governance maturity was conducted after performing an international survey to set up a
reference benchmark (Guldentops et al., 2002). After interviewing approximately 20 senior
IT and audit practitioners, 15 most important IT processes were finalized out of 34 IT
processes of COBIT framework. Four classes of international benchmarks were finalized
based on maturity levels of control over IT processes: mixed, size, industry and geography.
The results indicated that majority of IT processes had maturity levels between 2 and 2.5.
Larger organizations showed higher maturity than smaller organizations. The finance sector
showed higher maturity than others sectors. Public sector showed higher maturity in planning
domain due to existence of policies and regulations. Asia and Oceania and global working
companies showed higher maturity than Americas, Europe, Middle East and Africa. Another
study investigated maturity of IT processes in the PSOs of Australia (Liu & Gail Ridley,
2005). The study used 15 IT processes earlier identified (Guldentops et al., 2002). The results
revealed that the Australian PSOs performed better than the other nations and majority of IT
processes had maturity levels between 3 and 3.5. The same 15 most important IT processes
ere used in the PSOs of Tanzania in the perspective of a developing country (Nfuka & Rusu,
2010). The results revealed that the Tanzanian PSOs performed lower than the Australian
PSOs and also internationally across a range of nations and majority of IT processes had
maturity levels below 2. It is obvious from the above literature review that most of the
previous studies investigated IT governance maturity in the context of PSOs in developed
countries. However, no study has investigated IT governance maturity in the context of PSOs
in a developing country that benchmarked a developed country, a developing country and the
international public sector across a range of nations simultaneously. This has created a gap
for the first research question of the study i.e. RQ1: “What is the existing state of IT
governance in PakPSOs?”
Page 36
21
2.3.1 Concept of Process Maturity in COBIT
The aim of the maturity model is to assist improvements in organizations. Both internal and
external stakeholders of an organization can use maturity models. For internal stakeholders,
maturity models can be used for capability development of the organization such as to assess
the current state i.e. “as–is” and set goals for future state i.e. “to-be” to discover strengths and
weaknesses and observe the success of the improvement implementation plan. For external
stakeholders such as owners, partners or customers, maturity models can be used to assess the
organization‟s capability to evaluate how the organization meet the requirements they have
set for it. Moreover, organizations can use maturity models for benchmark purposes to
compare their capabilities to the industry. Some maturity models support independent
external assessment. Organizations can improve their image by attaining evidence of high
maturity level from external assessment. Maturity models are used not to measure the actual
results achieved in the organization rather they consider and assess the policies, processes and
practices of the organization. COBIT borrows the concept of process maturity from
Capability Maturity Model (CMM) of Software Engineering Institute (SEI) which has its
roots in software development and expands it to the variety of processes of the framework for
complete IT investment lifecycle. There are five maturity levels (in addition of 0 level) to
measure maturity of IT processes: “0-Non-existent”; “1-Initial”; “2- Repeatable”; “3-
Defined”; “4-Managed”; and “5- Optimized” (Humphrey, 1988). Several maturity models
utilize these maturity levels. Each level of process maturity has three definitions in COBIT
i.e. generic, process-specific and attribute specific. COBIT claims that different processes
may have different maturity levels in and across organizations and path to higher
organizational maturity may also differ across domains and processes. It is economically
inappropriate that all processes to be at level “5- Optimized” because benefits associated with
a specific process may not justify the costs to attain and sustain it. The level of a process
maturity depends on individual process, organizational needs and priorities, IT infrastructure
and industry characteristics. For example, it may be reasonable for one process to be at level
“2-Repeatable” but it would be highly unsuitable for another more-critical process at that
level.
Page 37
22
2.4 IT Governance Critical Success Factors (CSFs)
The CSFs are “the limited number of areas in which results, if they are satisfactory, will
ensure successful competitive performance for the organization” (Rockart, 1979). These
factors are used to direct the focus on key areas central to the organizations‟ objectives where
they invest their resources for success (Ward & Peppard, 2002). Due to their importance,
such factors are applied in various perspectives from a single project to the whole
organization (Esteves, 2004). Here is a brief overview of some of the previous studies on IT
governance CSFs.
Luftman et al. (1999) identified six enablers of IT-business alignment which is one of the
objectives of IT governance (ITGI, 2007). The results indicated that these enablers were
senior management support, involvement of IT personnel in strategy development,
understanding of IT personnel about business, IT/business partnership, well-prioritized IT
projects and the role of IT leadership. Teo and Ang (999) conducted a survey in 169
organizations and identified 18 CSFs for strategic alignment by considering it as the key
objective of IT governance. The results revealed that the three top most CSFs were top
management commitment, IT management business knowledge and top management
confidence in the IT department. Ribbers et al. (2002) highlighted the need of strategic
integration of IT/business decisions, shared understanding among key stakeholders and
developing collaborative relationships among key stakeholders for effective IT governance
processes. ITGI (2003) proposed 11 CSFs for implementing effective IT governance in
organizations. These CSFs included considering IT as an integral part of the enterprise,
awareness, stakeholders‟ engagement, accountability, communication and monitoring across
the organization. Guldentops (2004) presented five CSFs. These CSFs mainly deal with
structures and processes for governance and control of IT. His study mainly focused on
formulation of IT strategies and various committees, alignment of IT-business in strategies
and operations, cascading of IT strategies and goals, applying emerging management
practices and implementing a governance and control framework for IT. Weill (2004)
identified eight success factors that are critical to effective IT governance. These included
transparency of IT governance mechanisms to all managers, actively designed mechanisms,
infrequently redesigned mechanisms, education about IT governance, simplicity of IT
governance arrangements, existence of exception handling process, governance designed at
multiple organizational levels and aligned incentives. PwC and ITGI (2006) identified six
Page 38
23
CSFs after survey of 50 CIOs worldwide. These CSFs included senior management support,
communication, enforcements, measuring benefits, change management and not over
engineering the process. Tan et al. (2007) conducted a study in Australian PSOs based on
ITIL framework and found that senior management commitment, awareness and training,
performance/benefit management, appropriate guidelines and the use of an integrate tool set
were among the essential factors for success. Bowen et al. (2007) also suggested four
influential factors for effective IT governance. These included a shared understanding among
IT/business, active involvement of committees, balanced representation of IT/business
personnel in committees and well-communicated IT strategies and policies. De Haes and Van
Grembergen (2008) investigated ten minimum baselines IT governance practices. These
practices were validated as minimum necessary conditions for implementing IT governance
in the financial service sector of Belgian. The results indicated that IT steering committee and
IT leadership were at the top of the list. Hoch and Payan (2008) investigated IT governance
in the PSOs of Germany and proposed five factors for effective IT governance
implementation in the context of PSOs. These factors included IT leadership‟s mandate,
organizational structure, decision-making process, mindset & skills and performance metrics
& incentives. Pollard and Cater-Steel (2009) conducted multi-case study in two companies of
U.S.A and two companies of Australia to study CSFs for successful implementation of ITIL
framework. The results indicated that six previous studied CSFs were confirmed and three
new were found which included creating an ITIL-friendly culture, process as a priority, and
customer- focused metrics. Aggarwal (2008) investigated CSFs of IT alignment in public
sector petroleum industry of India and found that strong financial position, extensive
computer facilities, strong market position, strong technical expertise, existing IT leadership
position, IT takes care of the human factor, sharing of IT resources, prioritization of IT effort
and IT/business partnership were confirmed as CSFs. Nfuka and Rusu (2010) conducted a
case study research in five PSOs of Tanzania in the perspective of a developing country.
They investigated the CSFs to implement effective IT governance in these organizations. The
study found 11 CSFs in five focus areas of IT governance mentioned by COBIT. The
research revealed that most of the CSFs belonged to the strategic alignment focus area of
COBIT which means IT-business alignment was an important issue in the PSOs. Nenickova
(2011) found, analyzed and summarized the most CSFs for ITIL implementation best
practices in managing and delivering ICT services in large companies. He categorized these
factors as process related versus people related and internal versus external. The result
indicated that right tools and techniques, IT-business alignment, performance tracking &
Page 39
24
measurement are process related and external factors. Optimizing competitive advantage,
services portfolio alignment, costs alignment and benefits realization of ICT are process
related and internal factors. Leadership, roles & responsibilities establishment, commitment
& participation and awareness & understanding are people related and external factors.
Optimizing IT functions is people related and internal factor. Kurti et al. (2013) performed a
review of current research on CSFs of IT-business alignment. They have identified 10 CSFs
categorized into three dimensions: human, social and intellectual. The results indicated that
most of the CSFs belonged to the human dimension. Razak and Zakaria (2014) identified 18
CSFs in Malaysian PSOs through Delphi research. They categorized the CSFs into five areas:
cost reduction, innovation, agility, customer satisfaction and compliance. Alreemy et al.
(2016) studied and extracted CSFs for effective IT governance implementation from the
literature. These factors were further analyzed, categorized and synthesized to create the
success factors for IT governance framework. The process resulted in 15 CSFs categorized in
five areas: strategic alignment; environmental effect (external); organizational effect
(internal); performance management; and resource management. The results indicated that
most of the CSFs belong to strategic alignment and organizational effect (internal) areas.
A comprehensive review of the previous literature on IT governance CSFs reveals that no
study has been conducted to identify the public sector relevant CSFs by adopting a holistic
approach that can cover five focus areas of IT governance and three aspects of IT-business
alignment and even PakPSOs remained unexplored. This has created a gap for the second
research question of the study i.e. RQ1: “Which IT governance practices are relevant to
PakPSOs?”
2.5 IT Outcomes (desirable behavior in public sector of a developing country)
Most IT initiatives in PSOs are undertaken in the form of e-government projects which are
usually strategic IT projects and PakPSOs are no exception. These projects are integrated
with business processes of organizations. However, these projects face the risk of being
abandoned, over budgeted and/or unfulfilled promises and situation is even worst in the PSOs
of developing countries. Strategic IT projects‟ success is an effective indicator of good IT
governance (Van Grembergen & De Haes, 2005). Moreover, one of the objectives of IT
governance is the strategic alignment of major IT projects with organizational goals
Page 40
25
(Hiekkanen, 2015; ITGI, 2007). Therefore, IT outcomes (desirable behavior) in this study are
referred to as strategic IT projects‟ success in PakPSOs.
IT governance ensures that IT and business share accountability regarding IT projects and
helps in measuring their effectiveness which assists in avoiding rogue investment. Through
properly implemented IT governance, IT projects are managed effectively by default. IT
projects undergo to the analysis of IT strategy, IT architecture and IT infrastructure &
applications. IT investment is made and prioritized for right IT projects. The accountability is
established, strategic alignment is enhanced and value delivery is measured against costs to
ensure that IT projects meet current and future organizational needs. Risks are properly
identified and mitigated before the start and during projects‟ execution with assurance that
projects are not deviated from the original plan. In conclusion, IT governance has become the
standard through which IT projects are identified/selected and developed with viable value
proposition and deliverables that reduce rogue investment.
Nevertheless, IT projects‟ implementation success has constantly been a challenging issue for
organizations involved in managing IT projects (Xia & Lee, 2004). The term project success
has different meanings to different organizations and stakeholders involving with competing
needs. Traditionally, project success is measured against time, budget and specifications
(requirements/quality) criteria (Agarwal & Rathod, 2006) which reflect success from project
team, vendors or suppliers‟ point of view. Non-traditionally, some researchers used the term
project performance in place of project success using attributes like process performance and
product performance (Han & Huang, 2007). Process performance is measured against cost &
schedule overruns and product performance is measured against specifications (Jun et al.,
2011). Others used process efficiency and effectiveness as dimensions of project performance
(Rai & Al-Hindi, 2000; Ravichandran, 1999). However, Aladwani (2002) provides three
dimensions of project performance: task outcomes; psychological outcomes; and
organizational outcomes. Task outcomes deal with efficiency and effectiveness,
psychological outcomes deal with people‟s satisfaction and organizational outcomes deal
with benefits to the organization (Aladwani, 2002). These dimensions provide a better view
of success in technical, social and organizational perspectives.
The literature on information system success highlights the need to measure IT projects‟
success in terms of their ability to provide meaningful benefits to stakeholders rather than
timely and within budget delivery of an artifact (Rai et al., 2002; Irani & Love, 2001). The
purpose of IT investment or project approval process is to ensure that IT investment delivers
significant benefits to the stakeholders as compared to alternative investment opportunities.
Page 41
26
No single benefit assessment technique is suitable for all organizations. For example, for
public sector IT projects, benefits are usually measured beyond traditional financial measures
due to the “best value” nature of the public sector instead of “profit” nature (Campbell et al.,
2010). A large stream of literature is available on non-financial benefits of IT investment or
project. Researchers have focused on economic benefits (Bharadwaj, 2000), public value
(Moore, 1997), organizational changes (Serafeimidis & Smithson, 2000), strategic,
informational, transactional & transformational benefits (Gregor et al., 2006) and
infrastructural benefits (Weill & Broadbent, 1998). Therefore, in the context of public sector
IT projects, a more comprehensive view of success can be obtained if such projects are
evaluated in terms of task outcomes (efficiency & effectiveness), organizational outcomes
and public outcomes which are the focus of this study. Task outcomes are referred to as IT
project‟s efficiency and effectiveness. Efficiency is a measure of amount of work produced,
cost and schedule adherences and overall efficiency of operations whereas effectiveness is a
measure of quality of work and ability of the project to meet its goals (Henderson & Lee,
1992). Organizational outcomes are referred to as the benefits that an IT project provides to
the host organization e.g. cost reduction and efficiency gains; improved quality of decision-
making (Gregor et al., 2006). Public outcomes are referred to as the benefits that an IT
project provides to citizens, businesses and employees e.g. cost and time saved using e-
services (Gilbert et al., 2004), better informed, knowledgeable about government policy
(Kolsaker & Lee-Kelley, 2008).
After the comprehensive review of the relevant literature, it is found that no single study has
investigated the determinants of strategic IT projects‟ success in terms of task, organizational
and public outcomes which is also referred to as desirable behave ior in this study. This has
created a gap for the third research question of the study i.e. RQ3: “What is the effect of
relevant IT governance practices on IT outcomes in PakPSOs?” This study investigates the
effect of relevant IT governance CSFs in PakPSOs on IT outcomes (desirable behavior) in
terms of tasks, organizational and public outcomes.
2.6 Generic IT Governance Implementation Frameworks
This section presents the generic IT governance implementation standards and frameworks.
This also presents the major weaknesses of each of the framework towards the study
Page 42
27
environment. A brief description of some of the most well-known standards and frameworks
with their strengths and weaknesses is as under:
2.6.1 Control Objectives for Information and related Technology (COBIT)
It is a globally recognized framework to control IT function in the organizations. It assists
executives and IT professionals in ensuring that IT operations are aligned with organizational
objectives. It was originated in 1996 by the “Information Systems Audit and Control
Foundation (ISACF)” as a part of evaluation framework of the “Committee of Sponsoring
Organizations of the Treadway Commission (COSO)”. The “IT Governance Institute (ITGI)”
that was constituted by the “Information Systems Audit and Control Association (ISACA)”
released the third edition of COBIT in 2000. Subsequent editions were released in 2005
(COBIT 4.0) and 2007 (COBIT 4.1). The current version is COBIT 5 published in 2012
which helps enterprises in governing and managing IT to achieve enterprise objectives. It is a
high level framework that covers other well-known standards & frameworks such as ISO/IEC
38500, TOGAF, PRINCE2, PMBOK, ITIL, ISO/IEC 20000, ISO/IEC 27000, ISO/IEC 31000
and CMMI. The COBIT 5 has been formulated by consolidating & integrating COBIT 4.1,
Val IT and Risk IT into a single framework. It is based on 5 principles and 7 enablers. The
five principles of COBIT 5 are shown in Figure 2.2.
Page 43
28
Figure 2.2: COBIT 5 Principles (ISACA, 2012)
COBIT framework provides best practices in business and process perspectives. The business
perspective relates stakeholder needs to enterprise goals, enterprise goals to IT-related goals
and IT-related goals to enabler goals and provides metrics to measure these goals. Moreover,
it fixes the roles and responsibilities for business and IT process owners. The process
perspective divides IT function into 37 processes (32 for IT management and 5 for IT
governance) scattered in five domains (one for IT governance and 4 for IT management) and
provides Process Assessment Model for process improvement.
The framework facilitates clear policy development and good control over IT throughout the
organization (ITGI, 2007). Besides a recognized practical audit guideline to review and
control IT activities, it is advocated as an IT governance implementation guideline (ITGI,
2007). It has become a de-facto standard in the field of IT governance (Simonsson &
Johnson, 2008). The framework contains an inclusive set of processes for complete IT
investment lifecycle ranging from strategic planning to day-to-day operations and covers a
complete sphere of IT activities that a typically organization is likely to perform (Debreceny
& Gray, 2009). It enables strategic alignment, value delivery and compliance to regulations
Page 44
29
(Larsen et al., 2006) and helps in measuring performance, creating value and managing risks
(Rouyet-Ruiz, 2008). The framework is useful tool to establish a baseline for process
maturity (Bünten et al., 2014; Van Grembergen & De Haes, 2005).
COBIT framework also possesses some inherent weaknesses. It is a very generic framework
and organizations need to customize it according to their context (Zhang & Le Fever, 2013)
that requires a lot of effort, trained human resources and sufficient financial resources. Hence,
implementation cost is high. The COBIT processes are very difficult to use because the
process description is complicated and time consuming. It is a very complex framework. For
each process, there is a corresponding set of activities and input/output documents that must
be reviewed. For each process, there is a specific RACI chart. There is also a plethora of
goals and metrics categorized as enterprise goals, IT-related goals and process goals. The
implementation of COBIT is difficult to evaluate and experienced analysts are required for
this purpose (Simonsson et al., 2007).
2.6.2 Organization Modeling and Assessment Tool (ITOMAT)
After applying the concepts of measurement theory (validity, reliability and costs related to
assessment), Simonsson and Johnson (2008) investigated the goodness of COBIT as an
assessment framework. They discovered some intrinsic weaknesses in COBIT particularly in
its operationalization and efficient data collection & analysis support. To rectify COBIT‟s
intrinsic weaknesses, they designed a tool known as ITOMAT for IT governance model base
assessment. This tool is based on COBIT framework and covers all of the COBIT‟s processes
but has its own special operationalization scheme. A prime benefit of using ITOMAT is that
the person conducting analysis part does not has to be an IT governance expert which may
results in cost savings as claimed by the authors. It leverages the merits and alleviates some
of the weaknesses in COBIT. It separates modeling from analysis and supports automatic
data analysis. The framework is completely transparent & formalized and provides support
for collecting every single attribute to overall maturity scores at process level and ultimately
at organization level (Simonsson & Johnson, 2008).
The ITOMAT implementation cost is relatively lower as compared to COBIT. The major
weakness of the framework is that it is based on COBIT framework only that limits its
general usability. The method is not much suited for senior managers rather more useful for
managers at operational level.
Page 45
30
2.6.3 Information Technology Infrastructure Library (ITIL)
It is a well-known framework to provide best practices for IT service management. It was
originated in 1989 by the “Central Computer and Telecommunications Agency (CCTA)”
which later became the part of the “Office of Government Commerce (OGC)” in 2000. It is
based on the experience of more than 1400 organizations. The framework mainly focuses on
processes about delivery and support of IT services. The ITIL V3 is the current version and
focuses on the Service Lifecycle shown in Figure 2.3.
Five phases are involved in the Service Lifecycle. A separate core book describes each phase
in detail. Service Strategy phase forms the core of the Service Lifecycle. The phase is used
for policy making and objective setting. All other phases revolve around this phase. Service
Design phase is used for designing & developing new or changed services and service
management practices. Service Transition phase guides for developing and improving
capabilities for transitioning new or changed services into live service operations. Service
Operation phase helps in carrying out and managing activities for day-to-day operations of
services. Continual Service Improvement phase enables learning and improvement.
Improvement initiatives are undertaken in this phase based on strategic organizational
objectives. This phase covers the entire Service Lifecycle. The Service Lifecycle of ITIL is
based on the PDCA cycle of quality control.
The framework provides integrated central processes and comprehensible performance
indicators (Elephant, 2008). It enables risk reduction, financial efficiency, reliability and user
satisfaction (ChePa et al., 2015; Cartlidge et al., 2007).
Page 46
31
Figure 2.3: ITIL Service Lifecycle (ITIL, 2007)
The ITIL framework also possesses some inherent weaknesses. It is an operational level
framework rather than strategic (Simonsson et al., 2010). The organizations need to
customize best practices according to their requirements (Worthen, 2005). Governance is the
weakest link in the ITIL service sourcing strategy. In terms of IT governance, ITIL is not as
much comprehensive as COBIT.
2.6.4 ISO/IEC 38500 Information Technology- Governance of IT for the Organization
It is a high level principle based advisory framework. It was originated in 2005 by the
Standards Australia (AS8015:2005) and later adopted by the ISO/IEC in 2008 (ISO/IEC
3800:2008). The current version of the framework is ISO/IEC 38500:2015. The purpose of
the framework is “to promote effective, efficient, and acceptable use of IT in all
Page 47
32
organizations by a) assuring stakeholders that, if the principles and practices proposed by
the standard are followed, they can have confidence in the organization's governance of IT,
b) informing and guiding governing bodies in governing the use of IT in their organization,
and c) establishing a vocabulary for the governance of IT”. The framework consists of two
parts: the governance function and the management function. In this way, it separates IT
governance from IT management. The governance function is based on the concept of EDM
(evaluate, direct and monitor) and provides three IT governance related tasks: direct, evaluate
and monitor. The management function is based on the concept of PDCA (plan, do, check
and act) and provides four tasks: plan, do, check and act. The ISO/IEC 38500:2015
framework is shown in Figure 2.4. The framework has been developed based on the six
principles of good governance: responsibility, strategy, acquisition, performance,
conformance and human behavior.
The framework provides a structure for effective IT governance for top management to
understand and fulfill their legal, regulatory and ethical obligations. It highlights the
importance of IT governance in organizations. Although, the latest version (ISO/IEC
38500:2015) has addressed many weaknesses of the previous versions like regulatory
obligations and source of authority have been added but it is still a generic framework. A lot
of expertise and customization is required to adapt it into a specific environment i.e.
PakPSOs. The framework is not public sector specific but it is based on the philosophy “one
size fits for all” as claimed by the ISO/IEC 38500: 2015. However, specific context of the
organizations and their geographical situations are important to implement the IT governance
(Ribbers et al., 2002).
Page 48
33
Figure 2.4: ISO/IEC 38500: 2015 Information Technology- Governance of IT for the Organization
(ISO/IEC 38500:2015, 2015)
2.6.5 Detailed Framework of Governance of Information Technologies (dFogIT)
The dFogIT framework was developed by University of Balearic Islands based on ISO/IEC
38500 framework. It comprises of four layers as shown in Figure 2.5. Two layers, IT
governance and IT management are identical to ISO/IEC 38500 whereas top and bottom
layers, corporate governance and IT operation are added to involve the entire organization
into IT governance (Gómez et al., 2017). The arrows in the framework point out supply or
demand of something related to IT. For instance, corporate governance layer demands for
concrete results such as IT applications in the form of IT solutions which add value to the
organization. IT governance layer provides direction to evaluate the monitoring of lower
layers. IT management layer manages projects that facilitate business processes through
Page 49
34
covered operations and resources. Nevertheless, the success or failure of dFogIT
implementation relies on how the various structures in the said layers support these pressures.
The dFogIT framework not only provides visibility of the governance structures, strategy
alignment and communications among various levels of the organization but also covers the
five IT governance decisions of Weill and Ross (2004) at different layers (Gómez et al.,
2017). The decisions which are more strategic are at top layers whereas the decisions which
are more technical are at lower layers. Juiz et al. (2014) argued that the current framework of
dFogIT does not cover the seven principles of good governance for the public sector as
proposed by (CIPFA & IFAC, 2013). Therfore, they addressed this issue by including seven
principles of good governance for the public sector into the dFogIT framework (Juiz et al.,
2014). However, the dFogIT framework is based on ISO/IEC 38500; therefore, it has the
same shortcomings as possessed by ISO/IEC 38500 i.e. high-level top down organizational
focus that may be easily misinterpreted.
Figure 2.5: deFogIT framework (Gómez, Bermejo, & Juiz, 2017)
Page 50
35
2.6.6 Strategic Alignment Model (SAM)
The concept of strategic alignment was first introduced by Henderson and Venkatraman
(1993). The concept later translated into IT-business alignment. They developed Strategic
Alignment Model (SAM) with four domains: business strategy; IT strategy; organizational
infrastructure & processes; and IS infrastructure & processes. The SAM is shown in Figure
2.6.
Strategic fit means organizational structures & processes should support and reflect business
strategy whereas IS infrastructure & processes should support and reflect IT strategy.
Functional integration means IT strategy should be aligned with business strategy whereas IS
infrastructure & processes should be aligned with organizational infrastructure & processes.
Subsequent studies mostly investigated functional integration in the literature of strategic or
IT-business alignment.
The SAM specifies the importance of alignment between business and IT strategies to
increase IT contribution (Teo & King, 1996). The two way relationship between business and
IT strategies enables potential competitive advantage to business from the use of IT
(Henderson & Venkatraman, 1993). It focuses on linking IT requirements with organizational
objectives. However, it is a conceptual framework and difficult to apply in practice (Avison
et al., 2004). It fails to describe top management involvement & support and effective use of
IT resources. It does not address effective communication between business and IT strategies.
The framework does not cover the change management and related issues. Alignment is often
considered to be as moving target and difficult to implement (Coltman et al., 2015).
Moreover, Kruger and Snyman (2002) described that no generic model of IT-business
alignment fully aligns ICT strategy with business strategy. They further added that business
managers still consider strategic ICT management separate from business strategy which
leads towards an incapability to align ICT goals with corporate goals.
Page 51
36
Figure 2.6: Strategic Alignment Model (Henderson & Venkatraman, 1993)
2.6.7 Balanced Scorecard (BSC)
Conventionally, organizations used financial measures to assess past organizational
performance. However, financial measures alone are not enough to predict future
organizational performance. BSC was developed by Kaplan and Norton (1992) to assess
organizational performance in four perspectives: financial; customer; internal business; and
innovation & learning. Financial perspective deals with the financial measures like earning
Page 52
37
per share and return on investment (ROI). Customer satisfaction and internal business
processes are important drivers to achieve financial performance. Example of customer
satisfaction is the mean-time response to a service call and example of internal process is the
manufacturing cycle time. In turn, innovation & learning drive customer satisfaction and
efficient internal processes. Example of innovation & learning is the development of an
innovative product and time to new market. The BSC developed by Kaplan and Norton
(1992) is shown in Figure 2.7.
Figure 2.7: Balanced Score Card (Kaplan & Norton, 1992)
Page 53
38
Based on the concepts of BSC, IT Governance Balanced Scorecard (ITGBSC) was prepared
to evaluate IT governance performance (Van Grembergen & De Haes, 2005). It has four
perspectives: corporate contribution; stakeholders; operational excellence; and future
orientation. The ITGBSC is a modified form of the original BSC to measure IT governance
performance (Van Grembergen & De Haes, 2005). Corporate contribution perspective deals
with ensuring maximum profit through IT with reasonable risks. Example of this perspective
is strategic match of major IT projects.
Stakeholder perspective deals with measuring up to stakeholders‟ expectations. Example of
this perspective is number complaints of stakeholders. Operational excellence perspective
deals with ensuring effective and sustained IT governance. Example of this perspective is
composition of IT committees. Future orientation perspective deals with building foundations
for IT governance delivery. Example of this perspective is level and use of IT governance
knowledge management system.
BSC is a multidimensional approach to assess and manage organizational performance. It
links performance measures with the organizational strategy (Otley, 1999). It balances the
internal and external aspects of the business (Olve et al., 2003) and enables the employees to
understand the strategy & objectives and facilitates evaluation and feedback on ongoing basis
(Pandey, 2005). It can also measure economic returns, social benefits and local impact
(Mohamad et al., 2015). It is applicable to all organizations of all sizes for assessing and
managing organizational strategy, monitoring operational efficiency and communicating
processes throughout the organization (Rohm, 2006). However, some researchers discussed
the weaknesses of the BSC. It makes invalid assumptions about causal relationships between
performance indicators (Norreklit, 2000). It provides no mechanism to sustain the relevance
of the initially defined measures (Hudson et al., 2001). It is hard to achieve a balance between
financial and non-financial measures due to the problems in the implementation of strategy
(Anand et al., 2005).
2.6.8 Limitations of Generic IT Governance Implementation Frameworks towards
PakPSOs
All the aforesaid generic IT governance implementation frameworks possess some
inadequacies and weaknesses towards the context of the study i.e. PakPSOs. Table 2.1 shows
Page 54
39
the limitations of various generic IT governance implementation frameworks towards the
context of PakPSOs.
Table 2.1: Limitations of generic IT governance implementation frameworks towards PakPSOs
Framework Limitations towards PakPSOs
COBIT It is a very generic framework and organizations need to customize it according to
their context (Zhang & Le Fever, 2013) that requires a lot of effort, trained human
resources and sufficient financial resources.
The implementation of COBIT is difficult to evaluate and experienced analysts
are required for this purpose (Simonsson et al., 2007).
The COBIT processes are very difficult to use because the process description is
complicated and time consuming.
ITOMAT It is based on COBIT framework only that limits its general usability.
The method is not much suited for senior managers rather more useful for
managers at operational level (Simonsson et al., 2010).
ITIL It is an operational level framework rather than strategic (Simonsson et al., 2010).
The organizations need to customize best practices according to their
requirements (Worthen, 2005).
Governance is the weakest link in the ITIL service sourcing strategy.
ISO/IEC 38500 The framework is generic and designed for all types of organizations i.e. public
and private (ISO/IEC 38500:2015). A lot of expertise and customization is
required to make it context specific.
The principles of the framework have been borrowed from the previous version
which still follows top-down approach which may be easily misinterpreted.
dFogIT It is based on ISO/IEC 38500 and possesses the inherent shortcomings of the said
framework.
It does not cover external stakeholders (Gómez et al., 2017)
SAM It is a very conceptual framework and difficult to apply in practice (Avison et al.,
2004).
It fails to describe top management involvement & support and effective use of IT
resources.
It does not address effective communication between business strategy and IT
strategy and change management and related issues.
Page 55
40
Table 2.1 Continued…
Framework Limitations towards PakPSOs
BSC It makes invalid assumptions about causal relationships between performance
indicators (Norreklit, 2000).
It provides no mechanism to sustain the relevance of the initially defined
measures (Hudson et al., 2001).
It is hard to achieve a balance between financial and non-financial measures due
to the problems in the implementation of strategy (Anand et al., 2005).
CMMI It does not provide any process area for effective communication and
coordination among IT and business personnel.
The level of diversity and depth to monitor & control the IT activities is missing
in CMMI (Agerfalk & Fitzgerald, 2006).
ISO 9000:2000 Different ISO standards are launched very frequently without performing
complete analysis of practices in different cultures and countries (Nadvi &
Waltring, 2004)
Organizations may face the problems of different levels of adoption of ISO
standards among different departments.
Practitioners face the problems of integration of processes of different standards
(Heras-Saizarbitoria & Boiral, 2013).
Six Sigma This framework is effective in environments/industries where IT activities are
identical and repetitive. However, the dynamics of PSOs does not allow managers
to gain ultimate objectives through this framework (Antony & Fergusson, 2004).
None of the methodologies of Six Sigma explicitly address PSOs.
TQM TQM requires additional frameworks related to management to implement its
philosophy.
Public managers may face conceptual, technical and social challenges to
implement TQM in PakPSOs.
ISO/IEC
17799:2000
This standard focuses on implementation of IT security and its management only
and does not focus on IT-business alignment which is main goal of IT
governance.
ASL Its scope is limited to application management and maintenance. Hence, it does
not cover the entire scope of IT governance.
This framework is implemented along with other frameworks like ITIL which
makes its implementation more tricky and complicated.
Page 56
41
Table 2.1 Continued…
Framework Limitations towards PakPSOs
OPM3 This framework mainly focuses on project management instead of governance
The scope of the framework is limited to improve project management maturity.
All existing models of project management do not fulfill the governance needs of
PakPSOs.
The discussion on various generic IT governance standards and framework reveals that
nothing of these standards and frameworks are specially designed to fulfill the needs of the
PSOs of a developing country. These frameworks are generic, complex and costly due to
which these organizations may deem the practice daunting and unattainable. Therefore, a
substitute framework to complement the inherent shortcomings of the existing frameworks
towards the context of PSOs in a developing country is required to solve the problem. This
has created a gap for the second research question of the study i.e. RQ4: “How can effective
IT governance practices be implemented in PakPSOs?”
2.7 Context of Public Sector Organizations
In this section, the context of PSOs regarding developments, implementations and
governance is discussed in detail.
2.7.1 Defining and Understanding Public Sector Organizations
The public sector is defined as a part of nation‟s economic and administrative life pertaining
to the provision of services/goods by and for the government at federal, provincial,
local/municipal level (Lane, 2000). The public sector covers the organizations which are
controlled by the government and rely on government budgetary allocations for their funding
(Campbell et al., 2010). It also covers the organizations which generate their own funding
independent of government budgetary allocations i.e. autonomous bodies and semi-
government organizations (Campbell et al., 2010).
Page 57
42
PSOs are constituted like pyramids. Policies, procedures and decisions are formulated at the
top of the pyramid. Roles and responsibilities are also decided at the top and delegated to the
lower levels through a hierarchical chain of command. Authority remains at the top of
hierarchy. Most PSOs are bureaucratic in nature and arranged functionally to maintain
specialization (Spittler & McCracken, 1996). This helps in assigning responsibility and
tracing accountability more easily.
However, the structure of PSOs involves various issues that occur from the employees‟
behavior in the functional areas. One major issue is the employees‟ focus on their own area of
skills with no/little understanding of how their decisions can influence the others. Other
issues are: lack of information flow, inadequate decision making and short term outlook etc.
(Spittler & McCracken, 1996).
2.7.2 Characterizing Public Sector Organizations
IT development, implementation and governance in PSOs appear behind private sector
organizations due to the contextual differences between two sectors (Campbell et al., 2010).
IT governance implementation in PSOs is more complex than their private counterparts due
to various reasons including complex intra and inter-organizational interactions and synergies
(Weill & Ross, 2004), more bureaucracy and less managerial autonomy (Lane, 2000), wider
accountability and expectations (Liu & Ridley, 2005), difficulties in setting goals and
measuring performance against these goals (Weill & Ross, 2004), changing ministerial needs,
legislator and frequent rollout of top management (Liu & Ridley, 2005) and more legal and
cultural needs (Lane, 2000). However, the quick development of technology over the past
decade has narrowed down the gap between the two sectors and even important practices may
be portable between the two sectors (Dawson et al., 2016). The summary of differences
between two sectors based on the literature of IT governance is shown in Table 2.2.
2.7.3 Public Sector Organizations in Developing Countries
Countries are categorized into two groups: developed countries; and developing countries
(United Nation, 2001). Developing courtiers can also be referred to as developing countries.
Countries in North America, Europe, Australia, New Zealand, Japan and former USSR are
Page 58
43
developed countries whereas all other countries are developing countries (United Nation,
2001). Developing countries are usually characterized by lower Human Development Index
(HDI) which is composed of life expectancy, gross national income per capita and access to
knowledge (UNDP, 2017). Other characteristics of developing countries include lower level
of industrialization and a higher level of population growth (Caiden & Wildavsky, 1980). The
PSOs in developing countries are very challenging. These are affected by low institutional
capacity, limited involvement of stakeholders, high level of corruption and high level of
informality which obstruct their decision-making, control and accountability (Mimba et al.,
2007). The IT context of PSOs in developing countries is generally characterized by low
human development, limited IT resources, inadequate related knowledge, constraints on
culture and an increasing level of IT investments (Nfuka & Rusu, 2011).
Page 59
44
Table 2.2: Differences between public and private sector organizations based on literature
Public Sector Organizations Private Sector Organizations Reference
Ownership Owned by members of political
communities
Owned by entrepreneurs or
stakeholders
Rainey et al.
(1976)
Goals Have multiple, intangible and
conflicting goals due to numerous
stakeholders with competing needs
Have specific and tangible goals Dawes et al.
(2004)
Product Provide services and public goods
usually not for sale
Provide goods and services for
sale, profit
Rocheleau and
Wu (2002)
Achievements Measured by political efficiency
and fulfillment of policy mission
Measured by financial
profitability and efficiency
Campbell et al.
(2010)
Funds Funded mostly by taxation from
public
Funded by fees paid directly by
customers
Boyne (2002)
Control Controlled principally by political
forces
Controlled principally by market
forces
Boyne (2002)
Flexibility Have more formal procedures for
decision-making and are less
flexible and more risk averse
Have flexible procedures for
decision-making and are less risk
averse than public sector
organizations
Rocheleau and
Wu (2002)
Red Tape More rigid in following the rules.
The red tape puts needless and
counter-productive mania with
rules rather than results
Less rigid in following rules. Are
more concerned with results and
outcomes
Campbell et al.
(2010)
Managerial
Autonomy
Managers have less freedom to
react to the circumstances
Much more freedom than public
sector organizations
Campbell et al.
(2010)
Shared versus
proprietary IT
Shared IT resources, applications
and technical help
Treat IT as proprietary to stay
ahead and competitive
Rocheleau and
Wu (2002)
Managerial
Values
Less materialistic More materialistic Pratchett and
Wingfield
(1996)
Skilled staff
Turnover
Face high skilled staff turnover Face low skilled staff turnover
than public sector organizations
Caudle et al.
(1991)
Outsourcing
of
IT function
High Low Caudle et al.
(1991)
Accountability High Low Nicoll (2005)
Page 60
45
2.8 Previous IT Governance Research
Previous IT governance research mainly deals with exercise of IT governance arrangements
or locus of decision-making authority, contingency factors that influence these arrangements
or decision rights, design and implementation of IT governance mechanisms of structures,
processes and relations, strategic alignment or IT-business alignment, enablers, inhibitors or
critical success factors of IT governance and IT governance performance measurement. A
short overview of previous IT governance research is presented here.
2.8.1 Previous IT Governance Research in General
Sambamurthy and Zmud (999) conducted a case study research on IT governance
arrangements at 8 organizations using theory of multiple contingencies. They argued that IT
governance arrangements in organizations are influenced by multiple interacting
contingencies instead of a single contingency. They identified three mutually exclusive sets
of multiple interacting contingencies: reinforcing; interacting; and dominating. The study
revealed that reinforcing and dominating contingencies persuade a centralized or
decentralized IT governance arrangement whereas conflicting contingencies persuade a
federal IT governance arrangement.
Peterson (2001) conducted a case study research on configurations and coordination for IT
governance at three European financial service organizations. He identified that the
organizations use federal IT governance arrangements and coordination mechanisms based
on their strategic context. He suggested that whatever IT governance arrangement is used,
mechanisms for lateral coordination (relational mechanisms) are required. Structures are not
enough for relational mechanisms and focus should be on IT governance processes.
Peterson (2004) performed a literary study on integration strategies and tactics for IT
governance. He concluded that small organizations use centralized IT governance
arrangements due to stable environment, centralized business governance structure, low IT
experience/competency and cost-focused business strategy. Conversely, large and complex
organizations use decentralized IT governance arrangements due to volatile environment,
decentralized business governance structure, higher IT management experience/competency
Page 61
46
and innovation-focused business strategy. However, he admitted that these findings are not
prescriptive.
Ribbers et al. (2002) investigated the importance of IT governance processes and structures at
9 organizations. The research revealed that management tools and related frameworks
(scorecard and information economics etc.) are not sufficient for IT governance success
rather these tools should be leveraged into the deep organizational context related to
experiences of stakeholders and their understandings and judgments. However,
considerations for experiences of stakeholders, their understanding and judgments in absence
of some cost-benefit analysis and risk analysis are unlikely to deliver pleasing results.
Weill and Ross (2004) are perhaps among the first researchers who investigated the real
effect of IT governance on business performance. They conducted case studies on IT
governance performance at more than 250 organizations. Based on their research methods
and findings, they wrote a book. This book is mostly cited book in the discipline of IT
governance (Simonsson et al., 2010). Their study revealed that top performing organizations
produce up to 40 percent more profit than their competitors and organizations with above
average IT governance produce more than 20 percent profit than organizations with poor IT
governance adopting the same strategy i.e. customer intimacy.
Csaszar and Clemons (2006) conducted a study on governance of IT function. They found
that IT functional areas‟ governance influence the firm‟s performance under most conditions.
Performance is influenced by the CIO‟s capability to communicate with the senior
management and business know-how by taking into account the quality and the pace of
consensus decisions.
De Haes and Van Grembergen (2006) conducted a cases study on IT governance best
practices at 6 organizations in Belgium. They also included a previous in-depth case study at
KBC (a large Belgian bank). They made several propositions: First, “organizations are using
a mix of structures, processes and relational mechanisms to build up an IT governance
framework.” Second, “the chosen mix of structures, processes and relational mechanisms is
dependent upon multiple contingencies.” Lastly, “a well balanced mix of structures,
processes and relational mechanisms will enable better IT governance outcomes.” Findings
revealed that all hypotheses were supported. Other interesting findings of their study are as
follows. IT steering committees are prevalent and exist with different names whereas IT
strategy committees are uncommon in Belgium. Majority of the organizations have either a
centralized or federal IT governance arrangement. In federal IT governance arrangement,
operations are centralized to gain economies of scale but developments are decentralized to
Page 62
47
remain nearer to the business needs. Regarding IT governance processes, ITIL processes such
as SLAs are more popular but the BSC and the COBIT are not (or merely) used. Many
processes and prioritization methods are identified regarding Information Economics (IE) or
other frameworks associated with ROI type of measures. Finally, various relational
mechanisms are applied in shared understanding domains of business/IT objectives, cross
functional business/IT training, business/IT job rotation and active conflict resolution.
However, these mechanisms are informally organized in most organizations.
De Haes and Van Grembergen (2009) conducted a case study research on IT governance
implementations and its impact on IT-business alignment at 10 Belgian organizations. They
finalized a list of 33 IT governance mechanisms from literature, six case studies and Delphi
research. The maturity of each IT governance mechanism was assessed by business and IT
managers with consensus using COBIT‟s maturity model. The concept of IT-business
alignment was used to assess IT governance effectiveness. Strategic alignment maturity
assessment of Luftman (2000) was used to measure IT-business alignment. Then a
comparison was made between IT governance mechanisms maturity and IT-business
alignment maturity. The study revealed that organizations with high IT-business alignment
have more and mature IT governance mechanisms than organizations with low IT-business
alignment.
Lee et al. (2008) conducted an empirical study on relationship between IT governance
inhibitors and its success at Korean organizations. Using multiple regression analysis, five
inhibitors were tested: lack of communication; inadequate stakeholder involvement; lack of
clear IT governance principle & policies; lack of clear IT governance processes; and
inadequate support of financial resources. The results showed that IT governance success is
negatively affected by these inhibitors.
Ali and Green (2009) investigated IT governance mechanisms that enable more overall IT
governance effectiveness in a cost-effective manner. Moreover, to investigate the relationship
between IT governance effectiveness and level of decisions about IT outsourcing, a
supplementary question was investigated empirically. The study comprised of 110 members
of ISACA in Australia. The results revealed that presence of ethic or culture compliance
system, involvement of senior management and existence of corporate communication
system positively influence the IT governance effectiveness.
Simonsson et al. (2010) conducted a case study research to investigate the effect of IT
governance maturity on its performance at 35 European organizations. The results indicated
that definition of the organization and quality management showed a strong correlation with
Page 63
48
IT governance performance. However, processes like problem management, define and
manage service levels showed no correlation.
Prasad et al. (2010) developed an integrative model in order to obtain an in-depth
understanding of IT governance effectiveness. The model was tested through a field study.
The results revealed that IT steering committee enables good IT-related capabilities. The
good IT-related capabilities improve internal process performance. The improved internal
process performance assists in customer service improvement and overall organizational
performance improvement.
Oyemade (2012) argued that an organization can manage IT-related risks effectively through
an IT governance framework. This framework can be enabled through three lines of defense:
risk identification, management and monitoring. IT governance framework could be
strengthened by implementing COBIT and Risk IT within three lines of defense.
Bunten et al. (2014) examined the impact of COBIT and VALIT maturity on IT governance
disclosure. The results showed that overall maturity in COBIT and VALIT have a positive
impact on IT governance disclosure. The study further mentioned that COBIT maturity and
most of its domains have positive impact on disclosure whereas VALIT maturity has mostly
insignificant impact.
Hiekkanen (2015) explored the effect of IT governance on strategic alignment at strategic and
tactical levels. The results confirmed a positive relationship between IT governance and
strategic alignment. The study further suggested eight key IT governance practices to
enhance strategic alignment in the organizations.
Zhang et al. (2016) examined the impact of IT governance and IT capability on firm
performance. Based on resource-based and strategic choice theories and using secondary
data, they empirically validated that IT governance is a pre-requisite of IT capability which in
turn improves firm performance.
Park et al. (2017) tested the effect of three alignments between internal and external IT
governance (hierarchy, market and network) on firm performance using data from 213
Korean firms. The results revealed that hierarchy-based alignment enhances the operational
efficiency, market-based alignment improves market growth and a network-based alignment
increases innovation performance.
Page 64
49
2.8.2 Previous IT Governance Research in Public Sector Organizations
Previous IT governance research in PSOs mainly deals with IT governance modes or
approaches, factors that influence these modes or approaches, and mechanisms for effective
IT governance. A short overview of previous IT governance research in PSOs is presented
here.
Weill and Ross (2004) specifically analyzed the PSOs among others in their study of more
than 250 organizations. This study investigated the factors that influenced the approach that
organizations selected to make successful IT decisions. The structure, industry, size,
governance experience, strategic goals, performance goals and geographical location were
among those factors. The results revealed that IT governance performance in the PSOs was
lower than their private counterparts by a factor of 10%. The researchers argued that this low
IT governance performance was due to the difficulties in setting goals and assessing
performance in the PSOs which already mentioned by Moore (1997) in his value framework
study.
Liu and Ridley (2005) conducted a study to assess the maturity of IT processes of COBIT
framework in the PSOs of Australia. They used COBIT‟s maturity model to assess 15 IT
processes that were already identified as most important IT processes (Guldentops et al.,
2002). They compared these IT processes by benchmarking them with other nations. The
study revealed that Australian PSOs performed better than the other nations. Among other
things, this was due to the differences in awareness. The study also suggested the need to
improve shared understanding about IT governance importance in both (Australia and other
nations).
Warland and Ridley (2005) conducted a case study research in three PSOs of Australia to
investigate the awareness and perception about the value of IT governance frameworks. The
study revealed that even though some practices were present in these organizations but the
awareness and perception about the value of IT governance frameworks appeared to be low.
The study suggested the need to increase such awareness in these organizations. The study
also indicated the need for further investigation about the effective mechanisms that enhance
the value of IT governance frameworks in these organizations.
Marais and Kruger (2005) conducted a study to understand the human issues regarding the
implementation of an information system in a bureaucratic environment (public sector).The
findings of the study revealed that user resistance and lack of user involvement were the most
Page 65
50
dominant and challenges issues in this environment. The study also revealed that user training
significantly influenced the acceptance of the system. However, they argued that although
user training and involvement could help to reduce the resistance in this environment, but for
this, a favorable environment would be needed before the training could assist the change
process.
Lawry et al. (2007) conducted a study in PSOs to investigate IT governance mechanisms in
terms of structures. These mechanisms were roles, responsibilities and futures of CIOs. The
study revealed that although there were some similarities but also important differences due
to the context in which the PSOs operated. These differences included low autonomy for
managers and dependency on rules and procedures. Based on these differences, a model to
identify CIOs particularly for PSOs was proposed.
Ali and Green (2007) investigated IT governance mechanisms that influenced IT governance
effectiveness in the PSOs of Australia. The results indicated that IT strategy committee and
corporate communication systems significantly correlated with IT governance effectiveness.
Hoch and Payan (2008) investigated IT governance in the PSOs of Germany. They developed
a framework with five dimensions to recognize the design model by organizations which can
be more suitable for their environments. The framework can also be used to create a baseline
for calculating the value of IT.
Campbell et al. (2010) conducted a study to examine the difference between public and
private sector organizations. The study revealed that regardless of many similarities, many
inherent differences were also present. The study advised that when studying the two sectors,
one size fits for all approach is not suitable. Moreover, the study suggested more research on
IT governance approaches suitable for the context of PSOs by acknowledging the lack of
empirical research on this topic. However, no study investigated IT governance in PakPSOs
in the perspective of a developing country.
Nfuka and Rusu (2011) tested the effect of IT governance CSFs on IT governance
performance in Tanzanian PSOs. The results showed that the CSF “involve and get support
of senior management” was at top of the list whereas the CSF “consolidate, standardize and
manage IT infrastructure and application to optimize costs and information flow across the
organization” was at bottom of the list. Other CSFs showed moderate to strong effect on IT
governance performance.
Allassani (2013) conducted a case study research of “Ghana Rural Bank Computerization and
Inter-connectivity Project”. The study concluded that project management principles,
although supportive, do not guarantee the success of the project. IT projects should need to be
Page 66
51
brought within the principles of IT governance for their success. The study further added that
a well-defined governance structure is a pre-condition for the implementation success of a
project.
Nfuka and Rusu (2013) have developed a CSFs based IT governance framework (CEITG
framework) for Tanzanian PSOs in the perspective of a developing country using design
science research approach. By adopting a holistic approach, they have categorized their CSFs
into five focus areas of IT governance. They have also identified activities, roles and IT
resources to implement each CSF in Tanzanian PSOs. The results revealed that the CEITG is
useful for Tanzanian PSOs. However, they have not covered the three perspectives of IT-
business alignment to provide more holistic view of IT governance.
Razak and Zakaria (2014) conducted an exploratory study to identify, validate and refine
CSFs in the PSOs of Malaysia. The results showed that the identified CSFs reflect the focus
areas that need to be considered strategically to strengthen IT governance implementation and
to ensure business success in this environment. They further categorized the CSFs into five
areas: cost reduction, innovation, agility, customer satisfaction and compliance.
Al Qassimi and Rusu (2015) conducted an interpretive case study in a public sector
organization of a develping country using primary and secondary data The results conculded
that there was an unintentional IT governance implementation in the organization. They
further suggested that IT governance structures, processes and relational mechanisms should
be improved to promote accountability of IT projects in the organization.
Dawson et al, (2016) examined effective IT governance in public sector of U.S using the
legal view of agency theory. They extended the theory to examine the combination of roles
that lead to effective performance for the state versus those required for the IT department.
The results revealed that the most important practices may be transferable between the public
and private sector despite highly differing structures of the two sectors.
Wiedenhoft et al. (2017) identified and validated a list of mechanisms that meet the
objectives and principles of IT governance in PSOs through exploratory and descriptive
cross-sectional research using qualitative and quantitative data. The results showed that 11
mechanisms meet the objectives and principles of IT governance in PSOs. These mechanisms
were mainly IT governance arrangements (structure mechanisms) and practices (process
mechanisms) and combination of arrangements and practices (relational mechanisms).
Page 67
52
2.9 Research Gaps
After the critical review of the relevant literature, the following research gaps have been
identified for this study:
Lack of investigation of existing state of IT governance in PakPSOs and its
comparison with others for learning, benchmarking and embracing best practices.
Lack of identification of critical areas in PakPSOs where focus can be given for
success.
Lack of examination of relative importance of effective IT governance practices for
IT outcomes i.e. desirable behavior in PakPSOs for prioritizing available IT resources.
Lack of a substitute IT governance implementation framework to complement the
inherent shortcomings of the existing frameworks towards the context of PakPSOs.
2.10 Chapter Summary
The following themes are emerged after the comprehensive review of literature.
IT governance is relatively a new discipline. It is a structure and process through
which organizations make right IT investments to ensure that the resulting activities
(programs, projects & operations) are performed properly and desired benefits are
achieved and preserved.
IT governance is implemented at organizational level and affects the culture of the
entire organization. It deals with both managerial and cultural aspects for selecting,
adopting and using IT and is a holistic approach for managing IT in organizations.
IT governance provides many benefits to organizations including reduced costs and
risks, increased security, enhanced IT-business alignment, organizational
competitiveness, increased profit or value for shareholders and improved services and
customer satisfaction.
IT governance is an integral part or subset of corporate governance and different to IT
management.
One way to measure IT governance success is the maturity measurement.
Page 68
53
CSFs are limited numbers of areas where focus can be given for success. CSFs may
be different for different contexts.
IT outcomes in PSOs can be considered in terms of strategic IT projects
implementation success.
A number of general standards and frameworks exist which are considered to be as
best practices to implement IT governance in organizations. However, these are too
complex, generic and expensive due to which organizations may deem the practice
daunting and unattainable. Moreover, these suggest one size fits for all approach for
all organizations in all situations. However, specific context of the organization and
its geographical situation is crucial for implementing IT governance.
PSOs are different to their private counterparts due to the contextual differences
between the two sectors and the implementation of IT governance in PSOs is more
complex than their private counterparts.
The IT context of PSOs in developing countries is generally characterized by low
human development, limited IT resources, inadequate related knowledge and
constraints on culture. Therefore, the implementation of IT governance in these
organizations is even more difficult due to low institutional capacity, limited
involvement of stakeholders, high level of corruption and high level of informality
which obstruct their decision-making, control and accountability.
Previous IT governance research in PSOs mainly focused on developed countries but
little IT governance research has been conducted in the context of PSOs in developing
countries especially PakPSOs remained unexplored.
Generic IT governance implementation frameworks posses some inherent weaknesses
towards the context of PakPSOs.
The literature review about the topic and the context of the study ascertain the gap for
the objectives of this study and its research questions.
The literature review has emphasized the need for further research to investigate IT
governance through contextualized research in PakPSOs, previously unexplored and
develop and evaluate a framework for effective IT governance implementation in
PakPSOs.
Page 69
54
3 Research Methodology
3.1 Chapter Objectives
This chapter provides the research methodology and research process of this study. It begins
with the research methodology applied to conduct this research. This study is carried out into
four phases. The overview of research phases, research philosophy, research methods,
sampling techniques & sample size, data collection techniques and data analysis approaches
are discussed in the sub-sections of methodology. The third section describes the research
process applied to conduct this research. The separate research process of each research phase
is discussed in detail in the related sub-sections. The fourth section discusses the issues of
validity and reliability followed by the ethical standards applied to conduct this research. The
last section summarizes the most important points of this chapter.
3.2 Methodology
Research methodology deals with careful investigation of research problems and systematic
approach of knowledge contribution into existing knowledge base (Kothari, 2004). Different
frameworks are developed through different methodologies. For example, COBIT framework
is developed by collecting and integrating well-known standards and frameworks such as
ISO/IEC 38500, TOGAF, PRINCE2, PMBOK, ITIL, ISO/IEC 20000, ISO/IEC 27000,
ISO/IEC 31000 and CMMI. ITIL is developed by collecting and integrating best practices of
IT service management from more than 1400 organizations of different industries. CMMI is
developed by harmonizing best practices of management from more than 600 organizations
belonging to various industries.
In this study, mixed method research approach has been applied. Mixed method research is a
combination of qualitative and quantitative methodologies to study the same phenomenon
with multiple viewpoints (Bryman, 2006). Rohner (1977) believes that mixed method
research approach neutralizes the weaknesses and exploits the strengths of each method.
Consistent results from mixed method approach increase the validity of results (Bouchard,
Page 70
55
1976). Campbell and Fiske (1959) argue that mixed method approach ensures that consistent
results are due to the traits of variables and not due to any specific method of research.
Creswell (2009) advocates the usage of mixed research method to attain better accuracy,
precision and confidence in the results. Jick (1979) proposes that qualitative research should
be used to explore the meaning and understanding of constructs whereas quantitative research
should be used to assess the magnitude and frequency of constructs.
In this study, after having a detailed understanding of existing state of IT governance in
PakPSOs in terms of maturity, the relevant IT governance practices in terms of CSFs are
exploratory and qualitatively identified in PakPSOs through systematic literature review
process complemented with multi-case study. Subsequently, these identified practices are
confirmatory and quantitatively validated in PakPSOs using survey research method. The set
of validated practices are then used as basic building blocks or components of the proposed
framework. Consequently, the proposed framework is iteratively developed and evaluated
using design science research approach which is also a combination of qualitative and
quantitative approaches (McKay & Marshall, 2007). In this way, this research study is carried
out into four phases. A brief overview of each phase and its corresponding research question
is given in the following section. This approach is conceptually similar to the exploratory
design described by Creswell (2009), to the triangulation design of Morse (1991) and to the
mixed method approach of Teddlie and Yu (2007). It is also similar to the design science
research approach of Peffers el al. (2008) and Hevner et al. (2004) and design science IT
artifact development and evaluation approach used by Nfuka and Rusu (2013).
3.2.1 Research Phases
This study is carried out into four phases. A brief overview of each phase is given here.
Phase 1- The context of organizations is crucial to implement IT governance (Ribbers, et al,
2002). Therefore, it is paramount to understand the relevant IT governance context of
PakPSOs before moving forward. IT governance context depends on many contingency
factors including organizational culture & structure, strategy, maturity, size, industry, trust,
ethical and regional differences (Pereira & Silva, 2012). One way to understand the relevant
context is to assess the state of IT governance through the use of maturity measurements
(Nfuka & Rusu, 2010). This phase assesses the existing state of IT governance in PakPSOs in
terms of maturity and compares it with a developed country (Australia), a developing country
Page 71
56
(Tanzania) and the international public sector benchmark for learning, benchmarking and
embracing best practices. This is paramount to understand the relevant IT governance context
of PakPSOs to identify weak areas for improvement. However, the results and findings of this
phase are not used in the proposed IT governance implementation framework development
and/or evaluation process which is the subject of successive research phases. The only
purpose of this phase is to have an idea and understanding of IT governance implementation
status in PakPSOs, previously unidentified. This is crucial to understand the context of
PakPSOs to conduct further research activities in this area. It addresses the first research
question of this study, RQ1: What is the existing state of IT governance in PakPSOs? The
detailed results of research phase 1 are given in chapter 4.
Phase 2- Although, the research phase 1 provides an in-depth understanding of the existing
state of IT governance in PakPSOs in terms of maturity and its comparison with other
countries but it is based on COBIT framework IT processes. No doubt, COBIT framework
contains an inclusive set of processes for complete IT investment lifecycle but it is very
generic, complex, costly and difficult to implement. However, industry specific practices are
more crucial than generic practices and address the ground realities more wisely. Therefore, it
is paramount to identify CSFs of IT governance relevant to PakPSOs. This phase identifies
the relevant IT governance practices in PakPSOs in terms of CSFs through systematic
literature review complemented with multi-case study. The purpose of this phase is to
identify what is being happened in PakPSOs and which practices are more relevant. It
addresses the second research question of this study, RQ2: Which IT governance practices
are relevant to PakPSOs? The detailed results of research phase 2 are given in chapter 5.
Phase 3- The identified practices of phase 2 are further tested and analyzed in phase 3 to see
their effectiveness towards IT outcomes i.e. desirable behavior in PakPSOs. This phase tests
and analyzes the effect of the identified IT governance practices of phase 2 on IT outcomes in
PakPSOs. The purpose of this phase is to validate a statistical relationship between the
identified practices of phase 2 and IT outcomes throughout PakPSOs. It addresses the third
research question of this study, RQ3: What is the effect of relevant IT governance practices
on IT outcomes in PakPSOs? The detailed results of research phase 3 are given in chapter 6.
Phase 4- The validated set of IT governance practices of phase 3 only provides a high level
view. It does not provide any guidance on how to implement these practices in PakPSOs.
This phase addresses this issue by proposing an IT governance implementation framework
based on validated set of practices of phase 3. In this phase, an IT governance
implementation framework is iteratively developed and evaluated in PakPSOs using design
Page 72
57
science research approach. It addresses the fourth research question of this study, RQ4: How
can effective IT governance practices be implemented in PakPSOs? The detailed results of
research phase 4 are given in chapters 7 & 8. The stair-case diagram of research phases is
shown in Figure 3.1.
Page 73
58
RO3: To test and
analyze the effect of
relevant IT governance practices
on IT outcomes in
PakPSOs.
RO1: To determine and analyze the existing state of IT governance in
PakPSOs in terms of maturity.
RO2: To identify and analyze the relevant IT governance practices in PakPSOs in terms of
CSFs.
RO4: To develop
and evaluate a
framework for
effective IT
governance
implementation in
PakPSOs.
RQ1: What is the existing state
of IT governance in PakPSOs?
RQ2: Which IT governance
practices are relevant to PakPSOs?
RQ3: What is the effect of
relevant IT governance practices on IT outcomes in
PakPSOs?
RQ4: How can effective IT governance practices be
implemented in PakPSOs?
Phase 1
Phase 2
Phase 3
Phase 4
IT g
overn
ance im
plem
entatio
n fram
ework
for P
akP
SO
s
Figure 3.1: Stair-case diagram of research phases
Page 74
59
3.2.2 Research Philosophy
Based on fundamental epistemology (knowledge that guides the research and how it can be
obtained), a research study can be conducted under three philosophical paradigms:
interpretive, positivist and critical research (Myers, 2008). However, due to the nature of this
study, the researcher has focused on interpretive and positivist research. The critical research
which deals with social critique of current conditions and assumes that reality is socially
constructed (Alvesson & Deetz, 2000) is not the focus of this study.
Interpretive research- It explores a research topic and emphasizes on meanings in context
without predefining independent and dependent variables (Kaplan & Maxwell, 1994). As
interpretive research is used to explore and understand the context within which decisions
and actions are performed, therefore, this philosophical paradigm is applied in research
phases 1, 2 & 4 due to their interpretive nature.
Positivist research- It tests falsifiable theories and increases the predictive understanding of
phenomena using independent and dependent variables and their relations (Straub et al.,
2005). As positivist research is used for numerical analysis of theoretical constructs and their
interpretations, therefore, this philosophical paradigm is applied in research phase 3 due to its
positivist nature.
Moreover, interpretive research has been considered due to exploratory nature of research
phases 1, 2 & 4 and positivist research has been considered due to confirmatory nature of
research phase 3. Furthermore, interpretive research is applied due to qualitative nature of
research phases 1, 2 & 4 whereas positivist research is applied due to quantitative nature of
research phase 3.
Qualitative approach is applied to studies in natural settings usually case studies (Yin, 2003)
whereas quantitative approach is applied for testing and understanding hypothesized relations
through numerical analysis (Straub et al., 2005). Qualitative research is conducted under
interpretive, positivist and critical research and uses qualitative & quantitative data whereas
quantitative research is conducted under positivist research and uses quantitative data only as
shown in Figure 3.2.
Page 75
60
3.2.3 Research Methods
A research method is a strategy of the enquiry (Myers, 2008). Two research methods are
selected for this study: case study; and survey research. The said research methods are
selected based on the nature of research problem, questions and guidelines for selecting a
research method proposed by Royer and Zarlowaski (1999).
Case study research- It is a method of empirical enquiry (Yin, 2003). In this study, it is
applied from an interpretive research philosophical paradigm point of view. According to Yin
(2003), a case study “investigates a contemporary phenomenon within its real-life context,
especially when the boundaries between phenomenon and context are not clearly evident”. A
case study also “relies on multiple sources of evidence and benefits from the prior
development of theoretical propositions to guide data collection and analysis” (Yin, 2003).
Various researchers argue that case study research method is more appropriate to conduct
information systems research (Oates, 2006; Benbasat et al., 1987). Generally, it is not easy to
separate the IT governance phenomenon from its environment i.e. PakPSOs. Therefore, case
Quantitative
research
Interpretive
research
Positivist
research
Critical
research
Philosophical paradigms
of this study
Qualitative
research
Qualitative
data
Quantitative
data
Figure 3.2: Research philosophical paradigms adapted from Myers (2008) and Straub et al. (2005)
Page 76
61
study research method is applied in research phases 1, 2 & 4 due to their interpretive and
qualitative nature.
Survey research- It is a method of studying a sample from a population and determining the
possibility of generalizing it to the population (Fowler, 2002). In this study, it is applied from
a positivist research philosophical paradigm point of view. Survey research argues that reality
can be represented through measurable properties and testing of theory (Straub et al., 2005).
Survey research is often used to investigate variables with quantitative and confirmatory
point of view. Therefore, survey research method is applied in research phase 3 due to its
positivist and quantitative nature.
3.2.4 Sampling Techniques and Sample Size
Two types of sampling techniques are commonly used in research studies: purposive
sampling; and probability sampling (Teddlie & Yu, 2007). Purposive sampling techniques are
mostly applied in qualitative research to increase replication and transferability of results
whereas probability sampling techniques are mainly applied in quantitative research to
increase generalisability of results (Teddlie & Yu, 2007). However, purposive sampling
technique can also be applied in quantitative research for selecting right respondents and
obtaining meaningful data where probability sampling is not feasible or costly (Black, 2010).
In purposive sampling techniques, individuals, groups and organizations are purposely
selected from a population to obtain particular information to answer the research questions
of the study (Maxwell, 1998). In probability sampling techniques, units and cases are
randomly selected from a population (Teddlie & Yu, 2007) with assumption that all
respondents are equally knowledgeable and well-aware of the phenomenon under study
which is a major drawback of this technique regarding the context and nature of this study.
Therefore, purposive/non-probability sampling techniques are more suitable in situations
where data sources are limited (Black, 2010).
In this study, the researcher has adopted theoretical sampling technique under sequential
sampling strategy in purposive sampling technique for case study research in research phases
1, 2 & 4. However, the researcher has adopted a mix of purposive sampling technique and
simple random sampling technique under probability sampling for survey research in
research phase 3 due to the context and nature of the study.
Page 77
62
For sample size, the research has adopted various theoretical guidelines. For multi-case study
research, Eisenhardt (1989) recommends four to seven organizations. Therefore, six
organizations have been selected in research phase 1, eight have been selected in research
phase 2 and 29 have been selected in research phase 4 for framework development process
and one for framework evaluation process.
Creswell (2009) recommends at least 2-3 participants for case study research. Therefore, 28
participants have been selected in research phase 1, 18 have been selected in research phase 2
and 81 have been selected in research phase 4 during framework development process and 27
have been selected during framework evaluation process.
For focus groups, a typical focus group contains 3-12 participants (Brandtner et al., 2015).
However, when complex issues or problems are the focus of the study then size of the focus
group should not exceed more than seven participants (Brandtner et al., 2015). Therefore, 5-7
participants have been formed the focus groups in research phases 1 & 4.
For survey research in phase 3, the researcher has adopted the guidelines provided by
Marcoulides and Saunders (2006). For a typical research with 5% significance level, 80%
statistical power and R2 ≥ 0.25, Marcoulides and Saunders (2006) suggest a minimum sample
size as shown in Table 3.1. In our case, the maximum number of arrows pointing at a latent
variable is 7. This results in a minimum required sample size of 80. This is also in line with
Urbach and Ahlemann (2010) who recommends a range from 30 to 100 cases. Therefore, a
total of 200 questionnaires were distributed in PakPSOs out of which 104 were returned.
Table 3.1: Minimum sample size for a typical research (Marcoulides & Saunders, 2006)
Minimum sample size required Maximum number of arrows pointing at a latent variable in the model
52 2
59 3
65 4
70 5
75 6
80 7
84 8
88 9
91 10
Page 78
63
3.2.5 Data Collection Techniques
To gather relevant data, three data collection techniques have mainly applied in this study
depending on research methods. These include interviews, focus groups and survey
questionnaires.
Interviews- These can be structured, semi-structured or unstructured (Yin, 2003). Interviews
are used to comprehend the ideas, beliefs and experiences of respondents in their natural
settings. Semi-structured interviews are commonly used in social sciences (Myers, 2008).
Therefore, semi-structured interviews are partly applied in research phase 1 and mainly
applied in research phases 2 & 4.
Focus groups- These are generally healthy in generating ideas and consensus (Kleiber,
2004). Marshall and Rossman (1999) argue that focus groups have high apparent reliability
and validity. With group interaction, the researcher assures views on the defined topic
(Myers, 2008). Therefore, focus groups are mainly applied in research phase 1 and partly
applied in research phase 4.
Survey questionnaires- These are used to collect meaningful data (Yin, 2003; Fowler, 2002).
Survey questionnaires are mainly applied in research phase 3 and partly applied in research
phase 4.
3.2.6 Data Analysis Approaches
Various data analysis approaches are applied in this study depending on research methods
and data collection techniques.
Exploratory Data Analysis (EDA)- It is an approach for analyzing data sets through
statistical tools to comprehend their important characteristics (Fowler, 2002). One of the
purposes of EDA is to increase insights into data sets to extract important information e.g.
ranked lists. Measures pertaining to relative location such as ranking and measures pertaining
to centre such as means can be addressed through EDA. EDA is applied in research phases 1,
2 & 4 for analyzing quantitative data in these phases.
Content Analysis (CA)- It is a technique for qualitative data analysis through which
structures and patterns regularities are searched in texts and inferences are made based on
these regularities (Myers, 2008). In CA, qualitative data gathered through interviews and/or
Page 79
64
documents are examined step-wise by dividing them into content analytical units, also known
as theoretical categories, which provide foundation for organizing qualitative data and
making interpretations in line with research questions of study (Payne & Payne, 2004). These
theoretical categories and sometimes their hierarchies can be created deductively through
previous literature (theories and frameworks) and/or are achieved inductively through data
analysis process. CA is mainly applied in research phase 2 and party applied in research
phase 4.
Structural Equation Modeling (SEM)- It is capable for developing and testing hypotheses
with falsifiable implications (Bollen & Long, 1993). SEM is mainly applied in research phase
3 to test correlated effect of IT governance practices on IT outcomes. A variance based SEM
technique known as Partial Least Squares (PLS) has been specifically applied. The PLS is a
variance-based structural equation modeling technique useful for testing relationships within
a structural model to ensure statistical conclusion validity (Fornell & Larcker, 1981). The
PLS is particularly appropriate for assessing predictive relationships or analysis designed to
build theory (Wold, 1985) and suitable for small sample size without normal distribution
(Peng & Lai, 2012). Due to ease of use and readily available support, the researcher
specifically prefers Smart PLS flavor.
A quick view of research phases and their corresponding research questions & objectives,
philosophical paradigms, type of study, research methods, sampling techniques & sample
size, data collection techniques, data analysis approaches and empirical sources is shown in
Table 3.2.
Page 80
65
Table 3.2: A quick view of the research methodology
Phase 1 Phase 2 Phase 3 Phase 4
Research question
RQ1: What is the existing state of IT governance in PakPSOs
and how?
RQ2: Which IT governance practices are relevant to
PakPSOs?
RQ3: What is the effect of relevant IT governance practices
on IT outcomes in PakPSOs?
RQ4: How can effective IT governance practices be implemented
in PakPSOs?
Objective To determine & analyze the
existing state of IT governance
in PakPSOs in terms of maturity
To determine & analyze the
relevant IT governance
practices in PakPSOs in terms of CSFs
To test and analyze the effect of
relevant IT governance practices
on IT outcomes in PakPSOs
To develop and evaluate a framework
for effective IT governance
implementation in PakPSOs
Philosophical
paradigm
Interpretive
Positivist Interpretive
Type of study Exploratory Confirmatory Exploratory
Sampling technique &
sample size
Purposive sampling,
Organizations: 6 Participants: 28
Purposive sampling
Organizations: 8 Participants: 18
A mix of purposive sampling &
probability sampling Participants: 104
Purposive sampling
First Iteration (development)
Organizations: 6, Participants: 35
Second Iteration (development)
Organizations: 23, Participants: 46
Third Iteration (evaluation)
Organization: 1, Participants: 27
Research
method
Case study research Survey research Case study research
Data collection technique
Focus groups & interviews
Interviews Survey questionnaires Interviews, focus groups & survey questionnaires
Data analysis
approach
Exploratory data analysis Content analysis &
exploratory data analysis
Structural equation modeling Content analysis & exploratory data
analysis
Empirical
source
Literature & case study organizations
Literature & sample from
PakPSOs
Literature & case study organizations
Page 81
66
3.3 Research Process
This section describes the detailed research process of this study. As previously mentioned,
this research study is conducted into four phases. Therefore, the separate research process for
each research phase is given in the following sub-sections.
3.3.1 Phase 1: Assessing the Existing State of IT Governance in PakPSOs
The main purpose of this phase was to determine and analyze the existing state of IT
governance in PakPSOs in terms of maturity, previously unidentified and compare it with a
developed country, a developing country and the international public sector benchmark for
learning, benchmarking and embracing best practices which were paramount to understand
the relevant IT governance context of PakPSOs. This was in response to the first research
question of this study, RQ1: “What is the existing state of IT governance in PakPSOs?” This
was achieved by assessing IT governance maturity in the selected six PakPSOs based on the
15 most important and public sector relevant IT processes of COBIT framework.
3.3.1.1 Rationale for Selecting COBIT Framework’s Processes
After a comprehensive literature review of IT governance related frameworks and maturity
models, the researcher found that COBIT framework provides a complete set of guidelines to
measure IT governance maturity in organizations (ITGI, 2007) and is a useful tool to
establish a baseline for process maturity (Van Grembergen et al., 2004). COBIT is a high
level framework based on other well known IT standards and frameworks and provides best
practices in business and process perspectives (ITGI, 2007). It contains an inclusive set of 34
processes for complete IT investment lifecycle ranging from strategic planning to day-to-day
operations (Debreceny & Gray, 2009) which makes it universally applicable. It has become a
de-facto standard in the field of IT governance (Simonsson & Johnson, 2008). The current
version of the framework is COBIT 5 launched in 2012. However, COBIT 4.1 was applied
for this study because a few of the PakPSOs use this version to some extent and have not
migrated to COBIT 5. This was also applied because a reference maturity benchmark is
Page 82
67
available for this version. Out of 34 processes of COBIT 4.1, 15 are most important processes
(Guldentops et al., 2002) and more relevant to PSOs (Nfuka & Rusu, 2010; Liu & Ridley.
2005). Thirty four IT processes of COBIT framework scattered into four domains are given
Appendix-I. Fifteen most important and more relevant public sector IT processes of COBIT
framework are given in Appendix-II. Generic maturity model of COBIT framework is given
in Appendix-III. The researcher selected 15 IT processes of COBIT to assess IT governance
maturity in PakPSOs‟ context due to the following reasons:
1. These are most important and more relevant to PSOs.
2. A reference benchmark is available for these processes to fulfill the study‟s need for
comparing the PakPSOs with the PSOs of a developed country (Australia), a
developing country (Tanzania) and the international public sector benchmark.
3.3.1.2 Phase Methodology
Generally, it is not easy to separate the IT governance phenomenon from its business setting
or environment i.e. PakPSOs. Therefore, case study research method was selected. Case
study is a more appropriate research method for information system research (Oates, 2006;
Benbasat et al., 1987). Due to the diversity of PakPSOs, a multi-case study approach was also
necessary to enhance the confidence in the results and possible replication (Myers, 2008; Yin,
2003) because evidence and findings from multiple case studies are more convincing than
one case study (Oates, 2006). We selected six Federal level PakPSOs based on many aspects
including existence of IT organization or function, relatively better IT processes, level of IT
infrastructure and applications, experienced business and IT management and IT based
services for the public and themselves. Other PakPSOs were not at the level of sufficient IT
deployment and/or dependent on some of the selected PakPSOs for consultancy, policy
formulation and implementation, project planning, preparation and execution and support and
training in their IT related matters so those were excluded. As COBIT framework covers a
complete sphere of activities that a typical IT organization would likely to execute
(Debreceny & Gray, 2009), therefore, COBIT deployment was not necessary for the
organizations to join this study.
The main data collection technique was the focus groups. However, separate interviews of
senior managers were also conducted to get their judgments on maturity levels of the IT
processes in their respective PakPSOs where focus groups were not feasible or denied. The
Page 83
68
data collection process was started in December, 2014. Persons at the level equivalent to
CIOs in the organizations assisted to arrange the focus groups. The distribution of the
respondents in the six studied PakPSOs is shown in Table 4.1 of chapter 4. There were five to
seven members in each focus group representing both business and IT management in order
to discuss and make consensus on maturity level of each of the IT process to provide realistic
and credible results. In case of interviews, data were collected from more than one person by
ensuring the presence of both business and IT management and finally their arithmetic means
were taken. This also provided triangulation i.e. getting data from more than one source to
increase reliability (Yin, 2003). In both cases, respondents were mainly directors, managers,
section heads, superintendents and IT administrators etc.
A case study protocol was developed based on the guidelines provided by Yin (2003). The
researcher gave a brief presentation to the focus groups members and each interviewee about
the research project and interview protocol at the start. A copy of study questionnaire was
provided to them. The questionnaire was based on COBIT‟s maturity assessment tool. The
focus group members and interviewees were asked to assess each statement on a four point
Likert scale i.e. How much do you agree: “Not at all (0)”; “A little (0.33)”; “To some extent
(0.66)”; “Or Completely (1)”. More than 20 statements were assessed per process. An
example of the statement was “IT projects are monitored, with defined and updated
milestones, schedules, budget and performance measurements”. The validity of the data was
assured by inspecting organizational documents such as IT-related policies, strategies, plans,
procedures, structures, frameworks, SLAs, annual and performance reports etc. The
researcher gathered those documents whichever were available before the focus groups
sessions and interviews with the help of the persons at the level equivalent to CIOs of the
organizations and/or from their respective websites. The researcher closely observed the
focus group sessions and intervened when necessary. When higher maturity level was
assessed for a process but the associated document did not support it then the researcher
quoted, explained and discussed the document with the respondents and asked them to enter
the real score according to the practices on ground. For example, for process “ME1-Monitor
and evaluate IT performance”, the researcher confirmed the presence of the singed
performance report in the organization. The same technique was adopted in case of
interviews.
Majority of the respondents well understood the processes, their associated statements and
maturity levels but some were initially confused. The misunderstandings were resolved
Page 84
69
through explanations, examples and analogies. Each focus group and interviewee took 4-5
hours on average in multiple sessions.
Data were analyzed using maturity assessment tool, generic maturity definitions, process-
specific maturity definitions of COBIT and MS-Excel. MS-Excel was used due to its
capability of exploratory data analysis and plotting results in the forms of figures, tables and
graphs. The results of the research phase 1 along with discussion are given in chapter 4.
3.3.2 Phase 2: Identifying the Relevant IT Governance Practices in PakPSOs
The main purpose of this phase was to identify and analyze the relevant IT governance
practices in PakPSOs in terms of CSFs, previously unidentified. This was in response to the
second research question of this study, RQ2: “Which IT governance practices are relevant to
PakPSOs?” This was achieved by identifying IT governance CSFs through systematic
literature review and operationalizing them through multi-case study approach in the selected
eight PakPSOs.
3.3.2.1 Rationale for Adopting Critical Success Factor Approach
IT governance implementation in PSOs is more complex than their private counterparts
(Weill & Ross, 2004) and situation is even challenging in PSOs of developing countries
(Nfuka & Rusu, 2011). The IT context of PSOs in developing countries is generally
characterized by low human development, limited IT resources, inadequate related
knowledge & competencies and cultural constraints (Nfuka & Rusu, 2011). Therefore, it is
not easy and feasible to implement generic IT governance practices in PSOs of developing
countries because such practices have been designed with major focus on private sector
organizations. The problem is even enlarged in PakPSOs due to the shortage of previous
research and non-availability of relevant data in this environment. Existing standards and
frameworks have many limitations in this environment including their complex nature, high
cost of implementation and lack of required competencies. However, CSFs are “the limited
number of areas in which results, if they are satisfactory, will ensure successful competitive
performance for the organization” (Rockart, 1979). These factors are used to direct the focus
on key areas central to the organizations‟ objectives where they invest their resources for
Page 85
70
success (Ward & Peppard, 2002). Due to their importance, such factors are applied in various
perspectives from a single project to the whole organization (Esteves, 2004). Therefore,
based on the context and nature of the study, CSFs approach is selected to identify right IT
governance practices in PakPSOs.
The researcher adopted CSFs approach to identify relevant IT governance practices in
PakPSOs due to the following reasons:
1) Lack of previous IT governance research on CSFs in PakPSOs.
2) CSFs are limited number of areas where focus can be given for success.
3.3.2.2 Systematic Literature Review
Systematic Literature Review (SRL) is a process of searching, evaluating, and interpreting
relevant papers/studies related to specific research question(s), area of interest and topic of
interest (Kitchenham, 2004). It has been considered as a leading method for collecting and
analyzing existing search work when nothing is available to a particular context. Various
researchers suggested various stages/steps for conducting systematic literature review. For
example, Kitchenham (2004) proposed three main stages: 1) review planning; 2) execution of
the review; 3) and reporting the results. At review planning stage, a review protocol is
developed containing the research question, search terms, criteria of paper/study selection
and strategy of data extraction. At execution of the review stage, a search of databases is
performed, executed stages are documented and papers/studies are selected based on the
evidence related to the research question. Moreover, quality of papers/studies is evaluated
and data within the papers are extracted, monitored and synthesized. At reporting the results
stage, a report is written based on the results and findings. Khan et al. (2003) proposed five
stages for conducting systematic literature review: 1) framing questions for a review; 2)
identifying relevant work; 3) assessing the quality of studies; 4) summarizing the evidence; 5)
and interpreting the findings. At framing questions for a review stage, the research question
and related terms are clearly defined before the commencement of actual literature review. At
identifying relevant work stage, the resources for the relevant literature are carefully
identified. At assessing the quality of studies stage, the discovered papers/studies are filtered
based on some quality measures. At summarizing the evidence stage, the discovered
evidences related to research question(s) are gathered and summarized for next step which is
actually data analysis and interpretation of results. At interpreting the findings stage, the
Page 86
71
results from the previous stages are analyzed and conclusions are made. However, the
researcher adopted five stages process proposed by Khan et al. (2003) for conducting
systematic literature review in this research phase due to its comprehensiveness and well
recognition in the literature.
3.3.2.3 Phase Methodology
The researcher has adopted five stages process proposed by Khan et al. (2003) for conducting
systematic literature review. The detail of actions taken by the researcher is as follows.
Stage 1: Framing question(s) for a review
At this stage, the research question and related terms are clearly defined before the
commencement of actual literature review. Therefore, the following research question was
formulated for this research phase: Which IT governance practices are relevant to PakPSOs?
The researcher selected following key words & terms to search related papers/studies and
publications: IT governance CSFs; IT governance performance & success factors, IT-
business alignment success factors, IT governance implementation minimum baselines,
factors affecting IT governance success etc.
Stage 2: Identifying relevant work
At this stage, the resources for the relevant literature are carefully identified. For this, the
researcher used Google scholar, ResearchGate network and Scopus database. These resources
wrap all the prominent journals in this field such as MIS journals, AIS journals and senior
scholar basket of journals etc. Moreover, the researcher searched papers from eminent
conferences in the area of IT governance such as “International Conferences on System
Sciences”, “Hawaii International Conference on System Sciences”, Mediterranean, Pacific
Asia, European and Australian conferences etc. Furthermore, the researcher used repositories
of IT Governance Institute (ITGI) which conducts IT governance research globally. A total of
55 papers/studies were identified and reviewed at this stage.
Page 87
72
Stage 3: Assessing the quality of papers/studies
At this stage, the discovered papers/studies are filtered out based on some quality measures.
The researcher applied the following quality measures to the discovered papers/studies: 1) the
paper/study is clearly related to the research question; 2) The paper/study has a clear
methodology; 3) the paper/study comes from some trusted resource and/or journal; 4) the
publication year of the paper/study should be 1995 or above because the phenomenon of IT
governance emerged in the literature in the late 1990s. The papers/studies that not met the
aforesaid quality criteria were rejected. In this way, a total of 18 papers/studies out of 55 were
finalized at this stage which is shown in Table 5.1 of chapter 5.
Stage 4: Summarizing the evidence
At this stage, the discovered evidences related to research question(s) are gathered and
summarized. Based on this explanation, 18 articles were investigated thoroughly in order to
determine their relevance with the research question of the study. For this, the researcher
selected those papers/studies in which IT governance CSFs have positive impact on IT
outcomes in terms of IT governance performance, IT-business alignment, IT effectiveness, IT
performance or strategic IT projects‟ success etc. Fortunately, all 18 papers well fitted to this
criterion. The focus was also given to papers/studies in PSOs especially of developing
countries. A total of 23 CSFs were logically harmonized from the aforesaid studies with the
consultation of research advisor and one public sector IT expert according to the context of
PakPSOs which are shown in Table 5.2 of chapter 5. These 23 CSFs were further
operationalised in PakPSOs through multi-case study approach. Quantitative and qualitative
responses of 18 senior managers in eight PakPSOs were sought through filling out
questionnaires and face-to-face interviews respectively. The distribution of the respondents in
the eight studied PakPSOs is shown in Table 5.3 of chapter 5. Purposive sampling technique
was used due to its simplicity. The unit of analysis was the organization. At least two
participants (one from business and other from IT) in each organization participated in the
interview process. A case study protocol was developed as suggested by Yin (2003). The
major interview questions are given in Appendix-IV. In step 1, the respondents were
requested to rate the “effectiveness” of each of the 23 CSFs on a scale from 1 (not effective)
to 5 (very effective) in their business settings. The purpose of step 1 was to drop the
irrelevant CSFs. The CSFs with 80% score or above were selected as IT governance CSFs for
Page 88
73
further analysis and the rest were dropped. In step 2, semi-structured interviews were
conducted of the respondents. The respondents were asked to choose the most relevant CSFs
from the list with comments/justification and/or enter their own as per their business settings.
When a theme started reoccurring, the interview process stopped. Archival records were also
checked to verify the responses. The interviews were tape-recorded and conducted into
national language which later converted into English language.
Stage 5: Interpreting the findings
At this stage, the results from the previous stages are analyzed and conclusions are made.
Content analysis was applied to extract themes from the data. NVIVO-10 was used for this
purpose. As a result, a total of 12 IT governance CSFs were found to be relevant for
PakPSOs. The results of the research phase 2 along with interpretation/discussion are given in
chapter 5.
3.3.3 Phase 3: Investigating the Effect of IT Governance Practices on IT Outcomes in
PakPSOs
The main purpose of this phase was to test and analyze the statistical effect of the identified
IT governance practices of research phase 2 on IT outcomes in PakPSOs. For this study, IT
outcomes are referred to as strategic IT projects‟ success attributes (task, organizational and
public outcomes) because most IT initiatives in this environment are undertaken in the form
of e-government projects which are usually strategic IT projects. Therefore, the focus of this
phase is on strategic IT projects‟ success attributes instead of overall IT spending. This was in
response to the third research question of this study, RQ3: “What is the effect of relevant IT
governance practices on IT outcomes in PakPSOs?” This was achieved by developing a
research model based on the CSFs finalized in the research phase 2 and applying PLS-based
structural equation modeling using sample data from PakPSOs. However, the main research
question was broken into the following three sub-questions.
RQ3.1: What is the effect of IT governance practices on IT projects‟ task outcomes?
RQ3.2: What is the effect of IT governance practices on IT projects‟ organizational
outcomes?
Page 89
74
RQ3.3: What is the effect of IT governance practices on IT projects‟ public outcomes?
3.3.3.1 Rationale for Investigating IT Governance at Strategic Projects’ Level
Prior research investigated IT governance arrangements at organizational level
(organizational context variables) but later research extended it to business unit level
(business unit context variables). At business unit level, differentiated IT governance
arrangements were identified where some business units of the same organization had
centralized IT decisions and others had decentralized (Brown, 1997). The context of the
business unit affects the selection of IT governance arrangement (Brown & Magil, 1998). It
means that the concept of IT governance has been evolved from organizational level to
business unit level with possibility of several IT governance arrangements in the same
organization. This trend can be carried on and extended from business unit level to projects‟
level because IT governance improves accountability of projects (Al Qassimi & Rusu, 2015).
The researcher investigated the effect of identified practices of research phase 2 on IT
projects‟ outcomes due to the following reasons:
1) Most IT initiatives in PakPSOs are undertaken in the form of e-government projects
which are usually strategic IT projects. Therefore, most of the data is available on
strategic IT projects in this environment instead of overall IT spending.
2) Most of IT success/failure is accounted at strategic IT projects‟ level in this
environment.
3) Strategic IT projects‟ success is an effective indicator of good IT governance (Van
Grembergen & De Haes, 2005).
4) One of the objectives of IT governance is the strategic alignment of major IT projects
with organizational goals (Hiekkanen, 2015; ITGI, 2007).
3.3.3.2 Phase Methodology
Development of Research Model and Hypotheses
The research model of this phase is shown in Figure 3.3. It consists of 12 CSFs as
independent variables and IT projects‟ task, organizational and public outcomes as dependent
Page 90
75
variables. It is reasonable to believe that 12 CSFs significantly influence task, organizational
and public outcomes of strategic IT projects. The description of each variable of the research
model with necessary support from existing literature for hypotheses development is
provided below.
V1. IT leadership
V2. Senior management
involvement and support
V3. IT/business communication
& partnership
V4. Engagement of key stakeholders
V5. Defined, aligned and cascaded
IT and business strategies
V6. IT structures for
responsiveness and accountability
V7. Policies and guidelines for optimal acquisition and use of IT
V9. Standardized and managed IT
infrastructure and applications
V10. IT governance awareness
and training
V11. Competitive IT professionals
V12. Performance measures and benchmarks
V8. Risk identification and
mitigation mechanism
+
DV1. Task Outcomes
DV2. Organizational Outcomes
DV3. Public Outcomes
IT Outcomes
IT Governance Practices
Figure 3.3: Research Model
Page 91
76
IT Leadership- The literature on strategic use of IT demonstrates the importance of IT
leadership for success (De Haes & Van Grembergen, 2009; Ewusi-Mensah, 1997; Beath,
1991). It refers to the ability of CIO or similar position to articulate a vision for the IT‟s role
in the organization and ensure that the vision is clearly understood by managers throughout
the organization (De Haes & Van Grembergen, 2009). The practice is crucial to manage and
lead IT and transformation program which is often executed in the form of IT projects in
PSOs. IT leadership looks into the potential & contribution of IT projects and demonstrates
viable IT value proposition for organization and general public. This practice is influential in
tabling relevant IT projects‟ plans for the management and ensuring necessary support and
intervention. IT leadership actively communicates IT project vision to the project team and
obtains support from stakeholders (Ewusi-Mensah, 1997) and strives for removing hurdles at
project approval and implementation stages. It possesses competencies to inspire, influence
and guide IT strategic integration (Luftman et al., 1999). Hence, it is reasonable to believe
that IT leadership greatly influences on IT projects‟ task, organizational and public outcomes
success: Therefore:
H1a: The degree to which IT leadership is demonstrated in organization significantly affects
task outcomes.
H1b: The degree to which IT leadership is demonstrated in organization significantly affects
organizational outcomes.
H1c: The degree to which IT leadership is demonstrated in organization significantly affects
public outcomes.
Senior Management Involvement and Support- This practice refers to the engagement of
executive and senior management in IT-related decision-making and monitoring processes
for favorable results (Huang et al., 2010). It also refers to the commitment of top management
to provide required resources and authority for project success to achieve desired outcomes
(Pinto & Slevin, 1989). Top management involvement and support is imperative for effective
management and use of IT because IT is a key enabler for organizational strategy and related
processes (Weill & Ross, 2004). The need is enlarged in the context of developing countries
which requires strong political support for strategic use and management of IT (Nfuka &
Rusu, 2010). Moreover, top management commitment and practices get great deal of
attention among users (Tan et al., 2009). Top management involvement can enhance the
possibility of IT projects‟ efficiency and quality (Ravichandran & Rai, 2000), oranizational
Page 92
77
outcomes (Aladwani, 2001) and benefits in terms of transparancy and e-democarcy (Ndou,
2004). This leads towards the following hypothesis:
H2a: The degree to which senior management is involved and supports IT activities
significantly affects task outcomes.
H2b: The degree to which senior management is involved and supports IT activities
significantly affects organizational outcomes.
H2c: The degree to which senior management is involved and supports IT activities
significantly affects public outcomes.
IT/Business Communication and Partnership- The literature on IT-business alignment
highlights the importance of involvement of business people into IT activities and IT people
into business processes (De Haes & Van Grembergen, 2009). The business people IT
knowledge and IT people business knowledge is crucial for IT governance (De Maere &
Kutzschenbach, 2017). Responsibilities of IT projects are shared among IT and business
people in higher performing organizations (Avital & Vandenbosch, 2002). Equally important
is the communication and partnership between them (Luftman et al., 1999). This practice is
vital for the success of IT projects‟ task outcomes (Pinto & Slevin, 1989), organizational
outcomes (Weill & Ross, 2004) and public outcomes (Moore, 1997). Thus:
H3a: The degree to which IT/business communication and partnership is encouraged and
supported in organization significantly affects task outcomes.
H3b: The degree to which IT/business communication and partnership is encouraged and
supported in organization significantly affects organizational outcomes.
H3c: The degree to which IT/business communication and partnership is encouraged and
supported in organization significantly affects public outcomes.
Engagement of Key Stakeholders- This practice refers to the engagement of key stakeholders
with clear roles, goals and shared understanding of common agenda and success criteria
(Belassi & Tukel, 1996). The need is enlarged in PSOs due to the presence of numerous
stakeholders with competing needs than their private counterparts (Dawes et al., 2004). More
the organization involves key stakeholders, more the success of IT investment or project
(Weill & Ross, 2004). Shared understanding among key stakeholders is a critical success
factor for IT projects‟ task outcomes (Belassi & Tukel, 1996). Moreover, this practice is
Page 93
78
crucial for organizational outcomes of IT investment or projects (Nfuka & Rusu, 2011,
Ribbers et al., 2002). Furthermore, Moore (1997) highlights the importance of this practice
for public outcomes in his public value framework. Hence:
H4a: The degree to which key stakeholders are engaged in IT activities significantly affects
task outcomes.
H4b: The degree to which key stakeholders are engaged in IT activities significantly affects
organizational outcomes.
H4c: The degree to which key stakeholders are engaged in IT activities significantly affects
public outcomes.
Defined, Aligned and Cascaded IT and Business Strategies- One of the goals of IT
governance is the strategic alignment i.e. alignment between IT and business (De Haes &
Van Grembergen, 2009). One way to achieve strategic alignment is to define, align and
implement IT strategy in line with organizational strategy and communicate it down in an
organization (Nfuka and Rusu, 2011; Luftman et al., 1999). Moreover, one of the measures of
strategic alignment is the strategic match of major IT projects with organizational objectives
(Van Grembergen & De Haes, 2005) and strategic alignment is crucial to control and oversee
IT activities that lead towards IT projects‟ implementation success with desired benefits. It is
reasonable to believe that properly defined, aligned and cascaded IT and business strategies
with clear goals and targets lead towards IT projects‟ task, organizational and public
outcomes success. Thus:
H5a: The degree to which IT and business strategies are defined, aligned and cascaded in
organization significantly affects task outcomes.
H5b: The degree to which IT and business strategies are defined, aligned and cascaded in
organization significantly affects organizational outcomes.
H5c: The degree to which IT and business strategies are defined, aligned and cascaded in
organization significantly affects public outcomes.
IT Structures for Responsiveness and Accountability- Governance is about accountability and
responsiveness. IT structure refers to the presence of responsible functions and clear roles &
responsibilities for IT decision-making (De Haes & Van Grembergen, 2006). It also involves
various committees to prioritize and oversee IT projects/investments (De Haes & Van
Page 94
79
Grembergen, 2008; Bowen et al., 2007; Weill, 2004) which are crucial for ensuring
responsiveness and accountability. IT steering committee is a key determinant for IT project
implementation success (Allassani, 2013) and IT project steering committee is among the top
10 most important IT governance practices (De Haes & Van Grembergen, 2008). This
practice has direct impact on IT projects‟ task, organizational and public outcomes. Hence, it
is proposed:
H6a: The degree to which IT structures for responsiveness and accountability are present in
organization significantly affects task outcomes.
H6b: The degree to which IT structures for responsiveness and accountability are present in
organization significantly affects organizational outcomes.
H6c: The degree to which IT structures for responsiveness and accountability are present in
organization significantly affects public outcomes.
Policies & Guidelines for Optimal Acquisition and Use of IT- This practice is crucial to
institute and enforce best practices throughout the organization for clear processes, methods
and frameworks to encourage desirable behavior and create and preserve optimal value of IT
(Tan et al., 2009; Weill, 2004). Many generic standards and framework such as COBIT, ITIL,
PRINCE2 and PMBOK etc. are available but which framework is suitable for an organization
depends on the context and priority of the organization (Bowen et al., 2007). Some
organizations have designed their own frameworks. The literature on best practices revealed
that embedding best practices in organizational context increase the likelihood of IT projects‟
implementation success. It is reasonable to believe that adherence to organizational policies
guidelines for optimal acquisition and use of IT increases the success of IT projects‟ task,
organizational and public outcomes. This leads to the following hypothesis:
H7a: The degree to which policies and guidelines for optimal acquisition and use of IT are
exercised in organization significantly affects task outcomes.
H7b: The degree to which policies and guidelines for optimal acquisition and use of IT are
exercised in organization significantly affects organizational outcomes.
H7c: The degree to which policies and guidelines for optimal acquisition and use of IT are
exercised in organization significantly affects public outcomes.
Page 95
80
Risk Identification and Mitigation Mechanism- This practice involves analyzing and
assessing IT risks, monitoring efficiency of internal controls and implementing necessary
mechanisms to minimize risks. It also deals with procedures to ensure transparency about
significant risks and a proactive risk management approach to create competitive advantage.
It ensures information security against various threats and insists in embedding risk
management in the operation of the organization. One of the reasons of an IT investment or
project failure is the inability to identify and mitigate risks until it is too late or costly to make
corrections. Proponents of IT project risk management argue that identifying and mitigating
threats to success decrease the chances of the project failure (Boehm, 1991). Usually, three
types of risks are involved in IT projects: technology; resource; and business (Keil et al.,
1998). This leads to the following hypothesis:
H8a: The degree to which IT risks are identified and mitigated in organization significantly
affects task outcomes.
H8b: The degree to which IT risks are identified and mitigated in organization significantly
affects organizational outcomes.
H8c: The degree to which IT risks are identified and mitigated in organization significantly
affects public outcomes.
Standardized and Managed IT Infrastructure and Applications- This practice refers to the
provision and management of a standardized and reliable IT infrastructure and applications
(Peterson, 2004). In IT projects‟ context, it refers to the support technologies. Henderson and
Cooprider (1990) describe three dimensions of support technologies: production;
coordination; and organizational. Production technologies are used to describe information
requirements; to analyze information flows and data relationships; and to transform program
views into program codes. Coordination technologies enable control and cooperative
activities. Organizational technologies deal with support and infrastructure functionalities.
Post et al. (1999) argue that development tools and equipment are crucial in determining the
success or failure of IT projects. Support technologies not only enhance the
programmers/analysts abilities but also reduce the delivery cycle (Henderson & Cooprider,
1990). Standardized and managed IT infrastructure and applications not only facilitates IT
projects‟ task outcomes but also organizational and public outcomes. Thus, we propose:
Page 96
81
H9a: The degree to which IT infrastructure and applications are standardized and managed in
organization significantly affects task outcomes.
H9b: The degree to which IT infrastructure and applications are standardized and managed in
organization significantly affects organizational outcomes.
H9c: The degree to which IT infrastructure and applications are standardized and managed in
organization significantly affects public outcomes.
IT Governance Awareness and Training- This practice refers to the campaigns to clarify the
need of IT governance to business and IT people (De Haes & Van Grembergen, 2009). In the
context of lower IT knowledge and culture, Nfuka and Rusu (2010) refer this practice as
mindset change and competency improvement. It is reasonable to believe that provision of IT
governance awareness and training throughout the organization on IT projects‟ contribution
and resulting benefits facilitates the success of IT projects „tasks, organizational and public
outcomes. Hence:
H10a: The degree to which IT governance awareness and training is provided in organization
significantly affects task outcomes.
H10b: The degree to which IT governance awareness and training is provided in organization
significantly affects organizational outcomes.
H10c: The degree to which IT governance awareness and training is provided in organization
significantly affects public outcomes.
Competitive IT Professionals- This practice refers to the human resources‟ knowledge, skills,
competencies and acquaintance with organizational goals and public expectations. It is an
engine of innovation, optimization and performance (Peterson, 2004). Prior literature reveals
that knowledge and experience and resulting acquaintance with problem faced is an essential
determinant of IT projects‟ implementation success (Aladwani, 2002). Since, a large portion
of IT projects involves repeated problems (Swanson et al., 1991) and experienced members
are more likely to have faced the similar problems (Prietula & Simon, 1989) so experienced
members are expected to show higher performance than inexperienced members. Expertise of
team members is a critical success factor for IT projects‟ implementation success (Wateridge,
1995; Pinto & Slevin, 1989). The same is true for the acquaintance of team members with IT
projects‟ contribution towards organizational goals and public service delivery. Thus, it is
Page 97
82
reasonable to believe that attracting, developing and retaining competitive IT professionals
lead towards better task, organizational and public outcomes of IT projects:
H11a: The degree to which competitive IT professionals are attracted, developed and retained
in organization significantly affects task outcomes.
H11b: The degree to which competitive IT professionals are attracted, developed and retained
in organization significantly affects organizational outcomes.
H11c: The degree to which competitive IT professionals are attracted, developed and retained
in organization significantly affects public outcomes.
Performance Measures & Benchmarks- This practice refers to measuring and reporting IT
projects‟ efficiency & effectiveness and their contribution towards the organizational goals. It
involves tracking and monitoring IT projects & operations and IT strategy. It also deals with
the performance of processes, resources and public service delivery. One of the examples of
performance measurement is the use of Balanced Scorecard (BSC) that translates strategies &
policies into action to achieve measurable goals from four perspectives: organizational,
customer/general public, operations and innovation/skills. This practice is considered as an
integral part of effective IT governance (Peterson, 2004; Weill, 2004). Prior literature
highlights the importance of performance monitoring and feedback for IT projects‟
implementation success (Muller & Turner, 2005). Hence, it is proposed:
H12a: The degree to which active performance measures and benchmarks are applied in
organization significantly affects task outcomes.
H12b: The degree to which active performance measures and benchmarks are applied in
organization significantly affects organizational outcomes.
H12c: The degree to which active performance measures and benchmarks are applied in
organization significantly affects public outcomes.
The Population and Sample
The study population contained fully or partially completed IT projects in Ministries,
Departments & Agencies (MDAs). The projects were mainly public datacenters, database and
registration systems; e-filing, e-tax and e-billing systems; driving licensing and vehicle
registration systems; land record management systems; hospital management systems;
Page 98
83
disaster management systems; monitoring and evaluation related e-systems; e-
recruitment/procurement systems; online education systems and other academia related e-
systems. The sampling frame was the Public Sector Development Programs (PSDPs) of last
12 years at federal and provincial levels. Due to the context of the study, purposive sampling
technique was applied to select right projects and respondents. The unit of analysis was
individuals, mainly IT executives, IT and project directors, managers and coordinators
knowledgeable and well-versed in managing public sector IT projects. It also included key
project users in some cases who remained involved in project implementation phase and
shifted in operation phase after projects‟ completion. The sample characteristics are shown in
Table 6.1 of chapter 6. A total of 200 questionnaires were distributed by hand and through
emails. The data collection process was commenced in December, 2015.
Operational Measures
Whenever possible, we used existing and previously validated scales. However, some
questions were slightly modified. All the scales were discussed with two IT experts having
rich experience in managing public sector IT projects. Their recommendations were
incorporated in the final questionnaire. The items of scale for 12 IT governance practices
were adopted from Nfuka and Rusu (2011) and Keil et al. (1998) and measured on five point
Likert scale, 1 (strongly disagree) to 5 (strongly agree). The items of scale for task outcomes
were borrowed from Henderson and Lee (1992) and measured on seven-point Likert scale, 1
(extremely low) to 7 (extremely high). The items of scales for organizational and public
outcomes were used from the existing literature and resulted in self-constructed scales. The
items of both scales were measured on seven-point Likert scales, 1 (strongly disagree) to 7
(strongly agree). The items and their sources are given in Appendix-V.
Data Analysis
The analysis was based on the research model (Figure 3.3) and PLS-based structural equation
modeling. The PLS is a variance-based structural equation modeling technique useful for
testing relationships within a structural model to ensure statistical conclusion validity (Fornell
& Larcker, 1981). The results of the research phase 3 along with discussion are given in
chapter 6.
Page 99
84
3.3.4 Phase 4: Developing and Evaluating the Proposed IT Governance Framework
The main purpose of this phase was to develop and evaluate a framework for effective IT
governance implementation in PakPSOs. This was in response to the fourth research question
of this study, RQ4: “How can effective IT governance practices be implemented in
PakPSOs?” This was achieved by developing and evaluating IT governance implementation
framework using design science research approach.
3.3.4.1 Rationale for Selecting Design Science Research Approach
Design activities have been playing an important role in many applied science disciplines.
There is a long history of design science research in various fields such as engineering,
architecture, education, fine arts and psychology (Cross, 2001). Majority of the research on
design science has recognized the seminal contribution of work of Simon (1969) who wrote
the book “The Sciences of the Artificial”. Many design science ideas, concepts and methods
originated from other disciplines have been applying to information systems. However,
information systems inherently face various distinctive and challenging design problems due
to the frequent advancements in this discipline which require fresh and innovative ideas.
Design science research demonstrates high relevancy with information system research as it
apparently deals with two of the central issues of this discipline: artifact‟s role in information
system research; the perceived lack of professional relevance of information system research
(Benbasat & Zmud, 2003). One important characteristic of design science is that it provides
explicit prescriptions (guidelines or principles) for constructing an artifact (Gregor & Jones,
2007). Therefore, design theory is normative or prescriptive type of theory. Other important
characteristic that distinguishes design science from natural sciences is that its outcomes are
evaluated against the criteria of utility whereas theories of natural sciences are evaluated
against the criteria of truth (March & Smith, 1995). Within the management literature, design
science has been advocating as an approach to mitigate the serious utilization problem or
relevance problem of traditional description driven research (Van Aken, 2004). Peffers et al.
(2008) advocate that design science research is highly associated with behavioral science
research.
Page 100
85
Through design science research, a new IT artifact can be developed and evaluated to solve
known problems in organizations (Hevner et al., 2004). These artifacts are not only computer
and computer systems but also a complex and changing combination of people, technology
and organization (Dahlbom, 1996). An IT artifact can be a construct, model, instantiation or
method (Hevner et al., 2004). A method can be used as a framework because a framework is
an outline of interconnected elements that supports a particular approach to a specific
objective and serves as a guide that can be modified when and where required by adding or
deleting elements (Business Dictionary, 2012). Moreover, a framework can be based on
theoretical and/or practical experiences that provide recommendations to help practitioners
and academicians in the same way.
Many researchers consider design science itself as a paradigm (Peffers et al., 2008; Vaishnavi
& Kuechler, 2007; Hevner et al., 2004; Gregg et al, 2001). However, McKay and Marshall
(2007) consider design science as a body of knowledge that can be developed through the
application of a variety of methods based on the existing interpretive and positivist
paradigms.
Various researchers proposed various comprehensive methodologies and processes to
conduct design science research (Peffers et al., 2008; Vaishnavi & Kuechler, 2007; McKay &
Marshall, 2005; Hevner et al., 2004; Walls et al., 1992). However, these methodologies and
processes share in common the two core activities identified by Hevner et al. (2004) in their
framework of information systems. These two core activities are: develop/build the artifact;
justify/evaluate the artifact. Hevner et al. (2004)‟s framework is shown in Figure 3.4.
Page 101
86
A brief description of the framework is provided here.
The environment consists of people, organization and technology. Goals, tasks, problems and
opportunities that create the business needs of the organization lie in the environment.
Business needs are realized by the people of the organization depending on their roles,
capabilities and characteristics. Strategies, structure, culture and business processes of the
organization are used to assess and evaluate business needs. Existing and planned
technological infrastructure, applications, communication architectures and development
capabilities shape the strategies, structure, culture and business processes of the organization.
In this way, people, organization and technology altogether define the business needs or
problem. The research relevance is ascertained when research activities are formulated to
address the business needs.
The IS research is conducted into two complementary phases for such an articulated business
needs (Hevner et al., 2004). Behavior science research builds and justifies theories to describe
or forecast phenomenon relevant to the known business needs whereas design science
People
Roles
Capabilities
Characteristics
Organization
Strategies
Structure and
culture
Processes
Technology
Infrastructure
Applications
Communication
architecture
Development
capabilities
Foundations
Theories
Frameworks
Instruments
Constructs
Models
Methods
Instantiations
Methodologies
Data analysis
techniques
Formalisms
Measures
Validation
criteria
Business
Needs
Applicable
Knowledge
Environment IS Research Knowledge Base Relevance Rigor
Develop / Build
Theories
Artifacts
Justify / Evaluate
Analytical
Case study
Experimental
Field study
Simulation
Assess
Refine
Application to the appropriate environment Additions to the knowledge base
Figure 3.4: Information Systems research framework (Hevner et al., 2004)
Page 102
87
research builds and evaluates artifacts to fulfill the known business needs. Both types of
research use justify/evaluate activities to discover weaknesses in the theory and artifact.
Therefore, refinement and reassessment is needed. Future research directions are typically
addressed in refinement and reassessment process.
The knowledge base consists of foundations and methodologies to provide raw material to
conduct information system research. Theories, frameworks, instruments, constructs, models,
methods and instantiations from the previous information system research and related
disciplines are used for develop/build phase of the research. Guidelines for justify/evaluate
phase are provided by methodologies. Through the proper utilization of prior foundations and
methodologies, the rigor is accomplished. Methodologies are mainly used in behavior
science research for data collection and empirical analysis whereas mathematical and
computational techniques are mainly applied in design science research to evaluate the
artifacts. In design science, empirical techniques can also be used.
The researcher adopted design science research approach in line with Hevner et al. (2004) to
develop and evaluate IT governance implementation framework for PakPSOs due to the
following reasons:
1) Design science research is capable for developing and evaluating IT artifacts to solve
known problems in organizations.
2) Design science research is highly associated with behavioral science research.
3.3.4.2 Phase Methodology
According to design science research, a framework is iteratively built in two phases: develop;
and evaluate (Hevner et al., 2004). Therefore, two iterations were performed in the
development phase and one in the evaluation phase. In iteration 1, the initial IT governance
implementation framework (initial version) was built based on the results of research phase 3,
existing knowledge base and focus groups‟ opinion in PakPSOs. In iteration 2, the initial
version of the framework was extended and enhanced through interview and survey research
using empirical data from the heads of IT and business units having experience on the
strategic management of IT in PakPSOs. This resulted in an enhanced IT governance
implementation framework (first version). In iteration 3, the enhanced framework was
evaluated in a real business environment in one of the PakPSOs. This resulted in the proposed
IT governance implementation framework (second version). In this way, the methodology of
Page 103
88
this phase which is framework development and evaluation process has been adopted from
Nfuka and Rusu, (2013). They have already applied this methodology in their study of
framework development and evaluation process.
The framework development and evaluation process is shown in Figure 3.5.
Iteration 1: Developing Initial Version of the Framework
The initial version of the framework was developed based on the results of research phase 3
and extended with the existing knowledge base and focus groups‟ opinion in PakPSOs. The
basic building blocks of the initial version were the IT governance practices identified and
validated in research phases 2 & 3 respectively. In research phase 2, the most influential and
relevant IT governance practices in terms of CSFs were identified and operationalised in
PakPSOs. In research phase 3, the identified practices were validated through survey-based
Build and Extend the
Framework
(Initial Version)
Initially based on the
results of research phase
3
Extended with existing
knowledge base and focus groups‟ opinion of
35 IT and management
personnel in 6 PakPSOs
Enhance the Framework
(First Version)
Based on interviews of
46 heads of IT and
business in 23 PakPSOs
having rich experience in strategic management of
IT and business
Complemented by
interviews of 5 related
industry/academic
experts
Evaluate the Framework
(Second Version)
Based on case study in
one of the PakPSOs
Complemented with
qualitative and
quantitative opinion of
27 IT and management personnel
Development Phase Evaluation Phase
Iteration 1 Iteration 2 Iteration 3
Figure 3.5: Framework development and evaluation process
Page 104
89
quantitative research in PakPSOs. As a result, a total of 11 IT governance practices found to
be relevant and effective to this environment i.e. PakPSOs.
However, the validated set of IT governance practices provided only the high level view. It
provided no guidance on how to implement the relevant actions for each guiding IT
governance practice to meet the claimed objective of the framework. In order to ensure the
relevant actions to be employed for each guiding IT governance practice, activities
(checkpoints) were introduced in the initial version. Due to the scarcity of this kind of
previous research in PakPSOs, the researcher adopted these activities from the existing
literature. The activities were adopted mainly from the studies of Alreemy et al. (2016),
Razak and Zakaria (2014), Nfuka and Rusu (2013), Aggarwal (2010); Tan et al. (2009), Lee
et al. (2008), De Haes and Van Grembergen (2008), Hoch and Payan (2008), Lawry et al.
(2007), Bowen et al. (2007), PwC and ITGI (2006), Guldentops (2004), Weill and Ross
(2004), Weill (2004), ITGI (2003), Ribbers et al. (2002), Luftman et al. (1999) and Teo and
Ang (1999) etc. A total of 62 activities were adopted from the existing literature for 11 IT
governance practices (four to eight activities for each practice) and operationalised them in
PakPSOs through focus groups‟ opinion for the purpose to develop the initial version.
The role for each activity was also incorporated into the initial version due to the relegating
IT issues and lack of IT ownership in the PSOs of developing countries and their overall less
effective governance (Nfuka & Rusu, 2013). A role is a set of duties, rights, norms and
behavior that an individual or group of individuals has to face and accomplish (Hindin,
2007). The suitable role for each activity was adopted from the existing literature. COBIT
framework suggests 19 roles. However, these roles are complex and exhaustive and all
organizations do not employ all these roles (Simonsson & Johnson, 2008). They arranged 19
roles of COBIT into five categories which resulted in five roles: executives; business; IT
management; IT operations; and compliance, audit, risk and security. Therefore, the
researcher adopted five roles from the study of Simonsson and Johnson (2008) and
operationalised them in PakPSOs through focus groups‟ opinion for the purpose to develop
the initial version.
The existing literature on IT governance and related frameworks also highlights the need of
effective management and use of IT resources for success (ITGI, 2007; Peterson, 2004). The
need is even enlarged in this study environment due to the scarcity of adequate IT, developed
human and sufficient financial resources. ITGI (2007) classified IT resources into four types:
applications; information; infrastructure; and people; and. Therefore, four IT resources to
Page 105
90
perform each activity were adopted from ITGI (2007) for the purpose to develop the initial
version.
The environment is also accounted as an important element of any framework. Due to the
operating culture of PakPSOs and state of IT in these organizations and overall in the
country, the environment was incorporated as another element of the framework. Although
the environment lies outside the system‟s control but some aspects of the system‟s
performance are influenced by the environment (Schoderbek et al., 1990). As the matter for
the current study, the researcher operationalised the environment as national level IT-related
strategies & policies (Digital Pakistan Policy, 2017 and National IT Policy and Action Plan,
2001), E-government strategies, policies, regulation & infrastructure (E-government Strategy
and Five Years Plan for Federal Government, 2005, E-government strategy, 2012, E-
government strategy, 2015) and IT governance standards and best practices (COBIT, ITIL,
ISO/IEC 38500 etc.) implemented to some extent in some of the PakPSOs.
Another important element of the framework is the organization in which it is implemented.
Although things may vary based on the type and nature of the organization and especially the
services that it provides to the public but a framework is generally supposed to be aligned and
interacted with its strategies & policies, structures & systems and objectives & goals.
Therefore, the researcher operationalised the organization as organizational strategies &
policies, organizational structures & systems and organizational objectives & goals for
sustainable success.
As aforesaid, an initial list of activities, roles and IT resources was developed from the
relevant literature as shown in Table 7.1, Table 7.2 and Table 7.3 respectively of chapter 7. A
case study protocol was developed as proposed by Yin (2003). The major questions asked are
given in Appendix-VI & VII. The data collection process was commenced in March, 2016. A
total of six focus groups were formed in six PakPSOs i.e. one focus group in one of the
PakPSOs. The respondents were mainly consisted of IT/business directors, deputy directors
and IT project directors well-versed in managing public sector IT related matters. Persons at
the level equivalent to CIOs in the organizations assisted to arrange the focus groups. A total
of 35 personnel participated in the focus groups. The distribution of the respondents in the six
studied PakPSOs is shown in Table 7.4 of chapter 7. There were five to seven members in
each focus group representing both IT and business management in order to discuss and
develop consensus on each activity, its suitable role and its appropriate IT resource. The
focus groups were conducted in two rounds. In the first round, the respondents were
requested to provide feedback on each activity, assign a suitable role to each activity and
Page 106
91
choose an appropriate IT resource for each activity as shown in Appendix VI. They were
allowed to add, delete and change activities, roles and IT resources as per their business
settings. No other feedback was solicited at this stage. The purpose was to operationalize the
predefined list of activities, roles and IT resources in PakPSOs. The interview notes were
used to record the responses. Content analysis was applied for data analysis. In the second
round, the respondents were requested to rate each activity for its “perceived effectiveness”
on a scale from 1 (not effective) to 5 (very effective) and its “perceived ease of
implementation” on a scale form 1 (not easy) to 5 (very easy) as shown in Appendix VII.
EDA was applied for data analysis. The activities with scores equal to or above 60% on both
perceived effectiveness and ease of implementation were selected for the initial version.
Consequently, the initial version of the framework was built with all of the aforesaid
components i.e. activities, roles, IT resources, environment and organizational strategies,
structures & systems and goals. The initial version of the IT governance implementation
framework is shown in Figure 7.2 of chapter 7.
Iteration 2: Developing First Version of the Framework
In iteration 2, the initial version of the framework was enhanced through the interviews of 46
personnel in 23 PakPSOs mainly heads of IT and business having rich experience in strategic
management of IT and business. This was also complemented by the interviews of 5 related
industry experts. The respondents profile is shown in Table 7.7 of Chapter 7. The purpose
was the general enhancement of the framework through new or improved activities,
suitability of the assigned roles and IT resources. A case study protocol was developed as
proposed by Yin (2003). Semi-structured interviews were conducted using a questionnaire
developed based on the components of the initial version. The major questions asked are
given in Appendix-VIII. The interviews were tape-recorded and conducted in national
language which later converted into English language. The collected data were analyzed
using content analysis through which structures and patterns regularities are searched in the
text and inferences are made based on these regularities (Myers, 2008). The analyzed data
then categorized and incorporated into the framework. The process resulted in the first
version of the framework. The first version of the IT governance implementation framework
is shown in Figure 7.3 of chapter 7.
Page 107
92
Iteration 3: Finalizing Second Version of the Framework
The purpose of iteration 3 was to evaluate the first version of the framework in one of the
PakPSOs ending up in the second version. However, little work in the design science research
arena has addressed the choice of strategies for evaluation (Pries-Heje et al., 2008). Here is
brief overview of some of the studies. Walls et al. (1992) introduce the notion of discrete
testable hypotheses for explicitly evaluating two components of information system design
theories: the design process; and the design product (meta-design) in their ability to achieve
meta-requirements. However, they provide no guidance on how to evaluate but the
presumption seems to be a positivist approach. March and Smith (1995) emphasize
evaluation as one of the two activities in design science: build and evaluate. They argue that
evaluation regards the development of criteria and the assessment of the artifact‟s
performance in comparison to the criteria. Among their seven guidelines, Hevner et al. (2004)
require researchers to rigorously evaluate design artifacts. They summarize five kinds of
evaluation methods (analytical, case study, experimental, field study and simulation).
However, they do not provide much guidance in choosing among extant evaluation methods.
Venable (2006) classified design science research evaluation approaches into two primary
forms: naturalistic and artificial evaluation. They argue that naturalistic evaluation explores
the performance of a solution technology in its real environment i.e. within the organization,
whereas artificial evaluation evaluates a solution technology in a contrived and nonrealistic
way. Sun and Kantor (2006) makes distinction between naturalistic and artificial evaluation.
They argue that naturalistic evaluation relates closely to natural setting which involves real
users using real systems to solve real problems i.e. to accomplish real tasks in real settings,
whereas artificial evaluation is unreal in some way or ways such as unreal users, unreal
systems, and especially unreal problems. Naturalistic evaluation methods include case
studies, field studies, surveys, ethnography, phenomenology, hermeneutic methods, and
action research, whereas artificial evaluation methods include laboratory experiments, field
experiments, simulations, criteria-based analysis, theoretical arguments, and mathematical
proofs (Pries-Heje et al., 2008). Naturalistic evaluation is always empirical and may be
interpretive, positivist, and/or critical, whereas artificial evaluation may be empirical or non-
empirical (Walls et al., 1992). Pries-Heje et al. (2008) describe that naturalistic evaluation
embraces all of the complexities of human practice in real organizations and may be difficult
and costly because it must discern the effects of many confounding variables in the real
Page 108
93
world. They argue that, to the extent that naturalistic evaluation is affected by confounding
variables or misinterpretation, evaluation results may not be precise or even truthful about an
artifact‟s utility or efficacy in real use. Klecun and Cornford (2005) described two
perspectives of information system evaluation: ex ante and ex post evaluation. They argued
that in the ex ante perspective, candidate systems or technologies are evaluated before they
are chosen and acquired or implemented, whereas in the ex post perspective, a chosen system
or technology is evaluated after it is acquired or implemented. Pries-Heje et al. (2013)
propose ex anti perspective for artificial evaluation and ex post perspective for naturalistic
evaluation. However, they claim that more naturalistic forms of ex ante evaluation are also
possible. Venable (2006) uses ex post perspective largely in his study but he also
accommodates ex ante perspective. Purao and Storey (2008) propose that the Technology
Acceptance Model (Davis, 1989) can be used as a predictive theory (Gregor, 2006) to
evaluate whether a design science research artifact is likely to be adopted in practice or
otherwise.
In this study, the researcher adopted Hevner et al. (2004) approach of evaluation as it covers
both naturalistic and artificial evaluation. Hevner et al. (2004) proposed five approaches for
evaluation of a developed artifact against the utility it provides in the business environment.
These five approaches are: analytical, case study, experimental, field study and simulation.
However, the case study approach was selected because of the context of the framework and
the need for a real business environment within which PakPSOs operate. Therefore, the
researcher selected one of the PakPSOs (refers to as organization M in this study) to evaluate
the proposed framework. The selection of the organization was based on its relatively mature
IT structures, processes and experienced IT/management personnel. All these were
considered for valuable inputs to evaluate the framework.
A case study protocol was developed as suggested by Yin (2003) based on the studies of
Walford (1990) and Clementi and Carvalho (2006) to measure the effectiveness of the
framework. Semi-structured interviews of 27 IT and business personnel from top
management to operational management were conducted in organization M. The
respondents‟ profile in case study for evaluating the framework is shown in Table 8.4 of
chapter 8.
A questionnaire was handed over to the respondents and considerable time was granted them
to review it and answer the questions. The major questions asked during the evaluation of the
framework are given in Appendix-IX. The validity was assured by inspecting organizational
documents such as IT-related policies, strategies, plans, procedures, structures, frameworks,
Page 109
94
annual and performance reports etc to triangulate with the respondents‟ views. The researcher
gathered those documents before the interviews with the help of the person equivalent to CIO
of the organization.
The following evaluation criteria were applied:
(1) Formal description to meet the need for no ambiguity
(2) Definable activities through understandability of the framework
(3) Completeness of the framework to ensure no additional activities are needed
(4) Activities to be capable of implementation
Two more evaluation criteria were applied as suggested by Hevner et al. (2004).
(5) Usability via measuring ease of use
(6) Fit by measuring the usefulness of the framework in the organization
Each evaluation criterion was assessed quantitatively on a five-point Likert scale ranging
from 1 (strongly disagree) and 7 (strongly agree). EDA was applied for data analysis.
Qualitative opinion was also sought for the further improvement of the framework which was
tape-recorded originally in national language and later converted into English language. The
said evaluation criteria were also applied by Nfuka & Rusu (2013). The process resulted in
the second version of the framework. The second version of the IT governance
implementation framework is shown in Figure 8.5 of chapter 8.
3.4 Validity and Reliability
In social science methods, the most applied aspects to meet research quality are construct
validity, internal validity, external validity and reliability (Yin, 2003). Therefore, this study
only focuses on construct validity, internal validity, external validity and reliability. Other
types of validities such as face validity, content validity and criterion validity etc. is not the
focus of this study.
3.4.1 Construct Validity
It deals with the exact operational measures for the concepts and how these concepts are
operationalised for credible interpretations of collected data (Yin, 2003). For case study
Page 110
95
research in phases 1, 2 & 4, the construct validity was assured by applying the three tactics
suggested by Yin (2003) which are: use of multiple sources of evidence; use of chain of
evidence; and a review of the case study report by the key informants. The interviews, focus
groups and questionnaires were used to provide multiple sources of evidence. This allows
triangulation which helps in developing convergent line of enquiry (Patton, 1987). It also
minimizes the bias created by interview/respondent dialogues. A derivation of evidence from
the initial research questions to conclusion was the part of the research design to provide
chain of evidence. A draft report was sent back to the organization for assessment by the key
informants and asked them to provide a review of the case study report for increasing the
quality of results. The detail is given in corresponding chapters 4, 5, 7 & 8.
For survey research in phase 3, statistical construct validity was assured through convergent
and discriminant validity as proposed by Hair et al., (2006) for correct operational measures.
The detail is given in corresponding chapter 6.
3.4.2 Internal Validity
It deals with the internal design of the research and establishes the rigor with which research
is conducted (Brewer, 2000). Due to exploratory and confirmatory nature of this study,
strategies were developed to collect and analyze data that guided towards the conclusions.
For exploratory study in phases 1, 2 & 4, all relevant evidence were provided and used to
reach the conclusions. Well-established theoretical categories and subcategories from the
relevant literature were used for content analysis. Emerging subcategories during the process
of data analysis were also applied. The detail is given in corresponding chapters 4, 5, 7 & 8.
For confirmatory research in phase 3, a research model was developed to test the correlating
effect of IT governance practices on IT outcomes. The detail is given in corresponding
chapter 6.
3.4.3 External Validity
External validity is the generalisability of a study (Yin, 2003). For case study research in
phases 1, 2 & 4, external validity was assured through the use of considerable number of
Page 111
96
respondents at various management levels that are both IT and business personnel. The detail
is given in corresponding chapters 4, 5, 7 & 8.
For survey research in phase 3, external validity was assured through statistical generalization
i.e. using representative sample from the population. The detail is given in corresponding
chapter 6.
3.4.4 Reliability
Reliability is the consistency of the measurement (Trochim & Donnelly, 2007). For case
study research in phases 1, 2 & 4, the researcher applied case study protocols and databases
as suggested by Yin (2003) to increase the reliability. Important procedures for case design
were outlined and documented. In advance, the research prepared case study overviews,
instruments for data collection, list of evidence and a guide for the report. A case study
database for linking case study notes and documents was established. Moreover, the
interview protocols were developed and used in such a way that these provided same format
and sequence of the questions so that each respondent can understand them in the same way.
The detail is given in corresponding chapters 4, 5, 7 & 8.
For survey research in phase 3, the correctness of the questionnaire was first checked by the
two experts in PakPSOs and then its reliability was checked through pilot study and actual
study as proposed by Fowler (2002). Average variance, Cronbach‟s alpha and composite
reliability measures were used to estimate internal consistency in both cases. The detail is
given in corresponding chapter 6.
3.5 Research Ethics
The purpose of complying ethics in research is to make sure that no one is suffered by the
adverse consequences from the research activities (Cooper & Schindler, 2006). The ethical
standards for doing research were strictly followed by the researcher during the course of this
research study. The obligation of the researcher was not only professional but also ethical to
make wise judgment and use discretion where required to solve the ethical issues as
suggested by Lancaster (2005). The respondents who participated in this research study were
Page 112
97
assured by the researcher that their privacy would be kept intact at all time during and after
the research. The researcher also ensured the conformance of this research study in
accordance to the ethical code of practice in research of Center for Advanced Studies in
Engineering (CASE). A formal application for ethics approval was sent to the respondents
before the data collection phase. Consent of the respondents for their willingness to
participate in the study was sought by the researcher on consent form. An option was given to
each respondent on consent form to withdraw from the data collection phase at any time at
his/her own discretion.
3.6 Chapter Summary
In this chapter, the research methodology applied to conduct this research has been described
in detail. The overall research process undertaken to conduct this research and issues of
validity and reliability have been discussed. The summary of important points of this chapter
is as under:
The main objective of the study was to develop and evaluate an IT governance
implementation framework for PakPSOs using design science research approach. In
order to achieve this objective, the study was broken into four research phases i.e.
research phases 1, 2, 3 & 4. Mixed methods research approach was applied to conduct
this research.
The main purpose of research phase 1 was to assess the existing state of IT
governance in PakPSOs in terms of maturity, previously unidentified, and compare it
with a developed country, a developing country and the international public sector
benchmark for learning, benchmarking and embracing best practices. A multi-case
study approach was applied under interpretive research paradigm to serve this
purpose.
The main purpose of research phase 2 was to identify the relevant IT governance
practices in PakPSOs in terms of CSFs. Systematic literature review process
complemented with multi-case study approach under interpretive research paradigm
was applied to achieve this purpose.
The main purpose of research phase 3 was to investigate the statistical effect of
identified IT governance practices of research phase 2 on IT outcomes in PakPSOs.
Page 113
98
Survey research method under positivist research paradigm was applied to fulfill this
purpose.
The main purpose of research phase 4 was to develop and evaluate an IT governance
implementation framework for PakPSOs. Design science research approach was
applied to accomplish this task. The basic building blocks of the framework were the
IT governance practices identified in research phase 2 and further validated in
research phase 3. The framework was iteratively built. Two iterations were performed
in the development phase and one in the evaluation phase. A multi-case study
approach was applied in the development phase and single case study approach was
applied in the evaluation phase.
The validity and reliability issues in qualitative research in research phases 1, 2 & 4
were addressed through the guidelines provided by (Yin, 2003) i.e. the use of multiple
sources of evidence; use of chain of evidence; and a review of case study report by the
key informants in case of validity and use of case study protocols and databases in
case of reliability.
The validity and reliability issues in quantitative research in research phase 3 were
addressed through convergent and discriminant validity.
This research was undertaken following the ethical standards.
Page 114
99
4 Existing State of IT Governance in Public Sector Organizations of
Pakistan
4.1 Chapter Objectives
This chapter provides the results of research phase 1, discussion on the results and conclusion
made based on the results. The main purpose of research phase 1 was to determine and
analyze the existing state of IT governance in PakPSOs in terms of maturity, previously
unexplored and compare it with a developed country (Australia), a developing country
(Tanzania) and the international public sector benchmark for learning, benchmarking and
embracing best practices. This was paramount to understand the relevant IT governance
context of PakPSOs and explore further research activities in these organizations. This was in
response to the first research question of this study, RQ1: “What is the existing state of IT
governance in PakPSOs?” This was achieved by assessing IT governance maturity in the
selected six PakPSOs based on the 15 most important and public sector relevant IT processes
of COBIT framework. The detailed methodology and research process of this phase is given
in section 3.3.1of chapter 3. The results indicated that PakPSOs performed better than the
developing country (Australia) but poorer than the developed country (Tanzania) and the
international benchmark. Moreover, the weak areas in PakPSOs were also identified for
improvement. The rest of the chapter proceeds as follows. In the second section, data
analysis, results and discussion are provided. The conclusion and further research directions
are given in the third section. Last section provides the summary of important points of this
chapter.
4.2 Results and Discussion
4.2.1 Distribution of the Respondents in the Six Studied PakPSOs
The researcher visited six PakPSOs. A total of 28 respondents participated in the focus group
sessions and interviews. The distribution of the respondents in each studied organization with
mode of data collection is shown in Table 4.1.
Page 115
100
Table 4.1 shows that in each studied PakPSOs, both IT and business management personnel
were among the respondents which provided triangulation i.e. use of data from multiple
sources to increase confidence in the results. A total of 16 IT management and 12 business
management personnel were among the respondents in the six studied PakPSOs. Table 4.1
also shows that focus groups were applied in three PakPSOs only because focus groups were
not feasible or simply denied in other three PakPSOs. Therefore, interviews were conducted
in the remaining three PakPSOs. Five to seven personnel representing both IT and business
management participated in the focus groups and three to five personnel participated in the
interviews in the studied PakPSOs.
Table 4.1: Distribution of the respondents in the six studied PakPSOs
NADRA
Interviews
HEC
Focus group
NTC
Focus group
FBR
Interviews
NITB
Focus group
AGPR
Interviews
Total
IT Management 2 3 3 2 4 2 16
Business Management 1 2 2 1 3 3 12
Total 3 5 5 3 7 5 28
4.2.2 IT Governance Maturity of the Studied PakPSOs
The average maturity levels of the 15 IT processes across the six studied PakPSOs is shown
in Table 4.2. This shows that the average maturity of the six studied PakPSOs was 2.24
ranged from 1.65 to 3.05 and majority of the processes (10 out of 15 or 67%) were above the
maturity level 2. The bottom side was at maturity level 1 (Initial/Ad-Hoc) which represents
that organizations recognized the existence of issues which need to be solved. However, the
issues were not solved through standardized processes but through ad-hoc approaches which
were adopted on individual or case-by-case basis. The top side was at maturity level 2
(Repeatable but Intuitive) (with an exception of the process “DS11- Manage Data” with
maturity level 3.05) which represents that processes had built-up to the extent where different
people executing same tasks pursued similar procedures but revealed the absence of formal
training and communications of standard procedures. A great dependence was on individuals‟
knowledge and errors were expected to be occurred. In conclusion, in order to improve the IT
governance maturity in the PakPSOs and consequently IT governance performance, these
concerns need to be addressed.
Page 116
101
Table 4.2: Average maturity levels of the 15 IT processes across the six studied PakPSOs
IT Process Average Maturity
Level
PO1-Define a Strategic IT Plan 2.42
PO3-Determine Technological Direction 2.31
PO4-Define the IT Process, Organization and Relationships 2.33
PO5-Manage the IT Investment 2.65
PO6-Commuincate Management Aims and Direction 1.65
PO9-Assess and Manage IT Risks 1.80
PO10-Manage Projects 2.40
AI1-Identify Automated Solutions 2.45
AI2-Acquire and Maintain Application Software 1.82
AI6-Manage Changes 1.94
DS1-Define and Manage Service Levels 2.34
DS4-Ensure Continuous Service 2.18
DS5-Ensure System Security 2.36
DS11-Manage Data 3.05
ME1-Monitor and Evaluate IT Performance 1.91
Average maturity levels of 15 IT processes across the six studied
organizations
2.24
4.2.3 Process Level Comparison
Different processes demonstrated different maturity levels and some performed better than
the others.
The process,”DS11-Mange data” performed better than the others. This might be due to the
extra efforts that the government made since a decade to store and preserve government data
and citizens‟ record electronically for better decision making regarding menace of terrorism,
revenue and taxation, higher education and other economic matters. This finding was
consistent with the previous study of a developing country (Nfuka & Rusu, 2010). The other
process that performed relatively better than the others was “PO5- Manage the IT
investment”. This was not a surprising result because in the most studied PakPSOs, almost all
Page 117
102
the IT initiatives are executed in the form of projects through development budget from
Ministry of Planning, Development and Reforms. The ministry also has its own budgetary
mechanism and procedures regarding scrutiny and evaluation. This finding was consistent
with the previous study of a developed country (Liu & Ridley, 2005). Other processes that
performed at or above maturity level 2 were “DS5- Ensure systems security”, “DS1- Define
and manage service levels”, “PO10-Manage projects”, “PO4- Define the IT processes,
organization and relationships”, ”PO1- Define a strategic IT plan”, “AI1- Identify automated
solutions”, “PO3- Determine technological direction”, “DS4- Ensure continuous service”,
“AI6 Manage changes”.
The process,”PO6-Communicate management aims and direction” performed poorly than the
others. This was due to the lack of proper mechanisms for dissemination of information,
control and quality management environment to rest of the organization. Policies, procedures
and standards are inconsistent and restricted to only top management and communicated to
concerned individuals only on ad-hoc basis through informal channels. This finding is almost
consistent with the previous study of a developed country (Liu & Ridley, 2005). Other
process that performed relatively poorer than the others was “PO9-Assess and manage IT
risks”. The reason could be associated with the fact that IT risks are considered through ad-
hoc approaches and depend on project to project basis. Risks are usually defined in project
plan and not assigned to specific individual. Even IT risks such as security, availability and
integrity are not defined in project plan. Day-to-day operations are not discussed in
management meetings. This finding is almost consistent with the previous study of a
developing country (Nfuka & Rusu, 2010). Other processes that performed below maturity
level 2 were “AI2- Acquire and maintain application software” and “M1- Monitor and
evaluate IT performance”.
4.2.4 Domain Level Comparison
Different domains demonstrated different maturity levels and some showed higher maturity
than the others. The domain wise average maturity of the 15 IT processes across the six
studied PakPSOs is shown in Figure 4.1.
We can see that that the domain “Deliver and Support (DS)” showed highest maturity than
the others. This finding is inconsistent to the previous study which revealed that public sector
showed higher maturity in planning domain due to presence of policies and regulations
Page 118
103
(Guldentops et al., 2002). However, the domain “Planning and Organize (PO)” showed
second highest maturity level. It means the PakPSOs were relatively weak in planning than
support. The domain “Monitor and Evaluate (ME)” showed lowest maturity than the others
which means the PakPSOs were weak in performance measurement which was also evident
from a previous study which revealed that PSOs were weak in performance measurement
(Weill & Ross, 2004).
Figure 4.1: Domain wise average maturity of the 15 IT processes in the six studied PakPSOs
4.2.5 Organizational Level Comparison
Different organizations demonstrated different maturity levels and some performed better
than the others. shows the maturity level of each of the six studied PakPSOs based on the 15
IT processes.
Page 119
104
Figure 4.2: Maturity levels of the six studied PakPSOs for the 15 IT processes
We can see from the Figure 4.2 that NADRA showed highest maturity as compared to the
other organizations. This was due to the higher maturity levels of majority of the processes.
The processes “DS11-Manage Data” and “DS5-Ensure System Security” were more mature
than the others. On the other hand, the processes “AI6- Manage Changes” and “AI2- Acquire
and Maintain Application Software” were less mature than the others. The possible reason of
those higher mature processes might be that NADRA has the mandate of national database
and registration. Managing data and related activities are among the core functions of
NADRA. It has a world class system to acquire, store and preserve data related to national
identity as claimed by the sources in NADRA. However change management in NADRA was
less mature which is also a common practice in PSOs due to complex decision making
structures (Sethibe et al., 2007) but low maturity for the process “AI2- Acquire and Maintain
Application Software” was a surprised result. The second mature organization was HEC. The
processes “DS11- Manage Data” and “AI1-Identify Automated Solutions” were more mature
than the others. This might be due to the mandate of HEC to acquire and preserve data of
Page 120
105
universities/institutes of higher education across the country regarding enrolment, degree
verification and attestation, scholarship schemes, digital library etc. and provision of
consultancy about IT based services to universities/institutes. On the other hand, the
processes “DS4-Ensure Continuous Service” and “AI2-Acquire and Maintain Application
Software” were less mature and need to be improved. The average maturity of NTC was 2.33.
The processes “DS11-Manage Data” and “PO10-Manage Projects” were more mature than
the others. This could be due to the mandate of NTC for the provision of data, web hosting
facility and Internet services to all PakPSOs. On the other hand, the processes “DS4-Ensure
Continuous Service” and “AI6-Manage Changes” were less mature. FBR exhibited average
maturity level of 2.08. The processes “DS11-Manage Data” and “DS4- Ensure Continuous
Service” were more mature than the others. This might be due to the mandate of FBR for
provision of revenue and taxation related IT based services. On the other hand, the processes
“PO6- Communicate Management Aims and Direction” and “AI2-Acquire and Maintain
Application Software” were less mature. NITB was restricted to an average maturity level of
1.96. The processes “PO10- Manage Projects” and “PO1-Define a Strategic IT Plan” were
more mature than the others. This could be due to the mandate of NITB to execute IT projects
in PakPSOs as per National Action Plan and the provision of IT consultancy to PakPSOs and
training to government employees. On the other hand, the processes “AI2-Acquire and
Maintain Application Software” and “PO6-Communicate Management Aims and Direction”
were less mature. AGPR performed lowest than the other organizations. The processes
“DS11-Manage Data” and “DS4- Ensure Continuous Service” were more mature than the
others. On the other hand, the processes “PO6- Communicate Management Aims and
Direction” and “PO10- Manage Projects” were less mature. In conclusion, all the studied
PakPSOs except NITB were more mature in managing data but majority of them were less
mature in acquiring and maintaining application software.
4.2.6 Comparison of PakPSOs with Others
Finally, the average maturity of the 15 IT processes across the six studied PakPSOs was
compared with the similar study of the selected PSOs of a developed country (Australia), a
developing country (Tanzania) and internationally across a range of nations. The average
maturity levels of the same 15 IT processes were already measured in the selected Australian
PSOs, Tanzanian PSOs and the public sector across a range of nations by Liu & Ridley
Page 121
106
(2005), (Nfuka & Rusu, 2010) and Guldentops et al. (2002) respectively. As the data for the
studied Australian PSOs is from a 2005 publication, for the studied Tanzanian PSOs is from a
2010 publication and for the studied international public sector benchmark is from a 2002
publication and none of the study used a representative sample of the PSOs of its respective
country, therefore, the numerical comparison could not be made. However, a qualitative
discussion was made for the purpose of comparison of the studied PakPSOs with these three
benchmarks to have an insight into the existing state of IT governance in PakPSOs. The
results of comparison indicated that majority of the processes in the six studied PakPSOs
performed lower than the studied Australian PSOs. However, the process “DS11-Manage
Data” performed similar to the studied Australian PSOs. It means that the studied PakPSOs
are relatively well in managing data and related activities. For other processes, the studied
PakPSOs should learn from the studied Australian PSOs and improve lower performed
processes. Moreover, majority of the processes in the six studied PakPSOs performed lower
than the studied international public sector benchmark. It means that the studied PakPSOs
were still poorer than the studied international public sector benchmark despite a long time
span between the two studies. Therefore, there is an urgent need to improve lower performed
processes in the studied PakPSOs. Two processes “DS11- Manage Data” and “PO5- Manage
the IT Investment” performed better than the studied international benchmark. However, the
process “PO1-Define a Strategic IT Plan” performed similar to the studied international
public sector benchmark. Furthermore, most of the processes in the studied PakPSOs
performed better than the studied Tanzanian PSOs. Among other things, this might also be
due to the time span between the two studies. However, four processes performed lower than
the studied Tanzanian PSOs. Also, the processes “ME1-Monitor and Evaluate IT
Performance” performed similar to the studied Tanzanian PSOs. It means the studied
PakPSOs must pay special focus to lower performed processes because these are less mature
even than a developing country. In conclusion, the studied PakPSOs performed better than
the studied Tanzanian PSOs whereas poorer than the studied Australian PSOs and the studied
international public sector benchmark.
4.3 Conclusion and Further Research
The objective of research phase 1 was “To determine and analyze the existing state of IT
governance in PakPSOs in terms of maturity”. This was achieved by assessing IT governance
Page 122
107
maturity of the selected six PakPSOs in the perspective of a developing country through case
study research method and comparing it with similar studied of a developed country
(Australia), a developing country (Tanzania) and internationally across a range of nations
against a similar benchmark for learning and embracing best practices. The results revealed
that the average maturity levels of the 15 IT processes across the six studied PakPSOs was
2.24 ranged from 1.65 to 3.05 and majority of the processes (10 out of 15 or 67%) were
above the maturity level 2. Majority of the PakPSOs were more mature in managing data but
less mature in acquiring and maintaining application software. The studied PakPSOs
performed poorer than the studied Australian PSOs and the mixed international studied public
sector organizations. However, these performed better than the studied Tanzanian PSOs.
Many processes were identified where public managers in the PakPSOs should focus to
improve IT governance maturity and consequently IT governance performance. This helped
to achieve the first objective of this study i.e. RO1: “To determine and analyze the existing
state of IT governance in PakPSOs in terms of maturity”.
This research phase also provides important implications for both practitioners and academia.
From practitioners‟ point of view, the study provides guidance for decision-makers in
PakPSOs to optimize their IT-related plans and use of scarce resources by directing focus on
weak areas and ultimate improvement in public service delivery. By understanding the
relative importance of IT processes, public managers can prioritize limited resources
accordingly. Moreover, the study provides a reference benchmark of maturity levels of IT
processes in public sector of Pakistan which was previously unavailable. For academia, the
results may be used to broaden the scope of IT processes for successful implementation of IT
governance in the context of PSOs of developing countries.
This study was restricted to only six PakPSOs because others were not at the level of
sufficient IT deployment and hence away from the concept of knowledge-based
organizations. The research can be extended in future by including more PakPSOs because E-
Office suit is being deployed throughout the federal government ministries/divisions.
Moreover, the study is limited to the PSOs of Federal government. This can be extended to
provincial governments‟ organizations because IT investments are also increasingly being
made in these organizations.
Page 123
108
4.4 Chapter Summary
In this chapter, the results of research phase 1 with discussion and conclusion have been
provided in detail. The summary of important points of this chapter is as under:
The average maturity levels of the 15 IT processes of COBIT framework across the
six studied PakPSOs is 2.24 ranging from 1.65 to 3.05 with majority of the processes
above the maturity level 2 which shows that PakPSOs are at repeatable but intuitive
stage.
The process,”DS11-Mange data” performed better than the others whereas he
process,”PO6-Communicate management aims and direction” performed poorer than
the others. This means PakPSOs are better in managing data but poorer in
communicating IT-related plans and strategies.
The domain “Deliver and Support (DS)” showed highest maturity than the others
whereas the domain “Monitor and Evaluate (ME)” showed lowest maturity than the
others. This means PakPSOs are better in delivery and support of IT-related services
but poorer in performance measurement and evaluation.
The average maturity of the 15 IT processes in the studied PakPSOs is lower than the
studied Australian PSOs as a developed country and the studied international public
sector benchmark as well. However, it is higher than the studied Tanzania PSOs as a
developing country. This shows the studied PakPSOs performed poorer than the
studied PSOs of a developed country and international public sector benchmark.
However, these performed better than the studied PSOs of a developing country.
The aforesaid findings of the study not only provide an in-depth understanding of IT
governance context of PakPSOs but also the need for further researcher to implement
effective IT governance in this environment.
Page 124
109
5 IT Governance Practices in Public Sector Organizations of Pakistan
5.1 Chapter Objectives
This chapter provides the results of research phase 2. The main purpose of this phase was to
identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs,
previously unidentified. This was in response to the second research question of this study,
RQ2: “Which IT governance practices are relevant to PakPSOs?” This was achieved by
identifying IT governance CSFs through systematic literature review complemented with
multi-case study in the selected eight PakPSOs. The detailed methodology and research
process of this phase is given in section 3.3.2 of chapter 3. The results indicated that 12 IT
governance practices in terms of CSFs were found to be relevant to PakPSOs. The rest of the
chapter proceeds as follows. In the second section, the results of systematic literature review
are presented. In the third section, IT governance practices are operationalised in PakPSOs.
The fourth section describes the categorization of identified IT governance practices.
Discussion is made in the fifth section. Conclusion is given in the sixth section. Last section
provides the summary of important points of this chapter.
5.2 Results of Systematic Literature Review
5.2.1 Accepted CSFs Related Articles
A total of 55 CSFs related articles were identified from the relevant literature based on the
criteria provided in stages 1 & 2 of section 3.3.2.3. Subsequently, the identified articles were
carefully reviewed based on the quality criteria described in stage 4 of section 3.3.2.3. As a
result, 18 CSFs related articles were found to be more relevant and hence accepted for this
study. Table 5.1 shows the accepted CSFs related articles.
Page 125
110
Table 5.1: The accepted CSFs related articles
Title No. of CSFs
Author(s) Years
Journal/Conference/Website
Enablers and Inhibitors of Business-IT Alignment 6 Luftman et al. (1999) Communications of the Association for Information Systems
Critical Success Factors in the Alignment of IS Plans with Business Plans 18 Teo and Ang (1999) International Journal of Information Management
Designing Information Technology Governance Processes: Diagnosing
Contemporary Practices and Competing Theories
4 Ribbers et al. (2002) Proceedings of the 35th Hawaii International Conference on
System Sciences
Board Briefing on IT Governance 11 ITGI (2003) https://www.oecd.org/site/ictworkshops/year/2006/37599342.pdf
Key Success Factors for Implementing IT Governance: Let's Not Wait for
Regulators to Tell Us What to Do
5 Guldentops (2004) Information Systems Control Journal
Don't Just Lead, Govern: How Top-Performing Firms Govern IT 8 Weill (2004) MIS Quarterly Executive
IT Governance in Practice: Insight from Leading CIOs 6 PwC and ITGI
(2006)
http://www.pwc.com/ca/en/technology/publications/it-
governance-in-practice-2006-en.pdf
Implementing Centralized IT Service
Management: Drawing Lessons from the Public Sector
10 Tan et al. (2007) 18th Australasian Conference on
Information Systems
Enhancing IT Governance Practices: A Model and Case Study of an
Organization's Efforts
4 Bowen et al. (2007) International Journal of Accounting
Information Systems
An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research
10 De Haes and Van Grembergen (2008)
Communications of the Association of the Information Systems
Establishing Good IT Governance in the Public Sector 5 Hoch and Payan
(2008)
http://www.mckinsey.de/downloads/publikation/transforming_go
vernment/2008/0803_TG_it_governance.pdf
Justifications, strategies, and critical success factors in successful ITIL
implementations in U.S. and Australian companies: An exploratory study
9 Pollard and Cater-
Steel (2009)
Information Systems Management
Critical Success Factors for Effective IT Governance in the Public Sector
Organizations in a Developing Country: The Case of Tanzania
11 Nfuka and Rusu
(2010)
18th European Conference on Information Systems
Critical Success Factors in IT Alignment in Public Sector Petroleum
Industry of India
9 Aggarwal (2010) International Journal of Innovation, Management and
Technology
Critical Success Factors for ITIL Best Practices Usage 12 Nenickova (2011) Economics and Management
Critical Success Factors for Business – IT Alignment: A Review of Current
Research
10 Kurti et al. (2013) Romanian Economic and Business Review
The Critical Success Factors for Effective ICT Governance in Malaysian
Public Sector: A Delphi Study
27 Razak and Zakaria
(2014)
International Journal of Social, Behavioral, Educational,
Economic, Business and Industrial Engineering
Critical success factors (CSFs) or information technology governance (ITG)
15 Alreemy et al. (2016) International Journal of Information Management
Page 126
111
5.2.2 Harmonization of CSFs from the Accepted Articles
The CSFs in the 18 finalized papers were logically harmonized based on the criteria provided
in stage 4 of section 3.3.2.3. This resulted in a list of 23 CSFs. Table 5.2 shows the list of 23
CSFs with their reference studies from which these have been extracted.
Page 127
112
Table 5.2: Harmonization of CSFs from the accepted articles
Alr
eem
y e
t al
.
(20
16)
Raz
ak a
nd Z
akar
ia
(20
14)
Ku
rti
et a
l. (
20
13)
Nen
ick
ova
(20
11
)
Ag
gar
wal
(2
01
0)
Nfu
ka
and R
usu
(20
10)
Po
llar
d a
nd C
ater
-
Ste
el (
20
09)
Ho
ch a
nd P
ayan
(20
08
)
De
Hae
s an
d V
an
Gre
mber
gen
(2
00
8)
Bo
wen
et al
.
(20
07
)
Tan
et
al.
(20
07)
Pw
C a
nd I
TG
I
(20
06)
Wei
ll (
20
04
)
Gu
lden
top
s (2
00
4)
ITG
I (2
00
3)
Rib
ber
s et
al.
(20
02)
Teo
and
Ang
(19
99)
Lu
ftm
an e
t al
.
(19
99)
Top management support X X X X X X X X X X
Alignment between IT and business strategy X X X X X X X X
IT demonstrates leadership X X X X X X X X X
Adequate stakeholders involvement X X X X X X X
Effective communication between IT and business X X X X X X X X X
Regulatory environment and compliance requirements X X X
Existing governance and transparency X X X X X
Organizational culture X X
Financial support X X
Adequate IT skills and staff X X X X X X X X
Performance measurement and aligned incentives X X X X X X X X X X X
Change management and exception handling X X X X X X X
Well prioritized IT Projects X X X X
Clear IT strategy, principles & policies X X X X X X X X X
Clear roles and responsibilities X X X
IT governance awareness and understanding X X X X X
IT structures to ensure accountability and flexibility to the IT
organizational needs
X X X X X X X X X X X
Risk identification and mitigation process X X X
Standardized and managed IT infrastructure & applications
to optimize costs and information flow
X X X X X X X
IT skills and knowledge of business executives/personnel X X X X X
Business skills and knowledge of IT executives/personnel X X X X
Mutual trust and respect between business and IT
executives/personnel
X X X
Shared understanding between business and IT executives/personnel
X X X X
Note: an “X” indicates that the factor is present in the mentioned article
Page 128
113
5.3 Operationalization of CSFs in PakPSOs
5.3.1 Distribution of the Respondents in the Eight Studied PakPSOs
The researcher visited eight PakPSOs. A total of 18 senior managers participated in the
interview process. The respondents were mainly heads of IT and business units, directors and
deputy directors of IT and business. Both IT and business management personnel were
among the respondents which provided triangulation i.e. use of data from multiple sources to
increase confidence in the results. The distribution of the respondents in each studied
organization is shown in Table 5.3. A total of 10 IT management and 8 business management
personnel participated from the eight studied PakPSOs.
Table 5.3: Distribution of the respondents in the eight studied PakPSOs
Org. A Org. B Org. C Org. D Org. E Org. F Org. G Org. H Total
IT Management 2 2 1 1 1 1 1 1 10
Business Management 1 1 1 1 1 1 1 1 8
Total 3 3 2 2 2 2 2 2 18
5.3.2 Quantitative Response
The results of the quantitative response of the interviewees are shown in Figure 5.1. It shows
that 16 practices had scores equal to or above 80 percent which made them critical in this
environment. The rest of the practices had scores below 80 percent which made them not so
much critical. Therefore, these practices were dropped. The results also shows that the
practice “IT demonstrates leadership” with score 95 percent is at top of the list followed by
“effective communication between IT and business” with score 94 percent and “adequate
stakeholder involvement” with score 93 percent. However, the practice “shared
understanding between business and IT executives and personnel” with score 81 percent is at
bottom of the list. The seven practices showed scores less than 80 percent which means
majority of the respondents were not in the favor of these practices as considering them CSFs
Page 129
114
and hence these practices were dropped from the study. One possible reason might be the fact
that these practices are not relevant to PakPSOs or not implemented in this environment.
Figure 5.1: IT governance practices based on the quantitative response of the interviewees in the eight
studied PakPSOs
81
81
82
83
83
85
86
88
90
90
91
91
92
93
94
95
70 75 80 85 90 95 100
Business skills and knowledge of IT executives/personnel
Shared understanding between business and IT executives/personnel
Regulatory environment and compliance requirements
Well prioritized IT projects
IT structures to ensure accountability and flexibility to the IT organizational needs
Risk identification and mitigation process
Clear IT strategy, principles & policies
Adequate IT skills and staff
Alignment between IT and business strategy
Standardized and managed IT infrastructure & applications to optimize costs and …
IT governance awareness and understanding
Top management support
Performance measurement and aligned incentives
Adequate stakeholders involvement
Effective communication between IT and business
IT demonstrates leadership
Page 130
115
5.3.3 Qualitative Response
The qualitative response of the interviewees was then sought through face-to-face interviews
on the IT governance practices list of Figure 5.1. The analysis was made through content
analysis. After the process, three practices have dropped from the list, two have merged into a
new one and 11 have adjusted/updated as per their contextual arrangements. Here is a brief
description of interviewees‟ response.
One of the respondents responded that “the practice „IT demonstrates leadership‟ should be
updated by „IT leadership‟. In this way, the term becomes more understandable and self-
explanatory in our environment. In our organization, this practice is more crucial due to
bureaucratic environment and lack of IT knowledge and understanding of IT contribution by
the top civil servants. I think „IT leadership‟ matters much in our organizational setting and
we have gained a lot due to our new IT leadership”. The similar response was given by
another respondent. Three more respondents declared this practice useful in their
organizational settings.
Three respondents expressed their concerns that the practices “effective communication between
IT and business” and “shared understanding between business and IT executives/personnel” seem to
be identical or at least their purpose seems to be identical. Therefore, these practices were merged into
a new one named “IT/business communication and partnership” and same was approved by the said
respondents. Majority of the respondents declared this practice extremely crucial in their business
settings.
One respondent argued that “the practices „adequate stakeholders involvement‟ should be updated by
„engagement of key stakeholders‟ because there are numerous stakeholders in public sector and it is
almost impossible to involve all of these stakeholders. Moreover, their engagement is important than
involvement”. This was also verified by another respondent. Almost all of the respondents declared
this practice inevitable for success of IT in their respective organizations and same was confirmed by
their archival records.
One of the heads of business said that “the practice „performance measurement and aligned
incentives‟ is not suitable because there is no concept of providing incentives like promotions and
increments in salaries on performance basis in PakPSOs as per Constitution rather it is on seniority
basis. So, incentive is a broad and confusing word. The practice should be like this „performance
measures and benchmarks‟”. However, he confirmed that this practice is very much important for
success of IT in his organization. Three more respondents also confirmed the presence of this practice
in their respective organizations which were also verified by their archival records.
Page 131
116
The practice “IT governance awareness and understanding” was replaced by “IT governance
awareness and training” on the intimation of one of the respondents. However, only two
respondents confirmed the presence of this practice in their respective organizations. The
same was evident from their archival records.
One of the heads of IT said “not only „top management support‟ is critical but their active
involvement in IT-related matters is also important for success”. He suggested that this
practice should be like this “senior management involvement and support”. He agreed that
without this practice, their IT initiatives could not be materialized. This was also confirmed
by three more respondents.
One of the respondents replied the interviewer that the practice “alignment between IT and
business strategy” should be replaced by “defined, aligned and cascaded IT and business
strategies” because some of the PakPSOs even not have IT strategy. If they have, then they
do not communicate it down to the organization. However, he said that this practice is active
in his organization which was also confirmed by the archival records of the organization.
Four more respondents confirmed that this practice is exercised in their respective
organizations.
One of the directors IT suggested that “the practice „standardized and managed IT infrastructure &
applications to optimize costs and information flow‟ should be restricted up to „standardized and
managed IT infrastructure & applications‟ because the purpose of this practice is obvious which is to
optimize costs and information flow‟. Therefore, there is no need to explain it further”. He also
confirmed that his organization is striving for this practice. Three more respondents revealed that their
organizations are also very keen in focusing on this practice.
Majority of the respondents declared that the practice “adequate IT skills and staff” is a need of the
hour in their respective organizations. One of the respondents added that retaining of IT skills and
staff is an inherent problem in government sector due to good salaries in private sector. He further
added that although cloud computing has solved the issue of IT services and support to some extent
but PakPSOs are still in early stages in this regard. Another respondent suggested that practice should
be “competitive IT professionals” to provide the more clear meaning to the term. Therefore, the
practice was replaced by “competitive IT professionals”.
Many respondents showed their concerns on the name of the practice “clear IT strategy, principles &
policies“. They agreed that the name of the practice should be “policies and guidelines for optimal
acquisition and use of IT”. However, all respondents confirmed the presence of this practice in their
respective organizations which was also evident from their archival records. All PakPSOs follow
Public Procurement Regulatory Authority (PPRA) guidelines for this purpose.
Page 132
117
One of the respondents argued that the practice “risk identification and mitigation process” should be
updated by “risk identification and mitigation mechanism” because this practice is hardly
implemented in PakPSOs in the form of proper process. However, he confirmed the presence of this
mechanism in his organization which was also verified from archival records of his organization. Two
more respondents confirmed this practice in their respective organization to some extent.
The practice “IT structures to ensure accountability and flexibility to the IT organizational
needs” was updated by “IT structures for responsiveness and accountability” on the
suggestion of one of the respondents. Five respondents were satisfied by the existing IT
structures in their respective organizations but three were unsatisfied. However, all the
respondents agreed that this practice is crucial for implementing effective IT governance in
PakPSOs.
No respondent confirmed the presence of “well prioritized IT projects”, “business skills and
knowledge of IT executives/personnel” and “regulatory environment and compliance requirements”
in their respective organization or declared them crucial for implementing IT governance in
their operating environment. It is worthy to mention that no new practice has been emerged in
PakPSOs because the specific practices in some of the PakPSOs also fall under the aforesaid
studied practices. However, PakPSOs use these practices with different names. The results of
the summarized qualitative response of the interviewees after content analysis are shown in
Table 5.4.
Page 133
118
Table 5.4: The summarized qualitative response of the interviewees
Contextualized practice No. of studied PakPSOs in which the practice is
implemented
IT leadership 5 (B, C, D, F, H)
IT/business communication and partnership 6 (A, B, C, F, G, H)
Engagement of key stake holders 7 (A, B, C, D, F, G, H)
Performance measures and benchmarks 4 (B, C, D, F)
IT governance awareness and training 2 (B, H)
Senior management involvement and support 4 (A, B, E, G)
Defined, aligned and cascaded IT and business
strategies
5 (A, B, D, E, H)
Standardized and managed IT infrastructure &
applications
4 (B, C, D, E)
Competitive IT professionals 6 (A, B, D, E, F, H)
Policies and guidelines for optimal acquisition
and use of IT
8 (A, B, C, D, E, F, G, H)
Risk identification and mitigation mechanism 3 (B, E, G)
IT structures for responsiveness and
accountability
5 (A, B, D, E, F)
5.4 Classification of the Identified IT Governance Practices
After having a comprehensive literature review, the reseacher found many categorization
schemes for CSFs arrangement. The simplest scheme contained only two dimensions i.e.
internal and external (Zahedi, 1987), qualitative and quantitative (Keen & Scot Morton,
1978), and controllable and uncontrollable (Ein-Dor & Segev, 1978). The simplicity of two
dimensional scheme was then improved by some researchers and resulted in three
dimensional scheme i.e. quality of implementation, user-system fit and organizational fit
(Ginzberg, 1980), inherent, developmental and functional (Dickinson et al., 1984). Later on,
more complex categorization schemes were introduced by other researchers i.e. system, task,
user and environment factors (Liang, 1986), and information system, task characteristics,
decision maker, organizational context (Lee, 1989). However, Nfuka and Rusu (2010)
categorized the CSFs for effective IT governance into five focus areas of ITGI (2007),
adopting a holistic approach, which are: strategic alignment, value delivery, risk
Page 134
119
management, resource management, and performance measurement. Moreover, Schlosser et
al. (2012) introduced three dimensions of IT-business alignment which are: human, social,
and intellectual. The human perspective deals with the characteristics of individuals such as
knowledge, skills, leadership and attitude. The social perspective deals with relational,
informal and cultural aspects. The intellectual perspective deals with the end products and
deliverables resulting from the work of individual and group of people.
This study adopts the categorization schemes of Nfuka and Rusu (2013) and Schlosser et al.
(2012) simultaneously. The practices (CSFs) of this study are arranged in such a way that on
one hand they cover the five focus areas of ITGI (2007) and on the other hand they cover the
three IT-business alignment perspectives described by Schlosser et al. (2012). In this way, the
practices provide a holistic view of IT governance. The arrangement of practices in five focus
areas of IT governance and three perspectives of IT-business alignment is shown in Table
5.5.
Table 5.5: Classification of the identified practices into five focus areas and three perspectives of IT-
business alignment
IT-business alignment
perspective IT governance
focus area
Human perspective Social perspective Intellectual
perspective
Strategic alignment IT leadership
IT/business
communication and partnership
Defined, aligned and
cascaded IT and business
strategies
Senior management
involvement and support
Engagement of key
stakeholders
IT structures for
responsiveness and accountability
Value delivery &
risk management
Policies and
guidelines for optimal
acquisition and use of IT
Risk identification
and mitigation mechanism
Resource management IT governance
awareness and training
Standardized and
managed IT
infrastructure and applications
Competitive IT
professionals
Performance measurement Performance
measures and
benchmarks
Page 135
120
5.5 Discussion
The identified 12 IT governance practices in PakPSOs are discussed along three IT-business
alignment perspectives i.e. human, social and intellectual perspectives.
5.5.1 Practices Related to Human Perspective
IT Leadership
This practice showed 95 percent score in the quantitative response which indicates that the
practice is vital in the study environment. The results of qualitative response also showed that
the practice is crucial and exercised in five PakPSOs. De Haes and Van Grembergen, (2008)
declared this practice among the top 10 minimum baselines practices for effective IT
governance. The practice is crucial to lead IT and manage transformation program. Among
many other things, IT leadership looks into the potential & contribution of IT and
demonstrates viable IT value proposition to the executive management and politicians.
Senior Management Involvement and Support
The respondents provided 91 percent score to this practice in the quantitative response which
indicates its importance in the study environment. This is also supported by the qualitative
response where the practice declared essential and exercised in four studied PakPSOs. The
use of this practice is also supported by many previous studies (Alqahtani, 2017; Nfuka &
Rusu, 2010; Tan et al., 2009; Ndou, 2004). The need is even enlarged in the context of
developing countries which requires strong political support for strategic use and
management of IT (Nfuka & Rusu, 2010). Tan et al. (2009) argued that top management
commitment and practices also get great deal of attention among users.
Page 136
121
IT Governance Awareness and Training
This practice gained 91 percent score in the quantitative response. The results of qualitative
response also mentioned its importance in the study environment. However, this practice is
exercised in the two studied PakPSOs only which indicates the urgent need for provision of
IT governance awareness and training in this environment. PakPSOs should focus on this
practice to achieve success. The practice is also supported by the study of Nfuka and Rusu
(2010) where this practice referred to as the mindset change and competency improvement.
Competitive IT Professionals
The respondents granted 88 percent score in the quantitative response and agreed on its
importance in the qualitative response as well. The results indicated that this practice is
exercised in six PakPSOs. This practice is also supported by the study of Peterson (2004)
where it referred to as the engine of innovation, optimization and performance.
5.5.2 Practices Related to Social Perspective
IT/business Communication and Partnership
This practice acquired 94 percent score in the quantitative response and its criticality also
confirmed in the qualitative response. The results indicated that the practice is vital in the
study environment and is exercised in six PakPSOs. This practice is also supported and
declared crucial and imperative by Luftman et al. (1999).
Engagement of Key Stakeholders
This practice showed 93 percent score in the quantitative response and also declared
imperative by the qualitative response in the study environment. The results revealed that the
practice is exercised in seven studied PakPSOs. The need of this practice is even enlarged in
Page 137
122
PSOs due to the presence of numerous stakeholders with competing needs than their private
counterparts (Dawes et al., 2004).
5.5.3 Practices Related to Intellectual Perspective
Defined, Aligned and Cascaded IT and Business Strategies
This practice acquired 90 percent score in the quantitative response which indicates its
importance in this environment. The results of qualitative response showed that the practice is
crucial and exercised in five PakPSOs. It is also supported by a previous study (Nfuka &
Rusu, 2011) which revealed that defined, aligned and well-communicated IT and business
strategies down into the organization have positive effect on successful IT governance
implementation.
IT Structures for Responsiveness and Accountability
IT structure refers to the presence of responsible functions and clear roles & responsibilities
for IT decision-making (De Haes & Van Grembergen, 2006). This practice showed 83
percent score in the quantitative response which indicates its criticality in the study
environment. The results of qualitative response also showed that the practice is crucial and
exercised in five PakPSOs.
Risk Identification and Mitigation Mechanism
This practice involves analyzing and assessing IT risks, monitoring efficiency of internal
controls and implementing necessary mechanisms to minimize risks. The respondents granted
85 percent score to this practice in the quantitative response which shows its importance in
the study environment. However, the results of qualitative response showed that although the
practice is crucial but exercised in three PakPSOs only. This shows that PakPSOs are weak in
identifying and mitigating risks. PakPSOs should improve this area for better results
regarding successful implementation of effective IT governance.
Page 138
123
Policies and Guidelines for Optimal Acquisition and Use of IT
This practice gained 86 percent score in the quantitative response and its criticality also
established in the qualitative response in the study environment. The results indicated that
this practice is exercised in all of the studied PakPSOs. The same is reflected in another study
by Weill (2004) in which he argued that this practice is crucial to institute and enforce best
practices throughout the organization for clear processes, methods and frameworks to
encourage desirable behavior and create and preserve optimal value of IT.
Standardized and Managed IT Infrastructure & Applications
This practice showed 90 percent score in the quantitative response which indicates that the
practice is vital in the study environment. The results of qualitative response also showed that
the practice is crucial and exercised in four PakPSOs. This practice is also declared
imperative by Peterson (2004) who argued that the provision and management of a
standardized and reliable IT infrastructure and applications lead towards successful IT
governance implementation.
Performance Measures and Benchmarks
This practice gained 92 percent score in the quantitative response which revealed its
importance in implementing effective IT governance in the study environment. Moreover, the
qualitative response showed that the practice is imperative and exercised in four PakPSOs.
This practice is considered as an integral part of effective IT governance (Weill, 2004).
Among other things, this practice deals with the performance of processes, resources and
public service delivery. One way to implement this practice is the use of BSC.
5.6 Conclusion
The objective of research phase 2 was “To identify and analyze the relevant IT governance
practices in PakPSOs in terms of CSFs”. This was achieved by identifying and analyzing IT
Page 139
124
governance practices in terms of CSFs relevant to PakPSOs through systematic literature
review complemented with multi-case study in the selected eight PakPSOs. A total of 55
research articles were reviewed out of which 18 found to be fitted to the study‟s quality
criteria and hence accepted. The CSFs of the accepted articles were logically harmonized into
a list of 23 CSFs. Further, the list 23 CSFs was operationalised in the eight selected PakPSOs
through case study research. After the data analysis, it was found that the studied PakPSOs
mainly exercise 12 CSFs in their operating environment. Specific practices with different
names in some of the studied PakPSOs also fall under these 12 CSFs. The finalized set of
CSFs then categorized into five focus areas of IT governance i.e. strategic alignment, value
delivery, risk management, resource management and performance measurement and three
perspectives of IT-business alignment i.e. human, social and intellectual perspectives to
provide a holistic view of IT governance. The results indicated that majority of the practices
fall under strategic alignment focus area of IT governance and intellectual perspective of IT-
business alignment. This shows that PakPSOs have more concerns in these areas. This
research phase sheds light on contextualized practices for implementing effective IT
governance in PakPSOs. The results indicated that all of the studied PakPSOs exercise these
practices or a set of these practices in their operating environment and consider these
practices effective for success of IT. The results also revealed that the identified CSFs are
slightly different to the existing studies i.e. studies in developed countries and private sector.
This shows that IT governance is a contextual phenomenon. This helped to achieve the
second research objective of this study i.e. RO2: “To identify and analyze the relevant IT
governance practices in PakPSOs in terms of CSFs”.
This research phase also contributes to the practice and existing body of knowledge in a
several ways. Public managers in PakPSOs and similar environment can use the results of
this study to recognize critical areas where focus can be given for success. Ultimately, they
can invest their resources and time to improve areas which are central to the organizational
success and successful public service delivery. Theoretically, the study has broadened the
scope of IT governance practices in terms of CSFs in the PSOs of a developing country. The
study was restricted to one country and eight organizations. Future researchers can extend it
to more countries and more organizations to enhance the replicability of results. Moreover,
they can test and analyze the effect of these practices on their specific IT outcomes i.e.
desirable behavior.
Page 140
125
5.7 Chapter Summary
In this chapter, the results of research phase 2 with discussion and conclusion have been
provided in detail. The summary of important points of this chapter is as under:
23 IT governance practices in terms of CSFs from the relevant literature have been
operationalised and validated in eight PakPSOs.
12 IT governance practices with some modifications found to be relevant to PakPSOs.
The practice “Policies and guidelines for optimal acquisition and use of IT” is vital for and
exercised in all of the studied PakPSOs.
The practice “Risk identification and mitigation mechanism” is vital for but exercised
only in three studied PakPSOs.
Specific IT governance practices in PakPSOs are exercised with different names.
However, each of these practices fall under one of the studied practices.
The identified practices can be categorized into five focus areas of IT governance i.e.
strategic alignment, value delivery, risk management, resource management and
performance measurement and three perspectives of IT-business alignment i.e.
human, social and intellectual perspectives.
Categorization of practices into IT governance focus areas and IT-business alignment
perspectives provides a holistic view of IT governance.
Six practices belong to strategic alignment and human, social and intellectual
perspectives.
Two practices belong to value delivery & risk management and intellectual
perspective.
Three practices belong to resource management and human perspective whereas one
belongs to resource management and intellectual perspective.
One practice belongs to performance measurement and intellectual perspective.
Public managers in PakPSOs and similar environment can use the results of this study
to recognize critical areas where focus can be given for success.
Page 141
126
6 Effect of IT Governance Practices on IT Outcomes in Public Sector
Organizations of Pakistan
6.1 Chapter Objectives
This chapter presents the results of research phase 3. The main purpose of this phase was to
test and analyze the effect of relevant IT governance practices in terms of CSFs on IT
outcomes in terms of task, organizational and public outcomes of strategic IT projects in
PakPSOs. This was in response to the third research question of this study, RQ3: “What is the
effect of relevant IT governance practices on IT outcomes in PakPSOs?” This was achieved
by developing a research model based on the CSFs identified in the research phase 2 and
applying PLS-based structural equation modeling using sample data from PakPSOs. The
detailed methodology and research process of this phase is given in section 3.3.2 of chapter 3.
The results indicated that the identified practices have small to moderate effect on IT
projects‟ outcomes. The practice “IT/business communication and partnership” found to be
the most effective whereas the practice, “IT structures for responsiveness and
accountability” proved to be the least effective. The rest of the chapter proceeds as follows.
In the second section, results are presented. In the third sections, discussion is made.
Conclusion is provided in the fourth section. Last section provides a summary of the
important points of this chapter.
6.2 Results
6.2.1 Sample Characteristics
A total of 104 completed questionnaires were returned by the respondents out of 200 sent out.
This also included those that were received after sending two reminders to the non-
respondents of first and second rounds. In this way, the response rate is 52 percent. The
distribution of respondents based on their role, experience & qualification is given in Table
6.1. It shows that 18 were senior IT executives, 30 were Directors/Deputy Directors (IT), 40
Page 142
127
were Project Directors/Managers/Coordinators and 16 were key project users. Table 6.1 also
shows the respondents‟ experience in using and managing IT which was above five years on
average and familiarity with IT governance was at level four on a five point Likert scale. As
for as academic qualification of the respondents is concerned, 66 were master degree holder,
30 had bachelor degree and 8 were below the bachelor degree. The non-response bias was
tested by comparing early and late responses against key sample characteristics i.e.
respondents‟ demographics (academic qualification, role in the organization, and experience
in managing IT and IT projects and familiarity with IT governance). The results indicated no
significant differences.
Table 6.1: Sample characteristics
Frequency Percentage
Role in organization (n=104)
Senior IT executives 18 17.30
Directors/Deputy Directors (IT) 30 28.85
Project Directors/Managers/Coordinators 40 38.46
Key project users 16 15.39
Experience* Median
Experience of managing IT in general 5
Experience of managing IT projects 5
Familiarity with ITG 4
Qualification
Master degree 66
Bachelor degree 30
Others 8
* On a five-point Likert scale (1 – not at all, 5 – beyond five years); (1 – not at all, 5 – to a great
extent).
6.2.2 Testing the Measurement Model
The measurement model was tested through convergent and discriminant validity.
Convergent validity is tested through indicator reliability (item loading), internal consistency
reliability (composite reliability), AVE, Cronbach‟s alpha coefficient and t-value of outer
loading. Table 6.2 shows the values of these measurements emerged from the data. The
Page 143
128
lowest item loading is 0.638 which is above the minimum required value of 0.4 (Hair et al.,
2006). The composite reliability is in range 0.818-0.952, AVE is in range 0.531-0.848 and
Cronbach‟s alpha is in range 0.718-0.937 which all are above the minimum thresholds of 0.5,
0.5 and 0.7 respectively (Gefen & Straub, 2005). The t-values of outer loading for all
indicators are also greater than 1.96 at 5% significant levels.
Discriminant validity was tested in two steps. In the first step, the items cross loading was
examined on other constructs. Discriminant validity is established when items cross loading
are lower than the loading on their own constructs (Gefen & Straub, 2005). In our case, items
cross loading were lower than the loading on their own constructs as given in Appendix-X. In
the second step, discriminant validity was tested through the criteria provided by Fornell and
Larcker (1981) i.e. square root of AVE between constructs and its measures is ≥ to other
constructs. Table 6.3 shows that discriminant validity was established because the square root
of AVE between constructs and its measures was greater than the corresponding inter-
correlations.
Table 6.2: Measurement of constructs and indicators (with reliabilities)
Latent construct Indicators Factor loading
(t-values)
Composite
Reliability
AVE Cronbach‟s
alpha
V1 (3 items) V1.1 0.892 (89.897) 0.911 0.774 0.854
V1.2 0.907 (89.335)
V1.3 0.838 (36.897
V2 (4 items) V2.1 0.740 (17.745) 0.854 0.593 0.777
V2.2 0.785 (37.693)
V2.3 0.782 (26.008)
V2.4 0.774 (31.081)
V3 (5 items) V3.1 0.904 (77.892) 0.946 0.777 0.929
V3.2 0.880 (59.872)
V3.3 0.878 (57.016)
V3.4 0.863 (49.701)
V3.5 0.882 (57.725)
V4 (3 items) V4.1 0.918 (108.453) 0.941 0.842 0.907
V4.2 0.920 (99.258)
V4.3 0.915 (88.766)
V5 (5 items) V5.1 0.912 (93.543) 0.951 0.795 0.936
V5.2 0.880 (62.578
V5.3 0.883 (67.285)
V5.4 0.882 (66.569)
V5.5 0.902 (73.700)
V6 (5 items) V6.1 0.898 (72.025) 0.950 0.791 0.934
V6.2 0.885 (51.946)
V6.3 0.892 (46.904)
V6.4 0.908 (78.937)
V6.5 0.865 (45.072)
Page 144
129
Table 6.2 Continued…
Latent construct Indicators Factor loading
(t-values)
Composite
Reliability
AVE Cronbach‟s
alpha
V7 (5 items) V7.1 0.916 (88.251) 0.952 0.799 0.937
V7.2 0.889 (68.767)
V7.3 0.876 (61.672)
V7.4 0.884 (68.158)
V7.5 0.902 (81.334)
V8 (3 items) V8.1 0.886 (76.048) 0.911 0.774 0.854
V8.2 0.885 (57.282)
V8.3 0.868 (49.730)
V9 (3 items) V9.1 0.923 (102.718) 0.926 0.806 0.879
V9.2 0.894 (75.511)
V9.3 0.875 (63.872)
V10 (3 items) V10.1 0.914 (91.550) 0.944 0.848 0.911
V10.2 0.928 (101.355)
V10.3 0.921 (113.733)
V11 (3 items) V11.1 0.896 (68.887) 0.908 0.767 0.848
V11.2 0.876 (77.528)
V11.3 0.854 (47.999)
V12 (4 items) V12.1 0.692 (17.620) 0.818
0.531
0.718
V12.2 0.638 (11.524)
V12.3 0.772 (17.240)
V12.4 0.800 (21.692)
Task outcomes (7items)
TO1 0.716 (17.191) 0.890 0.536 0.856
TO2 0.739 (23.849)
TO3 0.751 (26.503)
TO4 0.780 (30.314)
TO5 0.733 (19.263)
TO6 0.732 (19.287)
TO7 0.671 (15.142)
Organizational outcomes
(6 items)
OO1 0.755 (21.151) 0.912 0.635 0.884
OO2 0.821 (34.546)
OO3 0.819 (32.449)
OO4 0.864 (50.963)
OO5 0.809 (29.338)
OO6 0.704 (16.413)
Public outcomes
(5 items)
PO1 0.709 (17.475) 0.885 0.607 0.836
PO2 0.757 (23.575)
PO3 0.856 (42.450)
PO4 0.796 (32.002)
PO5 0.756 (23.109)
Criteria Loading > 0.40 t > 1.96 at 5%
significance level
>0.50 >0.50 >0.70
Page 145
130
Table 6.3: Inter-correlation of constructs and the corresponding square root of AVE
V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12
V1 0.880
V2 0.581 0.770
V3 0.217 0.425 0.881
V4 0.655 0.603 0.358 0.918
V5 0.431 0.482 0.359 0.470 0.892
V6 0.333 0.346 0.121 0.434 0.412 0.889
V7 0.390 0.396 0.189 0.508 0.366 0.253 0.894
V8 0.506 0.546 0.290 0.611 0.503 0.378 0.511 0.880
V9 0.524 0.576 0.438 0.622 0.490 0.450 0.549 0.530 0.898
V10 0.528 0.557 0.575 0.613 0.451 0.356 0.479 0.537 0.591 0.921
V11 0.503 0.531 0.419 0.606 0.612 0.494 0.505 0.600 0.638 0.563 0.876
V12 0.565 0.502 0.265 0.528 0.421 0.567 0.336 0.344 0.486 0.433 0.458 0.729
6.2.3 Testing the Structural Model and Hypotheses
The structural model is used for hypotheses test. It is tested through variance (R2) and path
coefficients and their significance. We calculated the effect of 12 IT governance practices on
task, organizational and public outcomes in one step instead of three separate steps. The
variance (R2) and strength & significance of path coefficients are shown in Table 6.4. As
given in Table 6.4, 83.5 percent variance in task outcomes, 56.6 percent variance in
organizational outcomes and 81.1 percent variance in public outcomes can be explained by
12 IT governance practices which are above the cutoff value of 50 percent (Hair et al., 2006).
The path coefficient strength (γ) and significance (t-value) generated by Smart PLS
bootstrapping with 5000 samples are given in Table 6.4.
The practice with most positive effective is “IT/business communication and partnership”. It
demonstrates positive support for all three success attributes i.e. task outcomes (γ = 0.263, t =
6.049), organizational outcomes (γ = 0.211, t = 2.973) and public outcomes (γ = 0.315, t =
5.646). Therefore, H3a, H3b and H3c are supported. Two more practices with relatively
higher positive effect are “engagement of key stakeholders” and “IT leadership”. The former
indicates positive support for task outcomes (γ = 0.245, t = 5.363) and public outcomes (γ =
0.233, t = 4.678). Hence, H4a and H4c are supported. The latter also indicates positive
Page 146
131
support for task outcomes (γ = 0.244, t = 5.531) and public outcomes (γ = 0.249, t = 4.178).
Therefore, H1a and H1c are also supported.
The practice “senior management involvement and support” indicates small positive support
for task outcomes (γ = 0.187, t = 4.247) but its higher significance shows its importance.
Hence, H2a is supported. However, “competitive IT professionals” indicates smallest support
for task outcomes (γ = 0.120, t = 2.622). Hence, H11a is weakly supported.
Moreover, the practices “defined, aligned and cascaded IT and business strategies” and
“policies and guidelines for optimal acquisition and use of IT” show positive support for
organizational outcomes (γ = 0.226, t = 3.397 and γ = 0.209, t = 4.170 respectively). In this
way, H5b and H7b are supported.
Furthermore, “IT structures for responsiveness and accountability”, “IT governance
awareness and training” and “performance measures and benchmarks” reveal small positive
support for organizational outcomes (γ = 0.162, t = 2.659, γ = 0.173, t = 2.174 and γ = 0.154,
t = 2.125 respectively). Hence, H6b, H10b and H12b are weakly supported.
The practice “standardized and managed IT infrastructure and applications” show positive
support for public outcomes (γ = 0.256, t = 4.697). Therefore, H9c is supported. However,
“risk identification and mitigation mechanism” indicates no significant support for any of the
success attributes in the study environment.
Page 147
132
Table 6.4: Strengths and significance of path coefficients
Task outcomes (R2 = 0.835) Organizational outcomes (R
2 = 0.566) Public outcomes (R
2 = 0.811)
Constructs Path coeff.
(γ)
t-values
(t)
Hypothesis
Support
Path coeff.
(γ)
t-values
(t)
Hypothesis
Support
Path coeff.
(γ)
t-values
(t)
Hypothesis
support
V1 0.244 5.531 Supported -0.028 0.378 Not supported 0.249 4.178 Supported
V2 0.187 4.247 Supported -0.059 0.995 Not supported 0.034 0.876 Not supported
V3 0.263 6.049 Supported 0.211 2.973 Supported 0.315 5.646 Supported
V4 0.245 5.363 Supported 0.049 0.577 Not supported 0.233 4.678 Supported
V5 0.023 0.535 Not supported 0.226 3.397 Supported 0.019 0.409 Not supported
V6 0.097 2.448 Not supported 0.162 2.659 Supported 0.060 1.523 Not supported
V7 0.057 1.582 Not supported 0.209 4.170 Supported 0.050 1.472 Not supported
V8 0.067 1.445 Not supported -0.013 0.213 Not supported 0.076 1.737 Not supported
V9 0.006 0.156 Not supported -0.049 0.823 Not supported 0.256 4.697 Supported
V10 -0.012 0.309 Not supported 0.173 2.174 Supported -0.033 0.578 Not supported
V11 0.120 2.622 Supported 0.044 0.697 Not supported 0.019 0.510 Not supported
V12 -0.045 1.169 Not supported 0.154 2.125 Supported -0.063 1.262 Not supported
Note: Path coefficients (γ) ≥ 0.1 small support, ≥ 0.3 moderate support, ≥ 0.5 strong support (Cohen, 1988).
Page 148
133
6.3 Discussion
The results presented in the previous section indicate that majority of the studied IT
governance practices (11 out of 12) had small to moderate effect on either task,
organizational and/or public outcomes. The practice “IT/business communication and
partnership” is the most important in the whole study. It showed positive effect on task,
organizational and public outcomes. This might be due to the fact that most PakPSOs have IT
project steering committees with a balanced representation of both business and IT personnel
besides a central IT steering committee at their respective planning sector organizations.
They have also newly established cross-training and communication mechanisms in place to
encourage this practice at employees‟ level.
The practice “IT leadership” showed positive effect on task and public outcomes. However,
this practice showed no support for organizational outcomes. It means PakPSOs are still
lacking in providing leadership structures and related competencies for organizational
outcomes. One possible reason might be the fact that PSOs are usually weak in setting goals
and measuring performance at organizational level (Weill & Ross, 2004) and possibly IT
leadership in PakPSOs undertakes IT projects in isolation i.e. without properly aligning them
with organizational objectives.
The practice “senior management involvement and support” indicated positive effect on task
outcomes. This practice is also important because the role of senior management is crucial in
resource prioritization, provision of additional resources and support to the project in crisis.
The need is enlarged in the context of a developing country due to limited resources,
competing needs and strong political influence. However, this practice provided no support
for organizational and public outcomes which is a surprising result of this study.
The practice “engagement of key stakeholders” indicated positive effect on task and public
outcomes. This finding is consistent with stakeholder theory that emphasizes the need of
involving inside and outside stakeholders for success (Freeman, 1994). However, this
practice showed no effect on organizational outcomes in the study environment which shows
a major weakness of PakPSOs.
The practices “defined, aligned and cascaded IT and business strategies” and “IT structures
for responsiveness and accountability” indicated positive effect on organizational outcomes.
The former is consistent with the study of Bowen et al. (2007) in which this practice found to
be an effective indicator for IT outcomes success. The later is consistent with the study of De
Page 149
134
Haes and Van Grembergen (2008) which highlights the need of IT structures for success.
However, these practices indicated no effect on task and public outcomes. One possible
reason might be the ineffectiveness and absence of IT strategies and policies in most of the
PakPSOs. The poor strategic alignment is another reason for this to happen.
Similarly, the practices “policies and guidelines for optimal acquisition and use of IT”, “IT
governance awareness and training” and “performance measures and benchmarks” showed
positive effect on organizational outcomes. However, these practices indicated no effect on
task and public outcomes. This indicates that these practices are more important for
organizational context and should be implemented in organizational context mainly rather
than projects‟ context.
The practice “competitive IT professionals” indicated positive effect on task outcomes.
However, this practice indicated no effect on organizational and public outcomes. This shows
that PakPSOs mainly emphasize on IT professionals for task outcomes rather than
organizational and public outcomes. Most of the time, IT professionals are hired on contract
basis till the duration of the project. Attracting and retaining IT professionals is also a
problem in PakPSOs due to higher salaries in multinational and private organizations.
The practice “standardized and managed IT infrastructure and applications” showed
positive on public outcomes. However, this practice indicated no effect on task and
organizational outcomes. This shows that this practice is more critical to deliver an improved
quality of public service delivery in the study environment.
The most studied IT governance practices demonstrated positive effect on strategic IT
projects‟ outcomes in PakPSOs which shows their importance in this environment. However,
various practices demonstrated support for various attributes of IT projects. Some indicated
support for task outcomes and some indicated support for organizational and public outcomes
with varying degree of effect. Due to the relative importance of these practices, public
managers and decision-makers in PakPSOs and similar environment can improve their IT-
related plans, optimize limited resources and consequently, improve & sustain public service
deliver.
6.4 Conclusion
The objective of research phase 3 was “To test and analyze the effect of relevant IT
governance practices on IT outcomes in PakPSOs”. This was achieved by investigating the
Page 150
135
effect of IT governance practices in terms of CSFs on IT outcomes in terms of task,
organizational and public outcomes of strategic IT projects in the PSOs of a developing
country i.e. Pakistan. A research model was developed and tested statistically using sample
data from PakPSOs. Based on the data analysis approach i.e. PLS-based structural equation
modeling, the most studied IT governance practices demonstrated small to moderate effect on
IT projects‟ outcomes. It happened even in the context of a developing country with low
human development, limited resources, insufficient related knowledge & competencies and
constraints on cultural. The major findings emerged from the study are as under:
“IT/business communication and partnership” proved to be an effective practice for
IT projects‟ task, organizational and public outcomes.
“IT leadership” and “engagement of key stakeholders” found to be effective
practices for IT projects‟ task and public outcomes.
“Senior management involvement and support” and “competitive IT professionals”
revealed as effective practices for IT projects‟ task outcomes
“Defined, aligned and cascaded IT and business strategies”, “IT structures for
responsiveness and accountability”, “policies and guidelines for optimal acquisition
and use of IT” and “IT governance awareness and training” found to be effective
practices for IT projects‟ organizational outcomes.
“Standardized and managed IT infrastructure and applications” proved to an
effective practice for IT projects‟ public outcomes.
The IT governance practices which were not significant on other IT projects‟ attributes
perhaps do not stand alone rather they are interdependent so such practices altogether could
not be ignored. This helped to achieve the third research objective of this study i.e. RO3: “To
test and analyze the effect of relevant IT governance practices on IT outcomes in PakPSOs”.
This research phase also provides important implications for both practitioners and academia.
From practitioners‟ point of view, it provides guidance for decision-makers in PSOs of a
developing country to optimize their IT-related plans and use of limited resources by
directing focus on limited areas that have significant effect on IT outcomes. By understanding
the relative importance of IT governance practices, public managers can prioritize limited
resources accordingly. By involving senior management, engaging key stakeholders and
building IT/business collaboration, they can prioritize IT resources and ensure optimal use of
Page 151
136
IT in this environment. By aligning IT strategies with business strategies and enabling
structures, they can incorporate and integrate IT into related public sector reforms to improve
public service delivery. By consolidating and communicating IT governance related policies
and guidelines, they can change, control and enforce policies, strategies and decisions to
perform IT enabled functions more effectively. By providing IT governance awareness and
attracting, developing and retaining competitive IT professionals and IT leadership, they can
strengthen and sustain required IT competencies to standardize and harmonize IT
infrastructure and applications cost-effectively in this environment. By setting IT and
business oriented performance measures and benchmarks, they can demonstrate success and
enable IT contribution for continuous business improvement. Moreover, in addition to
focusing on traditional criteria of project outcomes (time, cost & quality), public managers
can adopt a holistic approach to look into the values that IT projects deliver to the
organization and public (citizens, business & employees).
This study also contributes to the existing body of knowledge from academicians‟ point of
view. The results may be used to broaden the scope of effective IT governance practices in
the context of PSOs of developing countries. The research theoretically enhances the
understanding of organizational and public value of IT projects. The results may also be used
to strengthen the existing IT governance frameworks like COBIT and ITIL etc.
6.5 Chapter Summary
In this chapter, the results of research phase 1 with discussion and conclusion have been
provided in detail. The summary of important points of this chapter is as under:
11 IT governance practices out of 12 showed small to moderate effect on either on
task, organizational or public outcomes in PakPSOs. Some practices showed positive
effect on task outcomes and some showed on organizational and public outcomes of
strategic IT projects in PakPSOs.
The practice “IT/business Communication and Partnership” found to be the most
effective whereas the practice, “IT Structures for Responsiveness and Accountability”
proved to be the least effective.
The practice “Risk Identification and Mitigation Mechanism” showed no effect on
either of the success attribute.
Page 152
137
Due to the relative importance of IT governance practices (CSFs) for IT projects‟
success attributes (task, organizational and public outcomes), public managers can
prioritize limited resources and consequently, improve & sustain public service
delivery in this environment.
The validated set of IT governance practices of this research phase can also be used to
develop an IT governance implementation framework for this environment i.e.
PakPSOs.
Page 153
138
7 The Framework: Development Phase
7.1 Chapter Objectives
This chapter and the next chapter 8 provide the results of research phase 4. The main purpose
of research phase 4 was to develop and evaluate an IT governance implementation
framework for PakPSOs. This was in response to the fourth research question of this study,
RQ4: “How can effective IT governance practices be implemented in PakPSOs?” This was
achieved by developing and evaluating an IT governance implementation framework using
design science research approach. The detailed methodology and research process of phase 4
is given in section 3.3.4 of chapter 3. This chapter provides the results of development phase
of the framework. The results of the first two iterations (iterations 1 & 2) are presented in this
chapter. In iteration 1, the initial version of the framework is developed whereas in iteration
2, the first version of the framework is developed based on the results. The two versions are
given in this chapter. The rest of the chapter proceeds as follows. In the second section, the
initial version is developed based on the results. In third section, the first version is developed
based on the results. Discussion and conclusion are provided in the fourth section. Last
section provides the summary of important points of this chapter.
7.2 The Initial Version of the Framework: Results of Iteration 1
7.2.1 Background
The basic building blocks of the initial version of the proposed framework are the 11 IT
governance practices validated in research phase 3 (refer to as” guiding practices” onward in
this study). However, the validated set of these guiding practices provides only the high level
view of the framework. It provides no guidance on how to implement the relevant actions for
each guiding practice to meet the claimed objective of the framework. Therefore, the first
concern is what relevant actions are to be employed for each guiding practice to ensure its
successful implementation. For this, activities (checkpoints) have been introduced in the
Page 154
139
initial version. Due to the scarcity of this kind of previous research in PakPSOs, the
researcher adopted these activities from the existing literature and operationalised them in
PakPSOs through focus groups‟ opinion for the purpose to develop the initial version. The
initial list of activities for each guiding practice with their reference studies is shown in Table
7.1. There are four to eight activities for each guiding practice.
Page 155
140
Table 7.1: The initial list of activities for each practice extracted from the existing literature
Guiding practice Proposed activities Cross-reference from the literature
1. IT/business communication
and partnership
1.1 Establish viable IT/business communication and partnership practice (Nfuka & Rusu, 2013; Aggarwal, 2010;
Lee et al., 2008; Bowen et al., 2007;
ITGI, 2003; Peterson, 2001; Luftman et
al., 1999; Teo & Ang, 1999)
1.2 Involve business personnel in IT initiatives and IT personnel in business imperatives
1.3 Develop shared understanding among IT/business personnel on IT/business goals
and imperatives
1.4 Make IT related decisions with the same criteria used by the business
1.5 Educate business management regarding the importance of partnering with IT
1.6 Assure active conflict resolution
2. Engagement of key
stakeholders
2.1 Identify key stakeholders with clear roles and responsibilities (Alreemy et al., 2016; Razak & Zakaria,
2014; Nfuka & Rusu, 2013; Weill &
Ross, 2004; ITGI, 2003; Ribbers et al.,
2002)
2.2 Consult and involve key stakeholders in IT plan preparation and implementation
2.3 Create shared understanding among key stakeholders on shared IT/business goals
and imperatives
2.4 Provide assurance to satisfy stakeholder concerns
2.5 Analyze the potential contribution of key stakeholders
3. IT leadership 3.1 Provide a clear and top level mandate to lead and manage IT and transformation
program
(Nfuka & Rusu, 2013; Aggarwal, 2010;
De Haes & Van Grembergen, 2008; Hoch
& Payan, 2008; Lawry et al., 2007;
Luftman et al., 1999; Teo & Ang, 1999) 3.2 Persuade IT leadership on articulation a vision for the role of IT in organization
3.3 Encourage IT leadership on business imperatives and viable IT intervention
3.4 Convince business management on IT potential and contribution
3.5 Develop confidence of senior management in IT leadership
3.6 Develop focused IT leadership competencies
4. Senior management
involvement and support
4.1 Establish senior management role in IT decision-making and monitoring processes (Nfuka & Rusu, 2013; Aggarwal, 2010;
Tan et al., 2009; Weill & Ross, 2004;
Luftman et al., 1999; Teo & Ang, 1999) 4.2 Demonstrate viable business value proposition from IT for senior management,
board and politicians‟ support
4.3 Convince senior management on delegating viable authority for decision-making and
control over resources
4.4 Convince senior management for additional resources in crisis
4.5 Motivate senior management to use IT actively
5. Defined, aligned and cascaded
IT and business strategies
5.1 Involve IT/business personnel in IT/business strategic planning (Alreemy et al., 2016; Nfuka & Rusu,
2013; De Haes & Van Grembergen, 2009;
Bowen et al., 2007; Guldentops, 2004;
Weill & Ross, 2004; ITGI, 2003; Ribbers
et al., 2002; Luftman et al., 1999)
5.2 Define and align IT goals with business goals
5.3 Establish business aligned IT strategy, resources and operations
5.4 Prioritize, harmonize and establish IT projects cost-effectively
5.5 Integrate IT effectively into related public sector reforms
5.6 Cascade IT strategy down to all levels of organization
Page 156
141
Table 7.1 Continued…
Guiding practice Proposed activities Cross-reference from the literature
6. IT structures for
responsiveness and
accountability
6.1 Establish clear and appropriate IT roles and responsibilities (Nfuka & Rusu, 2013; Tan et al., 2009;
De Haes & Van Grembergen, 2008;
Hoch & Payan, 2008; Bowen et al.,
2007; Guldentops, 2004; Weill, 2004)
6.2 Establish the role of CIO or IT head to report directly to executive head
6.3 Establish IT steering committee with balanced representation of IT/business
6.4 Establish IT project steering committee to prioritize and manage IT projects
6.5 Ensure shared understanding and active participation of committees
7. Policies and guidelines for
optimal acquisition and use of
IT
7.1 Establish needed IT processes and governance framework (Alreemy et al., 2016; Razak & Zakaria,
2014; Nfuka & Rusu, 2013; Tan et al.,
2009; De Haes & Van Grembergen,
2008; PwC & ITGI, 2006; Guldentops,
2004; Weill, 2004; ITGI, 2003)
7.2 Establish clear mechanism for IT budget control and reporting
7.3 Ensure optimized IT investment, procurement and operational cost
7.4 Establish cost-effective and responsible use of IT resources
7.5 Establish ownership and efficient use of IT applications
7.6 Establish IT governance policies & guidelines for IT value creation and preservation
7.7.Determine and implement required change management
7.8 Cascade and enforce IT policies & guidelines at all levels
8. IT governance awareness and
training
8.1 Determine drivers and state of IT governance practices (Razak & Zakaria, 2014; Nfuka & Rusu,
2013; Pollard and Cater-Steel, 2009; De
Haes & Van Grembergen, 2008) 8.2 Determine required mindset change and best practices
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel
8.4 Establish knowledge management mechanism
8.5 Reduce employees resistance
9. Competitive IT professionals 9.1 Attract, develop and retain skilled IT personnel for IT/business success (Alreemy et al., 2016; Razak & Zakaria,
2014; Nfuka & Rusu, 2013; Aggarwal,
2010; Tan et al., 2009; Warland &
Ridley, 2005; Peterson, 2004)
9.2 Develop broad IT competencies to manage IT resources
9.3 Establish and motivate aligned IT innovation and practices
9.4 Treat skilled IT professionals as working capital
10. Standardized and managed
IT infrastructure and
applications
10.1 Provide and leverage IT facilities rationally (Razak & Zakaria, 2014; Nfuka & Rusu,
2013; Aggarwal, 2010; Peterson, 2004;
ITGI, 2003; Teo & Ang, 1999) 10.2 Standardize and share IT infrastructure effectively
10.3 Standardize, integrate and manage IT applications prudently
10.4 Determine and actively manage services offered by the third parties
10.5 Benchmark and provide efficient IT services in and across organizations
10.6 Establish research activities for new and innovative IT services
11. Performance measures and
benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT (Alreemy et al., 2016; Nfuka & Rusu,
2013; Campbell et al., 2010; Tan et al.,
2009; Hoch & Payan, 2008; Ali &
Green, 2007; ; PwC & ITGI, 2006;
Peterson 2004; Weill, 2004; ITGI, 2003)
11.2 Establish effective performance management strategy
11.3 Set and monitor IT/business oriented performance measures
11.4 Evaluate and demonstrate business value of IT
11.5 Assess IT governance performance and continually improve
11.6 Establish performance aligned rewards and penalties
Page 157
142
The next concern was who will execute each activity or set of activities? For this, the role for
each activity was incorporated into the initial version. COBIT framework suggests 19 roles.
However, these roles are complex and exhaustive and all organizations do not employ all
these roles (Simonsson & Johnson, 2008). Simonsson and Johnson (2008) arranged 19 roles
of COBIT into five roles. The researcher adopted five roles suggested by Simonsson and
Johnson (2008) and operationalised them in PakPSOs through focus groups‟ opinion for the
purpose to develop the initial version. The relationship of 19 roles of COBIT with five roles
of Simonsson and Johnson (2008) is shown in Table 7.2.
Table 7.2: Relationship of 19 roles of COBIT with five roles of Simonsson and Johnson (2008)
Roles suggested by COBIT Roles suggested by Simonsson and Johnson (2008)
The Board Executives
Chief Executive Officer
Chief Financial Officer
Business Executive Business
Business Process Owner
Business Senior Management
Chief Information Officer IT management
Chief Architect
Head Development
Program Management Officer
Head Operations IT operations
Deployment Team
Head IT Administration
Training Department
Service Managers
Service Desk/Incident Manager
Configuration Manager
Problem Manager
Compliance, audit, risk and security Compliance, audit, risk and security
Another concern was that what IT resources are required to execute each activity or set of
activities. ITGI (2007) classified IT resources into four types. The researcher adopted four
types of IT resources suggested by ITGI (2007) and operationalised them in PakPSOs
Page 158
143
through focus groups‟ opinion for the purpose to develop the initial version. Four types of IT
resources classified by ITGI (2007) are shown in Table 7.3.
Table 7.3: Four types of IT resources classified by ITGI (2007)
IT resources Definition
Applications The automated user systems and manual procedures that process the information
Information The data in all their forms, input, processed and output by the information
systems in whatever form is used by the business.
Infrastructure The technology and facilities (i.e., hardware, operating systems, database
management systems, networking, multimedia, and the environment that houses
and supports them) that enables the processing of the applications.
People The personnel required to plan, organize, acquire, implement, deliver, support,
monitor and evaluate the information systems and services. They may be
internal, outsourced or contracted as required.
An important building block of the proposed framework should be the environment in which
these practices would be implemented. Due to the operating culture of PakPSOs and state of
IT in these organizations and overall in the country, the environment was incorporated as an
element into the framework. The researcher operationalised the environment as national level
IT-related strategies & policies, E-government strategies, policies, regulation & infrastructure
and IT governance standards and best practices.
Another important building block of the framework is the organization in which it is
implemented. Although things may vary based on the type and nature of the organization and
especially the services that it provides to the public but a framework is generally supposed to
be aligned and interacted with its strategies & policies, structures & systems and objectives &
goals. Therefore, the researcher operationalised the organization as organizational strategies
& policies, organizational structures & systems and organizational objectives & goals for
sustainable success.
7.2.2 Results
A total of six focus groups participated from six PakPSOs i.e. one focus group from one of
the PakPSOs. A total of 35 personnel participated in the focus groups. There were five to
seven members in each focus group representing both IT and business management in order
Page 159
144
to discuss and develop consensus for credible results. The respondents were mainly
IT/business directors, deputy directors and IT project directors well-versed in managing
public sector IT related matters. The distribution of the respondents in each focus group in
each studied organization is shown in Table 7.4.
Table 7.4: Distribution of the respondents in the six studied PakPSOs
Org. U Org. V Org. W Org. X Org. Y Org. Z Total
IT management 3 3 4 3 3 4 20
Business management 2 3 2 3 2 3 15
Total 5 6 6 6 5 7 35
The focus groups were conducted in two rounds. In the first round, the respondents were
requested to provide feedback on each activity of Table 7.1, assign a suitable role to each
activity from Table 7.2 and choose an appropriate IT resource for each activity from Table
7.3. They were allowed to add, delete and change activities, roles and IT resources as per
their business settings. No other feedback was solicited at this stage. The purpose was to
operationalise the predefined list of activities, roles and IT resources in PakPSOs.
The summarized qualitative response of the focus groups after content analysis is given in
Table 7.5. The results show that nine activities have removed, one added, 20 updated and 32
remained unchanged after the focus group interaction. Table 7.5 also shows the suitable role
for each activity and IT resource required to execute each activity.
Page 160
145
Table 7.5: The summarized qualitative response of the focus groups after content analysis
Proposed activities from the relevant literature Improved activities after focus groups‟ interaction R* S
**
1.1 Establish viable IT/business communication and partnership practice
1.1 Formalize viable IT/business communication and partnership
practice
B IN
1.2 Involve business personnel in IT initiatives and IT personnel in business imperatives
1.2 Train/involve business personnel in IT initiatives and IT personnel in business imperatives
B PP
1.3 Develop shared understanding among IT/business personnel on
IT/business goals and imperatives
1.3 No change E IN
1.4 Make IT related decisions with the same criteria used by the business 1.4 Removed ---- ----
1.5 Educate business management regarding the importance of partnering
with IT
1.4 Convince business management on IT/business partnership B IN
1.6 Assure active conflict resolution Removed ---- ----
2.1 Identify key stakeholders with clear roles and responsibilities 2.1 Identify key stakeholders and establish appropriate roles & responsibilities
B PP
2.2 Consult and involve key stakeholders in IT plan preparation and
implementation
2.2 Involve key stakeholders in IT/business plans preparation and
implementation
E PP
2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives
2.3 No change E IN
2.4 Provide assurance to satisfy stakeholder concerns 2.4 Removed ---- ----
2.5 Analyze the potential contribution of key stakeholders 2.4 Analyze and report the potential contribution of key stakeholders B IN
3.1 Provide a clear and top level mandate to lead and manage IT and transformation program
3.1 Formalize a clear and top level mandate to lead and manage overall transformation program
E PP
3.2 Persuade IT leadership on articulation a vision for the role of IT in
organization
3.2 Removed ---- ----
3.3 Encourage IT leadership on business imperatives and viable IT intervention
3.2 No change E PP
3.4 Convince business management on IT potential and contribution 3.3 No change ITM PP
3.5 Develop confidence of senior management in IT leadership 3.4 No change ITM PP
3.6 Develop focused IT leadership competencies 3.5 No change E PP
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 161
146
Table 7.5 Continued…
Proposed activities from the relevant literature Improved activities after focus groups‟ interaction R* S
**
4.1 Establish senior management role in IT decision-making and
monitoring processes
4.1 Establish senior management role in strategic IT decision-
making, resource prioritization and monitoring processes
E PP
4.2 Demonstrate viable business value proposition from IT for senior management, board and politicians‟ support
4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor
ITM IN
4.3 Convince senior management on delegating viable authority for
decision-making and control over resources
4.3 Convince senior management to delegate viable authority over
resources
ITM PP
4.4 Convince senior management for additional resources in crisis
4.4 Convince senior management to provide required resources for IT/business success
ITM PP
4.5 Motivate senior management to use IT actively 4.5 No change ITM PP
5.1 Involve IT/business personnel in IT/business strategic planning 5.1 Involve IT/business personnel in strategic IT/business planning E PP
5.2 Define and align IT goals with business goals 5.2 No change ITM IN
5.3 Establish business aligned IT strategy, resources and operations 5.3 No change ITM IN
5.4 Prioritize, harmonize and establish IT projects cost-effectively
5.4 Prioritize and align IT projects with business goals and
imperatives
B AP
5.5 Integrate IT effectively into related public sector reforms 5.5 Incorporate IT effectively into required public sector reforms B AP
5.6 Cascade IT strategy down to all levels of organization 5.6 No change E IN
6.1 Establish clear and appropriate IT roles and responsibilities 6.1 No change B PP
6.2 Establish the role of CIO or IT head to report directly to the executive
head
6.2 No change E PP
6.3 Establish IT steering committee with balanced representation of IT/business
6.3 Establish IT steering committee with balanced representation of IT/business executives
E PP
6.4 Establish IT project steering committee to prioritize and manage IT
projects
6.4 No change B PP
6.5 Ensure shared understanding and active participation of committees 6.5 No change E PP
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 162
147
Table 7.5 Continued…
Proposed activities from the relevant literature Improved activities after focus groups‟ interaction R* S
**
7.1 Establish needed IT processes and governance framework 7.1 No change CARS IN
7.2 Establish clear mechanism for IT budget control and reporting 7.2 Establish transparent IT/business budget control and reporting CARS IN
7.3 Ensure optimized IT investment, procurement and operational cost 7.3 No change ITM IF
7.4 Establish cost-effective and responsible use of IT resources 7.4 Removed ---- ----
7.5 Establish ownership and efficient use of IT applications 7.4 Establish ownership and ensure effective use of IT infrastructure
& applications
B IF
7.6 Establish IT governance policies & guidelines for IT value creation and preservation
7.5 No change ITM IF
7.7 Determine and implement required change management 7.6 No change B PP
7.8 Cascade and enforce IT policies & guidelines at all levels 7.7 No change E IN
8.1 Determine drivers and state of IT governance practices 8.1 No change ITM PP
8.2 Determine and fix required mindset change and best practices 8.2 No change ITM PP
8.3 Adopt and undertake IT governance awareness and training for
IT/business personnel
8.3 No change ITM PP
8.4 Establish knowledge management mechanism 8.4 Removed ---- ----
8.5 Reduce employees resistance 8.5 Removed Added: 8.4 Create IT governance awareness among employees
through top management announcements
E PP
9.1 Attract, develop and retain skilled IT personnel for IT/business success 9.1 No change B PP
9.2 Develop broad IT competencies to manage IT resources 9.2 No change ITM PP
9.3 Establish and motivate aligned IT innovation and practices 9.3 Establish and motivate aligned IT/business innovation and
practices
ITM IN
9.4 Treat skilled IT professionals as working capital 9.4 No change B PP
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS) **IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 163
148
Table 7.5 Continued…
Proposed activities from the relevant literature Improved activities after focus groups‟ interaction R* S
**
10.1 Provide and leverage IT facilities rationally 10.1 Removed ---- ----
10.2 Standardize and share IT infrastructure effectively 10.1 No change ITO IF
10.3 Standardize, integrate and manage IT applications effectively 10.2 No change ITO AP
10.4 Determine and actively manage services offered by the third parties 10.3 Define and manage SLAs effectively ITM IF
10.5 Benchmark and provide efficient IT facilities in and across
organizations
10.4 Benchmark and provide efficient IT facilities in and across
organizations
ITM AP
10.6 Encourage research activities for new and innovative IT services 10.5 No change ITM IN
11.1 Perform adequate analysis and evaluation of current and future use of IT
11.1 No change ITM IN
11.2 Establish effective performance management strategy 11.2 No change B IN
11.3 Set and monitor IT/business oriented performance measures 11.3 No change B IN
11.4 Evaluate and demonstrate business value of IT 11.4 Evaluate and demonstrate business value proposition of IT ITM IN
11.5 Assess IT governance performance and continually improve 11.5 No change ITM IN
11.6 Establish performance aligned rewards and penalties 11.6 Removed ---- ----
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 164
149
In the second round, the quantitative response of the focus groups was sought on “perceived
effectiveness” and “ease of implementation” of improved activities in their business settings.
The respondents were requested to rate each improved activity for its “perceived
effectiveness” on a scale from 1 (not effective) to 5 (very effective) and its “perceived ease of
implementation” on a scale from 1 (not easy) to 5 (very easy). The purpose was to acquire an
effective list of activities which are easy to implement in the study environment i.e. PakPSOs.
The activities with cut-off scores equal to or above 60% on both perceived effectiveness and
ease of implementation were selected for the initial version of the framework. After the
process of data analysis, it was found that all the improved activities had scores equal to or
above 60% on both perceived effectiveness and ease of implementation as shown in Figure
7.1. Therefore, all the improved activities were selected for the initial version of the
framework.
The results indicate that majority of the improved activities have higher scores for
effectiveness than ease of implementation. This shows that although improved activities are
effective but their implementation in PakPSOs is not as easy. Some possible reasons among
others may be the insufficient IT resources, inadequate related knowledge & competencies,
and prevailing culture of PakPSOs.
Page 165
150
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
80.0%
90.0%
Activity 1.1Activity 1.2Activity 1.3
Activity 1.4Activity 2.1
Activity 2.2
Activity 2.3
Activity 2.4
Activity 3.1
Activity 3.2
Activity 3.3
Activity 3.4
Activity 3.5
Activity 4.1
Activity 4.2
Activity 4.3
Activity 4.4
Activity 4.5
Activity 5.1
Activity 5.2
Activity 5.3
Activity 5.4
Activity 5.5Activity 5.6
Activity 6.1Activity 6.2Activity 6.3
Activity 6.4Activity 6.5Activity 7.1
Activity 7.2Activity 7.3
Activity 7.4
Activity 7.5
Activity 7.6
Activity 7.7
Activity 8.1
Activity 8.2
Activity 8.3
Activity 8.4
Activity 9.1
Activity 9.2
Activity 9.3
Activity 9.4
Activity 10.1
Activity 10.2
Activity 10.3
Activity 10.4
Activity 10.5
Activity 11.1Activity 11.2
Activity 11.3Activity 11.4Activity 11.5
Effectiveness
Ease of Implementation
Figure 7.1: Quantitative response of the focus groups on perceived effectiveness and ease of implementation of improved activities
Page 166
151
Now, we have all the required elements and sub-elements for the intinal version of the
framework. These elements and sub-elements have been validated and/or operationalised in
the PakPSOs. The intial version of the framework consists of the guiding practices, activities
to implement these parctices, suitable roles to execute the activities, approperiate IT resources
required for the activities, the organizational strategies & policies, structures & systems,
objectives & goals and the environment in which it is implemneted. All these said elements
and sub-elements have been discussed, validated and/or operationalised in the PakPSO. The
intial verstion of the proposed IT governance implementation framework is shown in Figure
7.2 and the activities detail for the practices are shown in Table 7.6.
Page 167
152
Figure 7.2: The initial version of the proposed framework
Page 168
153
Table 7.6: Activities for guiding practices with roles and IT resources
Guiding practice Activities R* S
**
1. IT/business communication
and partnership
1.1 Formalize viable IT/business communication and partnership practice B IN
1.2 Train/involve business personnel in IT initiatives and IT personnel in business imperative B PP
1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives E IN
1.4 Convince business management on IT/business partnership B IN
2. Engagement of key
stakeholders
2.1 Identify key stakeholders and establish appropriate roles & responsibilities B PP
2.2 Involve key stakeholders in IT/business plans preparation and implementation E PP
2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives E IN
2.4 Analyze and report the potential contribution of key stakeholders B IN
3. IT leadership 3.1 Establish clear and top level mandate to lead and manage overall transformation program E PP
3.2 Encourage IT leadership on business imperatives and viable IT intervention E PP
3.3 Convince business management on IT potential and contribution ITM PP
3.4 Develop confidence of senior management in IT leadership ITM PP
3.5 Develop focused IT leadership competencies E PP
4. Senior management
involvement and support
4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes E PP
4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor ITM IN
4.3 Convince senior management to delegate viable authority over resources ITM PP
4.4 Convince senior management to provide required resources for IT/business success ITM PP
4.5 Motivate senior management to use IT actively ITM PP
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 169
154
Table 7.6 Continued…
Guiding practice Activities R* S
**
5. Defined, aligned and
cascaded IT and business
strategies
5.1 Involve IT/business personnel in strategic IT/business planning E PP
5.2 Define and align IT goals with business goals ITM IN
5.3 Establish business aligned IT strategy, resources and operations ITM IN
5.4 Prioritize and align IT projects with business goals and imperatives B AP
5.5 Incorporate IT effectively into required public sector reforms B AP
5.6 Cascade IT strategy down to all levels of organization E IN
6. IT structures for
responsiveness and
accountability
6.1 Establish clear and appropriate IT roles and responsibilities B PP
6.2 Establish the role of CIO or IT head to report directly to the executive head E PP
6.3 Establish IT steering committee with balanced representation of IT/business executives E PP
6.4 Establish IT project steering committee to prioritize and manage IT projects B PP
6.5 Ensure shared understanding and active participation of committees E PP
7. Policies and guidelines for
optimal acquisition and use of
IT
7.1 Establish needed IT processes and governance framework CARS IN
7.2 Establish transparent IT/business budget control and reporting CARS IN
7.3 Ensure optimized IT investment, procurement and operational cost ITM IF
7.4 Establish ownership and ensure effective use of IT infrastructure & applications B IF
7.5 Establish IT governance policies & guidelines for IT value creation and preservation ITM IF
7.6 Determine and implement required change management B PP
7.7 Cascade and enforce IT policies & guidelines at all levels E IN
8. IT governance awareness and
training
8.1 Determine drivers and state of IT governance practices ITM PP
8.2 Determine and fix required mindset change and best practices ITM PP
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel ITM PP
8.4 Create IT governance awareness among employees through top management announcements E PP
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 170
155
Table 7.6 Continued…
Guiding practice Activities R* S
**
9. Competitive IT professionals 9.1 Attract, develop and retain skilled IT personnel for IT/business success B PP
9.2 Develop broad IT competencies to manage IT resources ITM PP
9.3 Establish and motivate aligned IT/business innovation and practices ITM IN
9.4 Treat skilled IT professionals as working capital B PP
10. Standardized and managed
IT infrastructure and
applications
10.1 Standardize and share IT infrastructure effectively ITO IF
10.2 Standardize, integrate and manage IT applications effectively ITO AP
10.3 Define and manage SLAs effectively ITM IF
10.4 Benchmark and provide efficient IT facilities in and across organizations ITM AP
10.5 Encourage research activities for new and innovative IT services ITM IN
11. Performance measures and
benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT ITM IN
11.2 Establish effective performance management strategy B IN
11.3 Set and monitor IT/business oriented performance measures B IN
11.4 Evaluate and demonstrate business value proposition of IT ITM IN
11.5 Assess IT governance performance and continually improve ITM IN
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 171
156
7.3 The First Version of the Framework: Results of Iteration 2
7.3.1 Background
In iteration 2, the initial version of the framework is enhanced through the interviews of
senior IT and business management personnel in PakPSOs. This is also complemented by the
interviews of related industry experts. The purpose is the general enhancement of the
framework through new or improved activities, suitability of the assigned roles and IT
resources. The collected data are then analyzed using content analysis. Consequently, the
analyzed data are categorized and incorporated into the framework ending up in the first
version.
7.3.2 Results
A total of 46 personnel from 23 PakPSOs participated in the interview process. Twenty six
personnel were from IT side and 20 from business side. Five personnel participated from
industry. The respondents‟ profile and their summarized suggestions after content analysis
are shown in Table 7.7. The results indicate that nine activities have updated, the positions of
four activities have changed, two activities have merged resulting into one new activity, one
activity has added and one activity has removed. All the generic roles have been replaced by
the specific roles. As for as the IT resources concern, there was no change in any of the IT
resources. All the summarized suggestions have incorporated into the framework ending up
in the first version. The first version of the framework is shown in Figure 7.3 and the
activities detail is shown in Table 7.8.
Page 172
157
Table 7.7: Respondents‟ profile and their summarized suggestions
Respondents‟ profile Summarized suggestions
IT management
Director Generals - 3
Executive Directors - 1
Directors/Deputy Directors - 22
Total - 26
Business Management
Director Generals - 2
General Managers/Managing Directors -
4
Directors - 14
Total – 20
Activities
Update activity 1.4 “Convince business management on IT/business partnership” by “Convince IT/business management on
IT/business partnership”.
Interchange the positions of activities 1.2 and 1.4.
Update activity 3.1 “Establish clear and top level mandate to lead and manage overall transformation program” by “Establish
clear and top level mandate to lead IT transformation program”.
Interchange the positions of activities 3.4 and 3.5.
Update activity 4.3 “Convince senior management to delegate viable authority over resources” by “Convince senior
management to delegate viable negotiating authority”.
Remove activity 7.1.
Update activity 7.4 “Establish ownership and ensure effective use of IT infrastructure & applications” by “Ensure effective
& efficient use of IT infrastructure & applications”.
Update activity 7.5 “Establish IT governance policies & guidelines for IT value creation and preservation” by “Establish
policies & guidelines for IT value creation and preservation”.
Update activity 8.1 “Determine drivers and state of IT governance practices” by “Determine state and drivers of IT
governance practices”.
Update activity 8.2 “Determine and fix required mindset change and best practices” by “Determine and implement best
practices for mindset change”.
Merge activities 10.1 & 10.2 into one activity i.e. “Standardize, share and manage IT infrastructure & applications cost-
effectively.
Update activity 10.4 “Benchmark and provide efficient IT facilities in and across organizations” by “Benchmark and provide
effective & efficient IT facilities in and across organizations”.
Update activity 10.5 “Encourage research activities for new and innovative IT services” by “Encourage aligned research
activities for innovative IT services”.
Page 173
158
Table 7.7 Continued…
Respondents‟ profile Summarized suggestions
Roles/IT resources
Replace the generic roles by the specific roles due to ambiguity and need of explanation of these roles. The generic roles are against the
true spirit of governance where roles should be clear to ensure responsibility & accountability. Replace Executives by Executive Head
(EH), Business by Business Head (BH) and Business Team (BT), IT management by IT Head (ITH). IT operations by IT Team (ITT),
and Compliance, audit, risk and security by Regulations Head (RH).
Change role of activity 7.4 from Business Head to IT Head.
All the proposed IT resources are appropriate.
Environmental and organizational components are OK.
Other comments
It is impractical to implement this framework in all PakPSOs because required IT facilities are not available in some of the PakPSOs.
Researcher‟s relevant point of view: The issue has been addressed by activity 10.3 “Benchmark and provide effective & efficient IT
facilities in and across organizations.
The framework provides no activity to receive public feedback for decision-making and improvement of quality of government
services because public including citizens, businesses and employees are important stakeholders in public sector.
Researcher‟s relevant point of view: A new activity 2.5 “Formalize virtual connection between IT and business practices and
communities”, adopted from Peterson (2001), is added to the framework.
It is hard to measure and demonstrate business value of IT in public sector because most organizations in this sector are non-profit
based. Moreover, it is difficult to convert intangible benefits into monetary value because the main purpose of this sector is to serve
and facilitate the nation.
Researcher‟s relevant point of view: The business value of IT in public sector can be viewed in terms of cost reduction and efficiency
gain, improved quality of decision-making & services and employees‟ productivity etc.
The framework is a useful tool to govern strategic IT projects.
The framework is a suitable tool for improving and sustaining public service delivery.
Page 174
159
Table 7.7 Continued…
Respondents‟ profile Summarized suggestions
Industry
Heads of lT Management -3
Governance related services- 2
Total – 5
Activities/Roles/IT resources
Update activity 8.4 “Create IT governance awareness among employees through top management announcements” by “Ensure compliance
among employees through top management announcements”.
Other comments
The framework has not mentioned the possibility of using emerging trend of cloud computing that provides many benefits to
organization in terms of cost reduction, increased collaboration, enhanced security, disaster recovery etc.
Researcher‟s relevant point of view: The concept of cloud computing is at very early stages in PakPSOs. No cloud computing facility has
been fully established for PakPSOs so far and private cloud computing facility could not be used for classified government data &
information for security reasons. However, this has been implicitly covered in activity 10.1 “Standardize, share and manage IT
infrastructure & applications cost-effectively”.
The framework has not discussed the opportunity of providing public services through mobile phones i.e. emerging trend of m-
government.
Researcher‟s relevant point of view: This has been implicitly addressed by activity 10.4 “Encourage aligned research activities for
innovative IT services”.
The framework is silent on risk management.
Researcher‟s relevant point of view: The practice “Risk Identification and Mitigation Mechanism” has not been validated statistically in
PakPSOs. However, it is implicitly addressed by activity 7.4 “Formalize policies & guidelines for IT value creation and preservation”.
Cover IT governance practices with environmental and organizational components. Remove IT governance focus areas box, IT-
business alignment box, IT outcomes box and all arrows because all these things are self-explanatory and superfluous.
Researcher‟s relevant point of view: The framework is amended as per aforesaid comments/suggestions.
The framework is useful for IT governance awareness, IT management and service delivery in public sector.
Linkage to environmental and organizational elements is nice and all elements are sophisticated.
Coverage in five IT governance focus areas and three IT-business alignment perspectives is the novelty of the framework.
Page 175
160
Figure 7.3: First version of the framework
Page 176
161
Table 7.8: Activities for practices with roles and IT resources
Guiding practice Activities R* S
**
1. IT/business communication
and partnership
1.1 Formalize viable IT/business communication and partnership practice BT IN
1.2 Convince IT/business management on IT/business partnership EH PP
1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives EH IN
1.4 Train/involve business personnel in IT initiatives and IT personnel in business imperatives BH IN
2. Engagement of key
stakeholders
2.1 Identify key stakeholders and establish appropriate roles & responsibilities BH PP
2.2 Involve key stakeholders in IT/business plans preparation and implementation EH PP
2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives EH IN
2.4 Analyze and report the potential contribution of key stakeholders BT IN
2.5 Formalize virtual connection between IT and business practices and communities EH IN
3. IT leadership 3.1 Establish clear and top level mandate to lead IT transformation program EH PP
3.2 Encourage IT leadership on business imperatives and viable IT intervention EH PP
3.3 Convince business management on IT potential and contribution ITH PP
3.4 Develop focused IT leadership competencies EH PP
3.5 Develop confidence of senior management in IT leadership ITH PP
4. Senior management
involvement and support
4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes EH PP
4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor ITH IN
4.3 Convince senior management to delegate viable negotiating authority ITH PP
4.4 Convince senior management to provide required resources for IT/business success ITH PP
4.5 Motivate senior management to use IT actively ITH PP
*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 177
162
Table 7.8 Continued…
Guiding practice Activities R* S
**
5. Defined, aligned and
cascaded IT and business
strategies
5.1 Involve IT/business personnel in strategic IT/business planning EH PP
5.2 Define and align IT goals with business goals ITH IN
5.3 Establish business aligned IT strategy, resources and operations ITH IN
5.4 Prioritize and align IT projects with business goals and imperatives BT AP
5.5 Incorporate IT effectively into required public sector reforms BT AP
5.6 Cascade IT strategy down to all levels of organization EH IN
6. IT structures for
responsiveness and
accountability
6.1 Establish clear and appropriate IT roles and responsibilities BH PP
6.2 Establish the role of CIO or IT head to report directly to the executive head EH PP
6.3 Establish IT steering committee with balanced representation of IT/business executives EH PP
6.4 Establish IT project steering committee to prioritize and manage IT projects BH PP
6.5 Ensure shared understanding and active participation of committees EH PP
7. Policies and guidelines for
optimal acquisition and use of
IT
7.1 Establish transparent IT/business budget control and reporting RH IN
7.2 Ensure optimized IT investment, procurement and operational cost ITH IF
7.3 Ensure effective & efficient use of IT infrastructure & applications ITH IF
7.4 Formalize policies & guidelines for IT value creation and preservation ITH IF
7.5 Determine and implement required change management BH PP
7.6 Cascade and enforce IT policies & guidelines at all levels EH IN
8. IT governance awareness and
training
8.1 Determine state and drivers of IT governance practices ITH PP
8.2 Determine and implement best practices for mindset change ITH PP
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel ITH PP
8.4 Ensure compliance among employees through top management announcements EH PP
*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 178
163
Table 7.8 Continued…
Guiding practice Activities R* S
**
9. Competitive IT professionals 9.1 Attract, develop and retain skilled IT personnel for IT/business success BH PP
9.2 Develop broad IT competencies to manage IT resources ITH PP
9.3 Establish and motivate aligned IT/business innovation and practices ITH IN
9.4 Treat skilled IT professionals as working capital BH PP
10. Standardized and managed
IT infrastructure and
applications
10.1 Standardize, share and manage IT infrastructure & applications cost-effectively ITT IF
10.2 Define and manage SLAs effectively ITH IF
10.3 Benchmark and provide effective & efficient IT facilities in and across organizations ITH AP
10.4 Encourage aligned research activities for innovative IT services ITH IN
11. Performance measures and
benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT ITH IN
11.2 Establish effective performance management strategy BT IN
11.3 Set and monitor IT/business oriented performance measures BT IN
11.4 Evaluate and demonstrate business value proposition of IT ITH IN
11.5 Assess IT governance performance and continually improve ITH IN
*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 179
164
7.4 Discussion and Conclusion
The results presented above deals with the development phase of the proposed framework.
According to design science research, a framework is iteratively developed and evaluated.
Therefore, two iterations have been performed in the development phase. In iteration 1, the
initial version of the framework has developed and in iteration 2, the first version of the
framework has developed. The initial version has developed based on the results of research
phases 2 & 3, existing knowledge base and focus groups‟ opinion of 35 IT and management
personnel in 6 PakPSOs. The initial list of activities has been adopted from the existing
literature and then operationalised in PakPSOs. Similarly, generic roles and IT resources have
also been adopted from the existing literature and operationalised in PakPSOs. The results
indicated that nine activities were removed, one added, 20 updated and 32 remained
unchanged after the focus group interaction on the initial list. One possible reason of the
deleted activities might be the fact that these are not relevant to PakPSOs. The other reason
might be the fact that these are hardly to implement due to the lack of related knowledge &
competencies in this environment. The results also indicated that the activities are more
effective than ease of implementation. This might be due to the low human development,
limited IT resources, inadequate related knowledge & competencies and operating culture of
PakPSOs. The initial version of the framework is not an ultimate solution because it is based
on the opinions in limited number of PakPSOs. Therefore, the initial version has been further
enhanced through the interviews of 46 heads of IT and business in 23 PakPSOs having rich
experience in strategic management of IT and business. It is also complemented by the
interviews of 5 related industry experts. This resulted into the first version of the framework.
The results indicated that nine activities have updated, two activities have merged resulting
into one new activity, one activity has added and one activity has removed and four changed
their positions. All the generic roles have replaced by the specific roles. As for as the IT
resources concern, there was no change in any of the IT resources. The results of the first
version are more credible than the initial version because they are based on the opinions of
senior managers having rich experience in strategic management of IT and business and
representing more PakPSOs. Therefore, the first version is considered for evaluation in a case
study organization which is a subject of chapter 8. Another important aspect of the proposed
framework is that the practices are grouped into two categories i.e. IT governance focus areas
and IT-business alignment perspectives. This provides two views of the framework. On one
Page 180
165
hand, the framework covers five focus areas of IT governance and on other hand it covers
three perspectives of IT-business alignment. In this way, the proposed framework provides a
holistic view of IT governance. This helped to partially achieve the fourth objective of this
study i.e. RQ4: “To develop and evaluate a framework for effective IT governance
implementation in PakPSOs”. The development of the framework has been covered in this
chapter whereas the evaluation of the framework is covered in chapter 8.
7.5 Chapter Summary
In this chapter, the results of the development phase of the proposed framework with
discussion and conclusion have been provided in detail. The summary of important points of
this chapter is as under:
The framework has developed using design science research approach. According to
design science, a framework is developed and evaluated in iterations. This chapter
deals with the development phase of the framework and evaluation phase is not the
subject of this chapter.
The framework has developed in two iterations. In iteration 1, the initial version of
the framework has developed whereas in iteration 2, the first version of the
framework has developed.
The basic building blocks of the framework are the guiding practices, the activities to
implement these practices, suitable roles and appropriate IT resources to execute the
activities, the organizational strategies & policies, structures & systems, objectives &
goals and the environment in which it is implemented.
The initial version of the framework consists of 11 guiding practices, 54 activities
(checkpoints), five generic roles and four types of IT resources. All the said elements
and sub-elements have been validated and/or operationalised in PakPSOs.
The initial version has developed based on the results of research phases 2 & 3,
existing knowledge base and focus groups‟ opinion of 35 IT and management
personnel in 6 PakPSOs.
The initial version has enhanced based on the interviews of 46 heads of IT and
business in 23 PakPSOs having rich experience in strategic management of IT and
business. It is also complemented by interviews of 5 related industry experts. This
resulted into the first version of the framework.
Page 181
166
The first version of the framework is the updated version of the initial version. It
consists of 11 guiding practices, 53 activities, six specific roles and four types of IT
resources.
The framework not only covers the five focus areas of IT governance but also covers
the three perspectives of IT-business alignment. In this way, the framework provides a
holistic view of IT governance.
Page 182
167
8 The Framework: Evaluation Phase
8.1 Chapter Objectives
This chapter provides the results of the evaluation phase (iteration 3) of the proposed
framework. As already discussed, the framework has been developed and evaluated in three
iterations. In iterations 1 & 2, the framework has been developed ending up in the initial
version and the first version respectively. In iteration 3, the first version of the framework is
evaluated in one of the PakPSOs using case study research approach ending up in the second
version which is also the final version of this study. The purpose of iteration 3 is to evaluate
the framework in a real business setting. The detailed methodology and research process of
the evaluation phase is given in section 3.3.4.1 of chapter 3. The results indicated that after
incorporating suggested improvements, the second version of the proposed framework is the
useful for implementing effective IT governance in PakPSO. The rest of the chapter proceeds
as follows. In the second section, a brief introduction of the case is provided. In the third
section, IT governance in organization M is described in detail. In the fourth section, the
proposed framework is harmonized with organization M. The fifth section provides the
results of the case study. In the sixth section, the second version of the framework is given.
Discussion and conclusion are provided in the seventh section. Last section provides the
summary of important points of this chapter.
8.2 Introduction to the Case
The organization M is a service sector organization involved in the implementation of e-
government projects in the country. It is entrusted with responsibility of capacity building
particularly in the field of IT in government sector. Currently, it provides IT and
infrastructure services to more than 100 government departments including health, education,
agriculture, police, transport, excise & taxation, land & revenue and law & justice etc. Most
of its projects are government funded. However, the organization also explores funding
opportunities from private sector, national and international donor agencies. It is an
Page 183
168
autonomous body having a board of directors and considers as the best class public sector IT
organization in the country.
The major objectives of the organization M are: 1) to introduce IT at all levels of the
government to improve efficiency, transparency and quality of services, 2) to provide a
reliable and scalable IT infrastructure up to districts level 3) to formulate and implement
policies & guidelines for automation and business process re-engineering, 4) to enhance
foreign and domestic IT investment through collaboration with renowned international firms,
and 5) to develop human resources through IT training of incubators, professionals and
government employees.
8.3 IT Governance in Organization M
As mentioned above, the organization M is striving for implementing e-government projects
in the country which are usually strategic IT projects. Therefore, the organization M views IT
governance as the governance of its strategic IT projects.
The relationship among five IT governance decisions i.e. IT principles (IT strategy), IT
architecture, IT infrastructure, IT applications and IT investment & prioritization (Weill &
Ross, 2004), five focus areas of IT governance i.e. strategic alignment, value delivery, risk
management, resource management and performance measurement (ITGI, 2007) and five
phases of the project management life cycle i.e. initiating, planning, executing, monitoring &
controlling and closing (PMI, 2004) in the organization M can be explained by Figure 8.1.
Page 184
169
Figure 8.1: The relationship among IT governance decisions and focus areas and project management
life cycle phases.
As shown in Figure 8.1, all decisions are interlinked with each other. IT strategy covers other
four decisions. IT architecture is designed for IT infrastructure and IT applications. IT
infrastructure is prepared for IT applications. IT investment & prioritization is made for IT
infrastructure and applications.
Each decision is related with one or more phases of project management life cycle but the
relation is not one to one rather a fusion exists among them (Pelt, 2009). However, IT
strategy is more related to initiating phase, IT architecture is more related to planning phase,
IT infrastructure is more related to executing phase, IT applications are more related to
monitoring & controlling phase and IT investment & prioritization is more related to closing
phase. Figure 8.1 maps each decision with most appropriate phase of project management life
cycle.
Page 185
170
Similarly, each phase is related to more than one focus areas. Initiating phase is more related
to strategic alignment and value delivery. Planning phase is more related to risk management
and resource management. Executing phase is more related to risk management, resource
management and performance measurement. Monitoring & controlling phase is more related
to performance measurement and value delivery. Closing phase is more related to value
delivery and strategic alignment. Figure 8.1 maps each phase with most appropriate focus
areas of IT governance.
Hence, each phase of the project management life cycle from start to end can be evaluated
against both IT governance and project management best practices to ensure that project
remains on track and delivers what promised. It is reasonable to believe that organizations
with good IT governance are also good in successful projects‟ implementation.
Therefore, IT governance exercised in the organization M at each phase of the project
management life cycle can be described based on Figure 8.1. The description of each of the
phases is as follows.
Initiating
In the organization M, IT projects are usually identified/selected by the Board of Directors
with consultation of the Planning and Development Department (P & D) based on their
relevance with provincial plans/vision, sectoral analysis, current situation and/or special
policy directives of the government. In some cases, national and international donor agencies
are also participated in the process of project identification. The project proposal is prepared
in the form of PC-I (Planning Commission-1) Proforma by the Director General (E-
Governance) and submitted to the P & D for appraisal. The P & D has developed its own
guidelines based on international best practices to conduct ex-ante evaluation. The Chairman
of the organization M is the member of the board of P & D and the Chairman of P & D is the
member of the board of the organization M. After the successful appraisal, the PC-I is
submitted to the PDWP (Provincial Development Working Party) for approval. After the
approval, the project is handed over to the organization M for implementation and funds are
released as per formal mechanism. The IT strategy is formulated by the Director General (IT)
with consultation of internal and external stakeholders. The organization has comprehensive
IT strategy document as an integral part of the organizational strategy which focuses on
implementing IT projects as part of an integrated approach rather than as silos. It also
emphasizes on top level ownership without which successful implementation of
Page 186
171
programs/projects is not possible. The strategic alignment (alignment of IT projects with
organizational objectives) is assured against the organizational strategy which is updated time
to time. The value delivery expected from an IT project is explicitly described in the Section
B of the PC-I form mostly in terms of non financial benefits.
Planning
The organization M follows project management methodology PMBOK which is supported
by the Chairman of the organization. Primavera P-V software is used for planning purpose.
After the approval by the competent forum, the project proposal turns into project charter.
Before the start of the project, stakeholders meetings are arranged. All the potential
stakeholders are invited and formal presentation is given to them about the project and its
purpose. Matters related to the client organization and its work processes, standardization and
integration, project architecture/design, and potential risks are discussed and finalized based
on the inputs from the stakeholders. Necessary resources for the project such as human,
financial and physical are discussed. Usually, the organization M is equipped with skilled
human resources. However, in case of lack of skilled human resources, the post is advertized
in the newspapers. In the team building process, the responsibility and communication mode
is identified. A detailed project plan is finalized based on the inputs from the technical staff
and stakeholders. Project activities are shaped and necessary resources are estimated. A
baseline plan is formulated against which the project progress is measured during successive
phases. The IT architecture/design is decided by the Director (Software Eng.) based on the
work processes of the client government department and their own guidelines for
standardization and integration. The risk management and resource management plans are
explicitly described in the Sections B & C respectively of the PC-I form.
Executing
The organization M is responsible for the execution of its IT projects. After the detailed
project plan is formulated, the tendering process starts. A bidding process is performed and
project is awarded based on quality and cost. International contractors can also participate in
the bidding process. To avoid the issue of inflation, the contracts are awarded on lump-sum
basis. Procurement activities are performed in line with the rules and guidelines of Public
Procurement Regulatory Authority (PPRA). Funds are released on quarterly basis by the P &
Page 187
172
D. Contractors submit weakly progress reports to the project director in a specified format.
Weekly meetings with the contractors are arranged to discuss and address issues encountered
during the course of the project execution. Other communication tools like email, telephone
and fax are also used to ensure smooth functioning of project activities. Weekly meetings
with contractors are arranged to discuss and address issues during the course of project.
The IT infrastructure is decided by the Joint Director (Infrastructure). It is developed by
contractors/vendors according to the project architecture/design and scope. During execution,
contractors/vendors provide, install and configure IT infrastructure such as LAN/WAN,
routers/switches, servers/computers, operating systems, databases, ERP systems and
accounting systems etc as per the architecture/design and scope of the project. The risk
management in terms of issues faced, resource management in terms of funds utilized and
performance measurement in terms of milestones achieved are conveyed in the form of PC-
III on monthly and quarterly basis to the P & D. The project evaluation during executing
phase is called interim evaluation.
Monitoring & Controlling
The organization M uses Primavera P-V software for monitoring & controlling. Earned Value
Analysis Technique (EVA) is used for this purpose. Basic EVA is performed to convey the
performance of the project to the higher level of decision makers. Contractors submit weekly
reports to the project director on the project performance in a prescribed format. Quarterly
meetings with stakeholders are arranged to review the performance of the project.
The IT applications are decided by the Joint Director (e-gov. applications) in the organization
M. The organization has in house development facility. When a project is near to complete,
IT applications (developed or purchased) are tested on the developed IT infrastructure in a
real business environment against key performance indicators (performance measurement)
and projected benefits (value delivery). These measures are communicated to the P & D in
the form of PC-III on quarterly basis. Any change request or issues faced by the client
government department are addressed accordingly.
Closing
When a project is completed; the organization M submits a close out report in the form of
PC-IV to the P & D. It is also required to submit a report in the form of PC-V for the next
Page 188
173
five years. The Directorate General Monitoring & Evaluation (DGME) of P & D is
responsible for terminal and ex-post evaluation. The DGME evaluates the report to review
the implementation process and achievement of results with main focus on efficiency,
effectiveness and sustainability. The purpose is to see whether the project has been
successfully completed and if so then to what extent. The report also suggests the
requirements of project follow up. A team of experts is constituted to evaluate the project in a
meeting held at DGME with roles and responsibilities based on the expertise in the domain of
the project i.e. IT, data collection & analysis and interpretation. The team physically visits the
sites, conducts interviews of the key stakeholders and makes expert observations. The
assessment tools and techniques used in the evaluation process are: PC-I & PC-IV reports;
assessment report by the sponsor; JICA‟s evaluation tool to judge as objectively as possible
the relevance and effectiveness at four levels: ex-ante, mid-term, terminal, and ex-post
evaluation; Program Assessment Tool (PART) designed by the US office of Management and
Budget and Federal agencies to evaluate the program‟s purpose, design, planning,
management, results and accountability to determine its overall effectiveness; and DGME
evaluation guidelines.
The IT investment & prioritization is made by the Director General (IT). However, it is
usually not made based on the lesson learned from the previous projects. The value delivery
is measured in terms of the proposed benefits provided in the project plan and impact on the
target groups. However, there is no mechanism to assess strategic alignment in the
organization after closing the project. The organization M should address these weak areas.
The decision-making structure of the organization M at the level of IT projects regarding key
IT governance decisions and decisions review is shown in Table 8.1. The Table 8.2 shows
how are IT governance focus areas addressed in the organization M.
Page 189
174
Table 8.1: Decision-making structure of the organization M
IT governance decisions Phases involved Decision-making and reviewing authority
IT strategy Initiating Decision made by Decision reviewed by
Director General (IT) Board of Directors
IT architecture Planning Decision made by Decision reviewed by
Director (Software
Eng.)
Director General (IT
Solutions)
IT infrastructure Executing Decision made by Decision reviewed by
Joint Director
(Infrastructure)
Director General (IT)
IT applications Monitoring &
controlling
Decision made by Decision reviewed by
Joint Director (e-gov.
applications)
Director General (e-
governance)
IT investment &
prioritization
Closing Decision made by Decision reviewed by
Director General (IT) Board of Directors
Table 8.2: How are IT governance focus areas addressed in the organization M
Phases involved Mechanism used Evaluation type
Strategic alignment Initiating IT strategy Nil
Closing Nil Nil
Value delivery Initialing PC-I Ex-ante
Monitoring &
Controlling
PC-III Interim
Closing PC-IV & V Terminal & Ex-post
Risk management Planning PC-I Ex-ante
Executing PC-III Interim
Resource management Planning PC-I Ex-ante
Executing PC-III Interim
Performance
measurement
Executing PC-III Interim
Monitoring &
controlling
PC-III Interim
Page 190
175
8.4 Relevancy of the Proposed IT Governance Framework with the
Organization M
This section describes the relevancy of the proposed framework‟s practices (basic building
blocks) with the organization M. Table 8.3 shows the relevancy of the proposed framework‟s
practices with the organization M.
Table 8.3: Relevancy of the proposed framework‟s practices with the organization M
The guiding practice Relevancy with the organization M
IT/business communication
and partnership
This practice is considered as the most important practice in the
organization M because most of its IT projects are executed in other
government departments where IT/business communication and
partnership is crucial for the success of these projects. The organization
is also involved in provision of IT training to business personnel of
other government departments in addition to its own employees.
Engagement of key
stakeholders
In the organization M, the key stakeholders are involved in IT
initiatives with clear roles and responsibilities. Service sector, planning
sector and consultant & contractors sector organizations are also
among these key stakeholders. When a project is started, the
organization arranges stakeholders meetings. All the key stakeholders
are invited and formal presentation is given to them about the project
and its purpose. Key stakeholders are engaged throughout the project
management life cycle in the organization.
IT leadership IT leadership of the organization M is highly capable and experienced
in managing strategic use of IT in public/private sector organizations. It
has articulated the vision of the organization as “to develop IT as a
major sphere of economic activity, and promote its use in the public
and private sectors to increase efficiency and competitiveness”. IT
leadership has played an important role for the success of the
organization and currently it is considered as best class organization in
the country. Most of its IT projects are declared successful by the
Directorate General of Monitoring and Evaluation (DGME) which is a
principle body for monitoring and evaluating public sector projects.
Most IT initiatives of the organization M have also been appreciated by
national and international dignitaries and forums. The organization has
won many international awards in this respect.
Page 191
176
Table 8.3 Continued…
The guiding practice Relevancy with the organization M
Senior management
involvement and support
The senior management of the organization M is actively involved in
strategic IT decision-making, resource prioritization and monitoring
processes. IT projects in the organization M are selected in the board of
directors‟ meeting with the consultation of P & D which is a principle
body for approving public sector projects. The chairman of the
organization M is a member of the board of P & D and the chairman of
P & D is a member of the board of the organization M.
Defined, aligned and
cascaded IT and business
strategies
The organization M has a comprehensive IT strategy document which
mainly focuses on implementing IT projects as part of an integrated
approach rather than as silos. It focuses on top level ownership without
which successful implementation of programs/projects is not possible.
It also focuses on basic IT infrastructure & applications and human
resource development due to lack of such resources in this
environment. IT strategy of the organization M is an integral part of
business strategy. It is communicated through web portal and senior
management announcements.
IT structure for
responsiveness and
accountability
The organization M has a consolidated structure. It has IT project
steering committees. However, it has no IT steering committee.
Policies and guidelines for
optimal acquisition and use
of IT
The organization M has a comprehensive policy and guidelines for cost
effective acquisition and use of IT. The organization uses project
management methodology PMBOK. After the detailed IT project plan
is formulated, the tendering process starts. A bidding process is
performed and project is awarded based on quality and cost.
International contractors can also participate in the bidding process.
Procurement activities are performed in line with the rules and
guidelines of Public Procurement Regulatory Authority (PPRA).
IT governance awareness
and training
Although, the organization M has institutionalized employees training
and career development path but it lacks on provision of IT governance
awareness and training to IT and business personnel for optimal use of
IT. Most of the training contents emphasize on IT and project
management knowledge & skills and job related activities. The
organization needs to harmonize these contents with IT governance
awareness and training for optimal use of IT.
Page 192
177
Table 8.3 Continued…
The guiding practice Relevancy with the organization M
Competitive IT
professionals
The organization M is equipped with skilled human resources and has
a central pool of competitive IT professionals. However, in case of
shortage of skilled IT professionals, the post is advertized in the
newspapers. The recruitment is made in a transparent and competitive
manner. Formal training mechanism for developing broad
competencies on IT and project management knowledge & skills is
present in the organization.
Standardized and managed
IT infrastructure and
applications
IT infrastructure and applications in PakPSOs are implemented by the
organization M. Contractors/vendors provide, install and configure IT
infrastructure & applications as per the architecture/design in the
project plan. When the project is about to complete, IT applications are
tested on the developed infrastructure in a real business environment to
determine the adequacy of the applications and infrastructure in
fulfilling the organizational needs. Monthly reports are submitted by
the client government department to the organization M on the issues
faced and any change request regarding the configuration of IT
applications and infrastructure.
Performance measures and
benchmarks
The organization M currently uses Key Performance Indicators (KPIs)
approach to evaluate the performance of IT strategy, operations and
major IT projects. As the major focus of the organization M is on
implementing IT projects in PakPSOs so, performance measures and
benchmarks to track and demonstrate success are mainly related to IT
projects & operations instead of IT and business strategy in
organizational context. However, the organization needs to improve
this area by extending this practice to organizational context.
8.5 Evaluation of the Framework
The framework was evaluated using the evaluation criteria described in section 3.3.4.1 of
chapter 3. The qualitative and quantitative response of the respondents was sought on six
criteria: 1) formal description to meet the need for no ambiguity, 2) definable activities
through understandability of the framework, 3) completeness of the framework to ensure no
additional activities are needed, 4) activities to be capable of implementation, 5) usability via
Page 193
178
measuring ease of use, and 6) fit by measuring the usefulness of the framework in the
organization. The said criteria are considered to be useful to measure the effectiveness of the
framework (Nfuka & Rusu, 2013).
8.5.1 Respondents’ Profile in the Case Study
A total of 27 respondents participated in the interview process. The respondents‟ profile in
the case study for evaluating the proposed framework is shown in Table 8.4. Table 8.4 shows
that 20 respondents participated from IT management side and seven participated from
business management side. The representation of the respondents was also from three levels
of hierarchy: top management, middle management, and operational management. Seven
respondents represented top management, 11 represented middle management and nine
represented operational management. The representation of the respondents from different
groups and hierarchy levels provides triangulation which is considered imperative to reduce
bias for credible results.
Table 8.4: Respondents‟ profile in case study for evaluating the framework
Top management Middle management Operational management
IT management Director General – 2
Joint Directors – 3
Program Managers – 8 Program Officers – 4
Project Coordinator - 1
Database Administrator - 1
Software Eng. – 1
Business management Director/Joint
Director – 2
Assistant Director – 2
Audit Officer – 1
HR Officer/Coordinator- 2
8.5.2 Results of Qualitative Response
Qualitative response was sought through the interviews. The interview responses were
analyzed using content analysis and summarized suggestions were incorporated into the
proposed framework. Table 8.5 shows the summarized interview response and resultant
improvements in the proposed framework.
Page 194
179
Table 8.5: The summary of interview response on evaluation criteria and resultant improvements into the framework
Evaluation criteria Summarized interview response Resultant improvements into the framework
Formal description Majority of the respondents declared the framework description nice. However, some
argued that the framework layout should be changed to make it simpler. They
suggested that the framework layout should be changed from grid form to circular
form just like many other frameworks in the relevant literature.
The framework layout has been changed from grid form to
circular form.
Understandability Majority of the respondents agreed that the framework is understandable. However,
some indicated that guidelines should be provided for the use of the framework.
Guidelines for the use of the framework have been incorporated
as shown in Figure 9.2 of chapter 9.
Completeness of
the framework
Majority of the respondents agreed that the framework is complete by all means. The
guiding practices, activities, roles and IT resources are appropriate for the study
environment. However, some emphasized that the framework should be subjected to
continuous improvement.
The framework has been made subject to continuous
improvement as indicated in Figure 9.2 of chapter 9.
Ease of use of the
framework
Many respondents said that the framework is easy to use. However, some especially
from business side highlighted the need to make it more user-friendly.
The framework has been made user-friendly by taking all
possible measures as indicated above.
Usefulness of the
framework
Most of the respondents declared the framework very useful because it provides high
level tool for implementing, monitoring and evaluating IT governance initiatives in
PakPSOs.
The framework proved to be useful for claimed objective but
further motivation is required for its use in PakPSOs.
Implementable
actions
Most of the respondents agreed that the framework is implementable. However, a few
expressed their concerns regarding related knowledge, skills & competencies,
management support, commitment of IT and business personnel and lack of IT
facilities in some of the PakPSOs to implement it.
These concerns have been addressed through the practices and
activities such as
Competitive IT professionals & IT governance awareness &
training
Senior management involvement and support.
IT/business communication and partnership.
Benchmark and provide effective & efficient IT facilities in
and across organizations.
Page 195
180
8.5.3 Results of Quantitative Response
The quantitative response was also sought on a five point Likert scale ranging from 1
(strongly disagree) and 5 (strongly agree). The mean score of the respondents against each
evaluation criteria is shown in Figure 8.2. The results show that the mean score is highest for
usefulness followed by formal description and understandability. The mean score is also
higher for implementable action. However, the mean score is relatively lower on ease of use.
This shows that the framework well satisfies five criteria of effectiveness out of six.
However, its ease of use in the study environment is not as feasible as other criteria.
Figure 8.2: Quantitative response on evaluation criteria
8.5.4 Quantitative Response on Implementation Aspects
Additionally, quantitative response was solicited on implementation aspects especially on
generality, complexity, required skills, ease of implementation, perceived cost of
implementation and applicability to public sector. The results are shown in Figure 8.3. The
results show that the mean score is higher for applicability to public sector followed by ease
of implementation. Moreover, the mean score is lower for perceived cost of implementation
Page 196
181
followed by complexity and required skills. This shows that the proposed framework is
highly applicable to public sector with low perceived cost of implementation.
Figure 8.3: Quantitative response on implementation aspects
8.5.5 Accomplishment of the Seven Guidelines of Design Science Research
The proposed framework also satisfies the seven design science research guidelines
suggested by Hevner et al. (2004).
Guideline 1: Design as an artifact
This guideline has been followed by developing a method in the form of a framework to
facilitate effective IT governance implementation in PakPSOs. With this artifact, business/IT
management personnel could be able to recognize their roles and plan, apply and continually
improve IT governance implementation in their environment.
Page 197
182
Guideline 2: Problem relevance
This guideline has implemented by carefully identifying the research problem i.e. IT
governance in PakPSOs is ineffective and providing a technology-based solution of this
problem in the form of a framework.
Guideline 3: Design evaluation
This guideline has been regarded by evaluating the framework in a case study organization.
This evaluation results indicated that the framework is relevant, valuable and usable thus it
could facilitate effective IT governance implementation in PakPSOs.
Guideline 4: Research contribution
This guideline has been adopted by providing the research contributions of this study.
Contributions of this research to practice and theory are given in chapter 9.
Guideline 5: Research rigor
This guideline has been satisfied by applying various research methods and data collection
and analysis techniques. This has also applied to the literature review to gain theoretical
insights and the interaction with the business environment for solution requirements.
Guideline 6: Design as a research process
This guideline has been fulfilled by using available means while satisfying applicable laws
such as getting credentials to the study cases. Three iterations and the respective methods,
empirical sources and data collection and analysis approaches have been applied
systematically during the research process.
Page 198
183
Guideline 7: Communication of research
This guideline has been fulfilled by publishing the results of this research study in reputable
international journals. Three research papers have been published and currently are online
and one more has been submitted.
8.6 The Second Version of the Framework
The second version of the proposed framework after incorporating the resultant
improvements suggested by the interviewees is shown in Figure 8.4. The associated set of
activities, roles and IT resources to implement the practices are shown in Table 8.6.
Page 199
184
Figure 8.4: Second version of the Framework
Page 200
185
Table 8.6: Activities for practices with roles and IT resources
Guiding practice Activities R* S
**
1. IT/business
communication and
partnership
1.1 Formalize viable IT/business communication and partnership practice BT IN
1.2 Convince IT/business management on IT/business partnership EH PP
1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives EH IN
1.4 Train/involve business personnel in IT initiatives and IT personnel in business imperatives BH IN
2. Engagement of key
stakeholders
2.1 Identify key stakeholders and establish appropriate roles & responsibilities BH PP
2.2 Involve key stakeholders in IT/business plans preparation and implementation EH PP
2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives EH IN
2.4 Analyze and report the potential contribution of key stakeholders BT IN
2.5 Formalize virtual connection between IT and business practices and communities EH IN
3. IT leadership 3.1 Establish clear and top level mandate to lead IT transformation program EH PP
3.2 Encourage IT leadership on business imperatives and viable IT intervention EH PP
3.3 Convince business management on IT potential and contribution ITH PP
3.4 Develop focused IT leadership competencies EH PP
3.5 Develop confidence of senior management in IT leadership ITH PP
4. Senior management
involvement and support
4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes EH PP
4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor ITH IN
4.3 Convince senior management to delegate viable negotiating authority ITH PP
4.4 Convince senior management to provide required resources for IT/business success ITH PP
4.5 Motivate senior management to use IT actively ITH PP
5. Defined, aligned and
cascaded IT and business
strategies
5.1 Involve IT/business personnel in strategic IT/business planning EH PP
5.2 Define and align IT goals with business goals ITH IN
5.3 Establish business aligned IT strategy, resources and operations ITH IN
5.4 Prioritize and align IT projects with business goals and imperatives BT AP
5.5 Incorporate IT effectively into required public sector reforms BT AP
5.6 Cascade IT strategy down to all levels of organization EH IN
6. IT Structures for
responsiveness and
accountability
6.1 Establish clear and appropriate IT roles and responsibilities BH PP
6.2 Establish the role of CIO or IT head to report directly to the executive head EH PP
6.3 Establish IT steering committee with balanced representation of IT/business executives EH PP
6.4 Establish IT project steering committee to prioritize and manage IT projects BH PP
6.5 Ensure shared understanding and active participation of committees EH PP
*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 201
186
Table 8.6 Continued…
Guiding practice Activities R* S
**
7. Policies and guidelines
for optimal acquisition
and use of IT
7.1 Establish transparent IT/business budget control and reporting RH IN
7.2 Ensure optimized IT investment, procurement and operational cost ITH IF
7.3 Ensure effective & efficient use of IT infrastructure & applications ITH IF
7.4 Formalize policies & guidelines for IT value creation and preservation ITH IF
7.5 Determine and implement required change management BH PP
7.6 Cascade and enforce IT policies & guidelines at all levels EH IN
8. IT governance
awareness and training
8.1 Determine state and drivers of IT governance practices ITH PP
8.2 Determine and implement best practices for mindset change ITH PP
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel ITH PP
8.4 Ensure compliance among employees through top management announcements EH PP
9. Competitive IT
professionals
9.1 Attract, develop and retain skilled IT personnel for IT/business success BH PP
9.2 Develop broad IT competencies to manage IT resources ITH PP
9.3 Establish and motivate aligned IT/business innovation and practices ITH IN
9.4 Treat skilled IT professionals as working capital BH PP
10. Standardized and
managed IT infrastructure
and applications
10.1 Standardize, share and manage IT infrastructure & applications cost-effectively ITT IF
10.2 Define and manage SLAs effectively ITH IF
10.3 Benchmark and provide effective & efficient IT facilities in and across organizations ITH AP
10.4 Establish aligned research activities for innovative IT services ITH IN
11. Performance
measures and benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT ITH IN
11.2 Establish effective performance management strategy BT IN
11.3 Set and monitor IT/business oriented performance measures BT IN
11.4 Evaluate and demonstrate business value proposition of IT ITH IN
11.5 Assess IT governance performance and continually improve ITH IN
*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 202
187
8.7 Discussion and Conclusion
The results presented in this chapter deals with the evaluation phase of the proposed
framework. The first version of the proposed framework has been evaluated in one of the
PakPSOs as a case study using design science research approach. The purpose was to
evaluate the framework in a real business setting. The quantitative and qualitative responses
have gathered from the case study organization against the pre-test evaluation criteria. The
results indicated that framework is useful for the study environment. However, qualitative
response also suggested some improvements into the first version of the framework.
Consequently, these improvements have incorporated into the framework resulting into the
second version of the framework. The second version of the framework is the final version of
this study. However, further iterations and improvements could be introduced in the second
version in future because a framework is always subject to continuous improvement.
Using design science elements and comprising effective IT governance practices and
corresponding activities, roles and kind of IT resources, the framework demonstrates a
comprehensive view of IT governance. Both IT and business management personnel in
PakPSOs are the intended users of the proposed framework. The proposed framework could
enable effective IT governance implementation in PakPSOs which lead to augment IT
outcomes and ultimately improve public service delivery in this environment. This helped to
partially achieve the fourth objective of this study i.e. RQ4: “To develop and evaluate a
framework for effective IT governance implementation in PakPSOs”. The evaluation of the
framework has been covered in this chapter whereas the development of the framework has
been covered in chapter 7.
8.8 Chapter Summary
In this chapter, the results of the evaluation phase of the proposed framework with discussion
and conclusion have been provided in detail. The summary of important points of this chapter
is as under:
The proposed framework has evaluated in one of the PakPSOs as a case study using
design science research approach against the pre-set evaluation criterion.
The quantitative response indicated that the framework is useful.
Page 203
188
The qualitative response suggested minor improvements in the framework.
Consequently, these improvements have incorporated into the framework resulting
into the second version.
The framework is well-harmonized with the working processes of the case study
organization.
The framework also satisfies the seven guidelines of the design science research.
IT and business management personnel in PakPSOs can use this framework to
recognize their roles and to plan, apply and continually improve IT governance
implementation in their environment.
Page 204
189
9 Conclusions, Contributions, Limitations and Recommendations
9.1 Chapter Objectives
This chapter provides the conclusions, contributions, limitations and recommendations of this
study. It begins with the summary of the study. In the third section, the proposed IT
governance implementation framework is described along with its key components. The
fourth section compares the proposed framework with other frameworks in relevant literature
and points out how it is different and better than the other frameworks. The fifth section
provides the contributions of this study. The limitations and recommendations are given in
the last section.
9.2 Summary of the Study
This research study has attempted to propose a framework to solve the problem of IT
governance ineffectiveness in PakPSOs. The aims of the study are to determine and analyze
the existing state of IT governance and to develop and evaluate a framework for effective IT
governance implementation in PakPSOs. The objective is to augment the IT outcomes i.e.
desirable behavior in PakPSOs. The research journey of this study has been completed into
four phases after investigating the four research questions and achieving their four linked
sub-objectives. The linkage of research problem, questions and objective is shown in Figure
1.1 of Chapter 1.
In research phase 1, the study has determined and analyzed the existing state of IT
governance in the selected six PakPSOs in terms of maturity based on 15 most important and
relevant IT processes of COBIT framework and compared it with a developed country
(Australia), a developing country (Tanzania) and the international public sector benchmark
for learning, benchmarking and embracing best practices. The findings indicate that the
average IT governance maturity of the studied PakPSOs is 2.24. The bottom side is at
maturity level 1 (Initial/Ad-Hoc) which represents that PakPSOs recognize the existence of
issues which need to be solved. However, the issues are not solved through standardized
processes but through ad-hoc approaches which are adopted on individual or case-by-case
Page 205
190
basis. The top side is at maturity level 2 (Repeatable but Intuitive) (with the exception of data
management) which represents that processes are built-up to the extent where different
people while executing same tasks pursue similar procedures. It reveals the absence of formal
training and communications of standard procedures in PakPSOs. A great dependence is on
individuals‟ knowledge. Therefore, errors are expected to be occurred. The findings also
indicated that PakPSOs are relatively better in managing data, IT investment, IT projects and
defining strategic IT plans but poorer in communicating management aims and directions,
assessing and managing IT risks, monitoring and evaluating IT governance, acquiring and
maintaining application software and managing changes. When PakPSOs compared with
other countries, the findings indicated that PakPSOs performed poorer than the developed
country (Australia) and the international public sector benchmark. However, PakPSOs
performed better than the developing country (Tanzania). This benchmark and other findings
of this research phase could be useful for public managers in PakPSOs and similar
environment to identify and improve weak areas and ultimately improve and sustain public
service delivery. However, the purpose of this research phase is to have an idea and
understanding of IT governance implementation status in PakPSOs, previously unidentified.
This is crucial to understand the context of PakPSOs to conduct further research activities in
this area. However, the results and findings of this phase are not used in the proposed IT
governance implementation framework development and/or evaluation process which is
actually the subject of the subsequent phases. The research phase 1 answered the first
research question of this study and achieved its linked objective.
In research phase 2, the study has identified and analyzed the relevant IT governance
practices in PakPSOs in terms of CSFs through systematic literature review complemented
with multi-case study approach in the selected eight PakPSOs. The findings indicate that 12
IT governance practices are founded to be relevant for PakPSOs. The identified practices are
then logically harmonized into five focus areas of IT governance ITGI (2007) and three
perspectives of IT-business alignment (Schlosser et al., 2012) to provide a holistic view of IT
governance. Public managers in PakPSOs and similar environment can use the findings of
this research phase to identify limited areas where focus can be given for success. The
research phase 2 answered the second research question of this study and achieved its linked
objective.
In research phase 3, the statistical effect of the identified practices of research phase 2 are
then tested and analyzed on IT outcomes in PakPSOs by taking sample data from 104
personnel in PakPSOs and applying PLS-based SEM. The findings indicate that 11 IT
Page 206
191
governance practices out of 12 showed small to moderate positive significant effect on one or
more IT outcomes. The practice “IT/business communication and partnership” found to be
the most effective whereas the practice, “IT structures for responsiveness and
accountability” proved to be the least effective. Due to the relative importance of these
practices, the public managers in PakPSOs and similar environment can use the findings of
this research phase to prioritize limited resources to improve their IT related plans and
ultimately improve and sustain public service delivery. The purpose of this phase is to
validate the list of the practices for the basic building blocks of the proposed framework. The
research phase 3 answered the third research question of this study and achieved its linked
objective.
In research phase 4, the proposed IT governance implementation framework was developed
and evaluated based on the validated set of practices of research phase 3.The framework was
developed and evaluated using design science research approach. The detail of the framework
is given in the next section. The research phase 4 answered the fourth research question of
this study and achieved its linked objective as well as the main objective of the study.
9.3 The Framework
In this section, the proposed framework with its elements is described in detail.
9.3.1 Background
This study has investigated IT governance in the PSOs of a developing country with
relatively low human development, limited IT resources, inadequate related knowledge &
competencies and underlying cultural constraints and proposed a framework for effective IT
governance implementation in this environment i.e. PakPSOs. The framework has been
developed and evaluated using design science research approach. The design science research
approach is selected due to its association with behavioral science (Peffers et al., 2008). The
design science research is used to develop and evaluate IT artifacts to solve known problems
in organizations (Hevner et al., 2004). An IT artifact can be a construct, model, instantiation
or method (Hevner et al., 2004). The researcher has selected method in the form of
framework because a framework is an interconnected outline of specific elements that adopts
a meticulous approach to attain a desired objective and is used as a guide which can be
Page 207
192
modified by adding and deleting elements when required (Business Dictionary, 2010).
According to design science research approach, a framework is iteratively built in two phases
(Hevner et al., 2004): develop and evaluate. In iterations 1 & 2, the framework has been
developed whereas in iteration 3, the framework evaluated. The results indicate that the
framework is useful and fulfils its claimed objectives.
The proposed IT governance implementation framework consists of the practices in terms of
CSFs, activities (check points) to implement these practices, suitable roles and appropriate IT
resources to execute the activities, the organizational strategies & policies, structures &
systems, objectives & goals and the environment in which it ought to be implemented. As
compared to the other frameworks from the relevant literature, the proposed framework
covers not only the five focus areas of IT governance i.e. strategic alignment, value delivery,
risk management, resource management and performance measurement but also the three
perspectives of IT-business alignment i.e. human, social and intellectual perspectives. Both
IT and business personnel in PakPSOs are the intended users of the framework. They can use
this framework to identify their role for planning, implementing and continuously improving
IT governance in their environment i.e. PakPSOs.
9.3.2 Elements of the Framework
The proposed framework consists of the following elements:
Environment
Organization
IT governance focus areas and IT-business alignment perspectives
Guiding practices
Activities, roles and IT resources
9.3.2.1 Environment
The first element of the proposed framework is the environment. The environment is
accounted as an important element of the framework because IT governance implementation
depends on the context of the organizations and their geographical situation (Ribbers et al.,
2002). As the matter for the current study, the researcher operationalised the environment as
national level IT-related strategies & policies (Digital Pakistan Policy, 2017 and National IT
Page 208
193
Policy and Action Plan, 2001), E-government strategies, policies, regulation & infrastructure
(E-government Strategy and Five Years Plan for Federal Government, 2005, E-government
strategy, 2012, E-government strategy, 2015) and IT governance standards and best practices
(COBIT, ITIL, ISO/IEC 38500 etc.) implemented to some extent in some of the PakPSOs.
9.3.2.2 Organization
The second element of the proposed framework is the organization in which it is evaluated.
Although things may vary based on the type and nature of the organization and especially the
services that it provides to the public but the framework is generally supposed to be aligned
and interacted with its policies & strategies, goals, structures & systems for sustainable
success. Therefore, as the matter of current study, the researcher operationalised the
organization as organizational policies & strategies, goals and structures & systems.
9.3.2.3 IT Governance Focus Areas and IT-business Alignment Perspectives
ITGI (2007) proposed five focus areas of IT governance i.e. strategic alignment, value
delivery, risk management, resource management and performance measurement. Similarly,
Schlosser et al. (2012) proposed three perspectives of IT-business alignment i.e. human,
social and intellectual perspectives. Here is a brief description of each of the focus areas and
IT-business alignment perspectives and their related guiding practices in the context of
PakPSOs.
IT Governance Focus areas and related Guiding Practices
Strategic alignment- It is synonymous to IT strategy (ITGI, 2005). Strategic alignment
ensures that IT strategy is aligned with organizational strategy, IT delivers against the
strategy and IT investments are made in line with organizational objectives. It also ensures
strategic match of IT investments or projects with organizational objectives. The main focus
of strategic alignment is on linking the organizational and IT strategy with services and
projects. In the perspective of a developing country, PakPSOs have many concerns in this
focus area. The practices to address these concerns include IT/business communication and
partnership, engagement of key stakeholders, IT leadership, senior management involvement
Page 209
194
and support, defined, aligned and cascaded IT and business strategies and IT structures for
accountability and responsiveness.
Value delivery and risk management- It ensures IT investment for significant return and
adequate benefits from IT services. It also ensures the completeness, quality and security of
IT services and IT plans proceed on schedule. The main focus of value delivery is on
optimizing costs and generating value of IT throughout the delivery cycle. Risk management
involves analyzing and assessing IT risks, monitoring efficiency of internal controls and
implementing necessary mechanisms to minimize risks. It also deals with procedures to
ensure the transparency about the significant risks to the organization and proactive risk
management approach to create competitive advantage. It ensures information security
against various threats. It insists on embedding risk management in the operation of the
organization. The main focus of risk management is on embedding accountability to mitigate
significant risks. PakPSOs have several concerns in these focus areas. The practices to
address these concerns include policies, guidelines and processes to create and preserve IT
value for cost-effective acquisition and use of IT across the organization.
Resource management- It involves high level direction for sourcing and management of IT
resources. In the perspective of IT governance, resource management focuses on allocating
and optimizing IT resources in association with organizational priorities. The major focus of
resource management is on optimizing knowledge and infrastructure. PakPSOs have many
concerns in this focus area. The practices to address these concerns include IT governance
awareness and training, attracting, developing and retaining competitive IT professionals and
standardized IT and managed IT infrastructure and applications.
Performance measurement- It is related to determine whether the IT organization have
achieved the goals set by the top management. It deals with tracking and monitoring the
implementation of IT strategies & policies and IT projects. It also involves the performance
of processes, resources and service delivery. The major focus of performance measurement is
on measuring IT performance through metrics. PakPSOs have many concerns in this focus
area. The practices to address these concerns include tracking and demonstrating IT success
and contribution to the business.
IT-business Alignment Perspectives and related Guiding Practices
Human Perspective- It deals with the characteristics of individuals such as knowledge, skills,
leadership and attitude (Schlosser et al., 2012). PakPSOs have many concerns in this
Page 210
195
perspective. The practices to address these concerns include IT leadership, senior
management involvement and support, IT governance awareness and training and
competitive IT professionals. By focusing on these concerns and implementing related
activities, PakPSOs can exploit and enhance human competencies and capabilities in their
environment which are crucial for IT governance implementation success.
Social Perspective - It deals with relational, informal and cultural aspects (Schlosser et al.,
2012). PakPSOs have many concerns in this perspective. The practices to address these
concerns include IT/business communication and partnership and engagement of key
stakeholders. By emphasizing on these concerns and implementing related activities,
PakPSOs can address and develop relational, informal and cultural constraints in their
environment which are paramount for IT governance implementation success.
Intellectual Perspective - It deals with the end products and deliverables resulting from the
work of individual and group of people (Schlosser et al., 2012). PakPSOs have many
concerns in this perspective. The practices to address these concerns include defined, aligned
and cascaded IT and business strategies, IT structures for responsiveness and accountability,
policies and guidelines for cost effective acquisition and use of IT, standardized and managed
IT infrastructure and applications and performance measures and bench marks. By
concentrating on these practices and implementing related activities, PakPSOs can utilize and
improve intellectual capabilities and potential in their environment regarding structures,
processes, knowledge management and core competencies etc.
9.3.2.4 Guiding Practices
The framework consists of 11 guiding practices. The description of each practice is given as
follows.
Practice 1: IT/business Communication and Partnership
This practice deals with the strategic alignment focus area of IT governance and social
perspective of IT-business alignment. This practice can be implemented through four
activities i.e. 1.1 “Formalize viable IT/business communication and partnership practice”, 1.2
“Convince IT/business management on IT/business partnership”, 1.3 “Develop shared
understanding among IT/business personnel on IT/business goals and imperatives”, and 1.4
Page 211
196
“Train/involve business personnel in IT initiatives and IT personnel in business imperatives”.
The activity 1.1 is a more effective way to implement IT governance such as formal meetings
between IT and business personnel and job-rotation i.e. involving IT people into business
tasks and business people into IT tasks. The activity 1.2 can be implemented through the
viable intervention of the senior management and job co-location i.e. physically sitting IT and
business people close to each other. The activity 1.3 can be implemented by arranging formal
and informal meetings among IT and business personnel and related workshops on achieving
business objectives. The activity 1.4 can be implemented through cross training i.e. IT
training of business personnel and business training of IT personnel.
Practice 2: Engagement of Key Stakeholders
This practice also deals with the strategic alignment focus area of IT governance and social
perspective of IT-business alignment. This practice can be implemented through five
activities i.e. 2.1 “Identify key stakeholders and establish appropriate roles &
responsibilities”, 2.2 “Involve key stakeholders in IT/business plans preparation and
implementation”, 2.3 “Create shared understanding among key stakeholders on shared
IT/business goals and imperatives”, 2.4 “Analyze and report the potential contribution of key
stakeholders” and 2.5 “Formalize virtual connection between IT and business practices and
communities”. The activity 2.1 can be implemented by performing a stakeholders‟ analysis
with respect to their roles & responsibilities and needs & demands. This is also in accordance
with stakeholder theory (Freeman, 1994) which emphasizes the need of engaging inside and
outside stakeholders. The activity 2.5 can be implemented by getting public feedback
including citizens, business and employees‟ feedback through website, email and/or emerging
trend of social media.
Practice 3: IT Leadership
This practice deals with the strategic alignment focus area of IT governance and human
perspective of IT-business alignment. This practice can be implemented through five
activities i.e. 3.1 “Establish clear and top level mandate to lead IT transformation program”,
3.2 “Encourage IT leadership on business imperatives and viable IT intervention”. 3.3
“Convince business management on IT potential and contribution”, 3.4 “Develop focused IT
leadership competencies” and 3.5 “Develop confidence of senior management in IT
Page 212
197
leadership”. As the competency is a mixture of knowledge, skills and behaviors for enabling
an individual to perform effectively in a job or circumstance (Kraiger et al., 1993), therefore,
IT leadership competency must involve both IT and business competencies. These
competencies are also required for awareness of IT potential and contribution from existing
usage and new opportunities (Nfuka & Rusu, 2013). The activity 3.1 is more crucial and can
be implemented by granting viable authority and control to IT leadership.
Practice 4: Senior Management Involvement and Support
This practice also deals with the strategic alignment focus area of IT governance and human
perspective of IT-business alignment. This practice can be implemented through five
activities i.e. 4.1 “Establish senior management role in strategic IT decision-making, resource
prioritization and monitoring processes”, 4.2 “Demonstrate viable business value proposition
of IT to get support of senior management, politicians and sponsor”, 4.3 “Convince senior
management to delegate viable negotiating authority”, 4.4 “Convince senior management to
provide required resources for IT/business success” and 4.5 “Motivate senior management to
use IT actively”. The activity 4.1 can be implemented by incorporating five key IT
governance decisions suggested by Weill and Ross (2004) including IT investment and
prioritization. The activity 4.2 is mainly related to public service delivery improvement and
cost reduction due to the non-profit nature of the public sector. However, in some PakPSOs,
activity 4.2 is also related to revenue generation.
Practice 5: Defined, Aligned and Cascaded IT and Business Strategies
This practice deals with the strategic alignment focus area of IT governance and intellectual
perspective of IT-business alignment. This practice can be implemented through six activities
i.e. 5.1 “Involve IT/business personnel in strategic IT/business planning”, 5.2 “Define and
align IT goals with business goals”, 5.3 “Establish business aligned IT strategy, resources and
operations”, 5.4 “Prioritize and align IT projects with business goals and imperatives”, 5.5
“Incorporate IT effectively into required public sector reforms”, and 5.6 “Cascade IT strategy
down to all levels of organization”. The activity 5.2 can be materialized through the use of
existing IT and business goals cascading map of COBIT (ITGI, 2007). The activity 5.6 can be
implemented through the use of web portals and senior management announcements. Senior
Page 213
198
management announcements usually receive a great deal of attention throughout the
organization.
Practice 6: IT Structures for Responsiveness and Accountability
This practice also deals with the strategic alignment focus area of IT governance and
intellectual perspective of IT-business alignment. This practice can be implemented through
five activities i.e. 6.1 “Establish clear and appropriate IT roles and responsibilities”, 6.2
“Establish the role of CIO or IT head to report directly to the executive head”, 6.3 “Establish
IT steering committee with balanced representation of IT/business executives”, 6.4 “Establish
IT project steering committee to prioritize and manage IT projects” and 6.5 “Ensure shared
understanding and active participation of committees”. The activity 6.3 can be materialized
by involving both IT and business personnel in IT steering committee. IT steering committee
should be chaired by the executive head. Similarly, for activity 6.4, IT project committee
should be chaired by the relevant business head. This results in responsive and accountable
IT structures to promote IT enabled business applications‟ acceptance and sustainability.
Practice 7: Policies and Guidelines for Optimal Acquisition and Use of IT
This practice deals with the value delivery and risk management focus areas of IT governance
and intellectual perspective of IT-business alignment. This practice can be implemented
through six activities i.e. 7.1 “Establish transparent IT/business budget control and
reporting”, 7.2 “Ensure optimized IT investment, procurement and operational cost”, 7.3
“Ensure effective & efficient use of IT infrastructure & applications”, 7.4 “Formalize policies
& guidelines for IT value creation and preservation”, 7.5 “Determine and implement required
change management”, and 7.6 “Cascade and enforce IT policies & guidelines at all levels”.
The activity 7.2 can be materialized by paying special attention to optimize procurement and
acquisition in line with PPRA rules and sharing IT resources effectively. The activity 7.4 can
be implemented by concentrating not only on value creation but also preservation i.e.
embedding accountability to mitigate risks.
Page 214
199
Practice 8: IT Governance Awareness and Training
This practice deals with the resource management focus areas of IT governance and human
perspective of IT-business alignment. This practice can be implemented through four
activities i.e. 8.1 “Determine state and drivers of IT governance practices”, 8.2 “Determine
and implement best practices for mindset change”, 8.3 “Adopt and undertake IT governance
awareness and training for IT/business personnel” and 8.4 “Ensure compliance among
employees through top management announcements”. Due to existing state of IT governance
in PakPSOs, the activity 8.1 provides more focused awareness and training. Hence, it
provides more contribution for improving IT governance in this environment. The activity 8.2
is more critical in a bureaucratic environment. The same can be implemented by
demonstrating IT contribution especially to business personnel.
Practice 9: Competitive IT Professionals
This practice also deals with the resource management focus areas of IT governance and
human perspective of IT-business alignment. This practice can be implemented through four
activities i.e. 9.1 “Attract, develop and retain skilled IT personnel for IT/business success”,
9.2 “Develop broad IT competencies to manage IT resources”, 9.3 “Establish and motivate
aligned IT/business innovation and practices”, and 9.4 “Treat skilled IT professionals as
working capital”. The activity 9.1 can be implemented by providing competitive market-
based salaries and other incentives to IT professionals. The activity 9.2 can be materialized
through successful IT business strategies considering both IT and business related
competencies.
Practice 10: Standardized and Managed IT Infrastructure and Applications
This practice deals with the resource management focus areas of IT governance and
intellectual perspective of IT-business alignment. This practice can be implemented through
four activities i.e. 10.1 “Standardize, share and manage IT infrastructure & applications cost-
effectively”, 10.2 “Define and manage SLAs effectively”, 10.3 “Benchmark and provide
effective & efficient services in and across organizations” and 10.4 “Establish aligned
research activities for innovative IT services”. The activity 10.1 is crucial due to the
expanding IT infrastructure and increased number of IT applications in PakPSOs. The same
Page 215
200
should be implemented by establishing cloud computing opportunity for PakPSOs. The
activity 10.3 can be implemented using innovative web and/or mobile-based applications due
to the escalating use of Internet and mobile throughout the country.
Practice 11: Performance Measures and Benchmarks
This practice deals with the performance measurement focus areas of IT governance and
intellectual perspective of IT-business alignment. This practice can be implemented through
five activities i.e. 11.1 “Perform adequate analysis and evaluation of current and future use of
IT”, 11.2 “Establish effective performance management strategy”, 11.3 “Set and monitor
IT/business oriented performance measures”, 11.4 “Evaluate and demonstrate business value
proposition of IT”, and 11.5 “Assess IT governance performance and continually improve”.
The activity 11.1 can be materialized by performing requirement/need analysis and setting
targets. The activity 11.3 can be materialized through the use of BSC that measures
performance beyond the conventional accounting measures and focuses on four perspectives:
corporate contribution, customer, internal processes and skills & innovation. The BSC
approach is more suitable for PSOs due to the “best” value nature of public sector instead of
“profit” nature. The activity 11.4 can be applied in the perspective of cost reduction and
public service delivery improvement and activity 11.5 can be materialized through the use of
Weill and Ross (2004) method that measures IT governance using four items or KPIs of
strategic IT projects.
9.3.2.5 The Activities, Roles and IT Resources
The practices provide only the high level view of IT governance. These provide no guidance
on how to implement the relevant actions to meet the claimed objective of the framework. In
order to ensure the relevant actions to be implemented, activities (checkpoints) have been
introduced in the proposed framework. Each practice is implemented through a set of
activities. There are 53 activities for 11 guiding practices (four to six activities for each
practice). Each activity is executed by a suitable role and used appropriate IT resource. There
are six roles and four types of IT resources. Roles include Executive Head (EH), Business
Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)
and IT resources include Applications (AP), Information (IN), Infrastructure (IF), People
Page 216
201
(PP). The proposed framework provides a suitable role to perform each activity and IT
resources to execute each activity.
9.4 Implementation Considerations
This section provides the guidelines to use the framework i.e. where to start and end up? A
supplementary survey was conducted in iteration 2 during the development phase. The
respondents were requested to rank 11 guiding practices with respect to their implementation
order based on the state and application of IT governance in their respective organizations.
The results suggested that “IT leadership” should be implemented first and “performance
measures and benchmarks” to be at last. The results are shown in Figure 9.1. Some guiding
practices were ranked equally. In conclusion, the process resulted in six steps as priority
consideration in using the framework.
These steps are as under:
1. Demonstrate IT leadership
2. Establish IT structures
3. Define, align and cascade IT and business strategies
4. Establish policies and guidelines for optimal IT acquisition and use of IT
5. Standardize and manage IT infrastructure and applications
6. Develop benchmarks, measure and monitor performance and ensure continuous
improvement.
These steps were also supported by the qualitative responses. For instance, first step was
supported due to need of IT leadership in bureaucratic environment in PakPSOs. The six
steps were also made part of the evaluation process in iteration 3 in which the respondents
generally confirmed them as being the right priority steps in implementation. The six step
process for priority consideration in using the framework is shown in Figure 9.2.
Page 217
202
Figure 9.1: Ranked guiding IT governance practices (1st and last)
Fre
quen
cy
1st Last 11
th
Page 218
203
Figure 9.2: Priority consideration in using the framework
Page 219
204
9.5 Comparison of the Proposed IT Governance Framework with Generic
Frameworks
Table 9.1 shows the comparison of the proposed framework with the other frameworks in the
relevant literature. The comparison is made on implementation aspects. The comparison
shows that the proposed framework is a better choice among the others especially in the
aspects of generality which is low, complexity which is low, required skills for implementing
the framework which are low, ease of implementation which is high, perceived cost of
implementation which is low, focus on CSFs which is high and applicability to public sector
which is high. This shows that the proposed framework is a good substitute of generic
frameworks especially in an environment with limited resources and related competencies.
Page 220
205
Table 9.1: Comparison of the proposed framework with generic frameworks
Framework
Implement- ation Aspect
COBIT ITOMAT ITIL ISO/IEC 38500 dFogIT SAM BSC The proposed
framework
Major Focus
IT control &
Audit
IT control &
Audit
IT service
management
Evaluate-Direct-
Monitor the use of
IT
Evaluate-
Direct-
Monitor the use of IT
Strategic
alignment
Corporate
performance
Augment the IT
outcomes
Composition
5 domains
and 37 processes
4 domains and
34 processes
5 phases 6 principles 4 Layers 4 domains 4 perspectives 11 CSFs
Governance
Strong link Strong link Weak link Strong link Strong link Moderate link Moderate link Strong link
Strategic use of
IT
High support Medium support Low support High support High support High support High support High support
Generality
High High High High High High Medium
Low
Complexity High Medium
Medium High High Medium Medium Low
Required Skills
High Low
Medium High High High Medium Low
Ease of
implementation
Low Low
Medium Low Low Low Medium High
Perceived cost of
implementation
High Medium
Medium Medium Medium Medium Medium Low
Focus on CSFs Limited
No Limited No No No No High
Applicability to
public sector
Low Medium
Medium Low High Low Low High
Page 221
206
9.6 Application of the Framework in the Context of PSOs in a Developing
Country
The IT context of public sector organizations (PSOs) in a developing country is generally
characterized by low human development, limited IT resources, inadequate related
knowledge & competencies and cultural constraints. Many process-based IT governance
standards and frameworks such as COBIT, ISO/IEC38500 and deFogIT are available and
considered to be as the best practices to implement IT governance in organizations. However,
these frameworks are very generic, complex and expensive due to which organizations may
deem the practice daunting and unattainable (Zhang & Le Fever, 2013). Therefore, a
framework which is less complex, inexpensive and easy to use for both IT and management
personnel is required in this environment.
The proposed framework has been developed based on the critical success factors (CSFs)
which are limited number of areas where focus can be given for success due to limited
resources and other constraints mentioned above. The CSFs approach is comparatively less
complex and less expensive than the process-based approach but has more contextual
relevancy and suits to the PSOs in a developing country (Nfuka & Rusu, 2013). The CSFs
were first operationalised in eight Pakistani public sector organizations (PakPSOs) through
multi case study approach which made them context specific and then validated by taking
sample data throughout the PakPSOs. Moreover, the activities for each of the CSFs, the roles
to implement the activities and the IT resources to execute the activities were also
operationalised in PakPSOs through qualitative and quantitative opinions in PakPSOs which
also made them context specific. In this way, the framework is contextual in nature and
highly relevant to the context of the PSOs in a developing country. However, due to many
underlying similarities and commonalties among the structures & systems and working
procedures of PSOs in developing countries and developed countries, the framework may
also be useful for PSOs in developed countries. This can be considered as the strength of this
framework. In other words, specifically, the proposed framework has contextual relevance to
the PSOs in a developing country and generically, its application can be extended to the PSOs
of developed countries.
In the perspective of IT governance, there are several areas where the PSOs in developing
countries are generally considered poorer than the PSOs in developed countries. However,
the proposed framework contributes to the improvement of mainly five areas in the PSOs in a
Page 222
207
developing country: better decision-making, enhancing IT projects efficiency & effectiveness
(IT project management), improving public service delivery, creating IT governance
awareness, and increasing accountability and transparency.
Decision-making- The PSOs in a developing country is usually poor in decision-making and
mutual understanding between business management and IT personnel to plan, implement
and monitor IT enabled business applications and infrastructure (Qaisar & khan, 2010; Kundi
et al., 2008). The proposed framework provides a suitable specific role (person accountable
and responsible for decision-making) to each activity of the guiding IT governance practices.
In this way, the proposed framework enables better decision-making throughout the IT
investment life cycle in these organizations. This is evident from role (R) column of Table
8.6.
IT Project Management- Most of the IT initiatives in the PSOs of a developing country are
implemented in the form of e-government projects which are usually strategic IT projects.
However, these IT projects often face the risks of being over budgeted, behind scheduled or
even being abandoned. The proposed framework enables these projects to be prioritized and
aligned with business goals and imperatives and to remain on track with concrete IT value
and deliverables. This is evident from activity 5.4 of Table 8.6
Public Service Delivery- Public service delivery in the PSOs of a developing country is
usually poor in terms of quality and method of delivery as compared to the PSOs in
developed countries. The proposed framework helps to improve public service delivery and
recommends new and innovative ways of public service delivery in these organizations. This
is evident from activities 10.3 and 10.4 of Table 8.6.
IT Governance Awareness- This practice refers to the campaigns to clarify the need of IT
governance to business and IT people (De Haes & Van Grembergen, 2009). In the context of
lower IT knowledge and culture (a developing country), Nfuka and Rusu (2010) refer this
practice as mindset change and competency improvement. This practice is more crucial in the
PSOs of a developing country due to political influence and bureaucratic hurdles in this
environment. The proposed framework helps to create IT governance awareness which is
evident from activities 8.1 to 8.4 of Table 8.6.
Accountability and Transparency- The PSOs in developing countries are often affected by
low institutional capacity, limited involvement of stakeholders, high level of corruption and
high level of informality which obstruct their decision-making, control and accountability
(Mimba et al., 2007). The proposed framework assists these organizations to enhance
Page 223
208
accountability and transparency in their environment which is one of the objectives of IT
governance (IGTI, 2007). This is evident from activity 7.1 of Table 8.6.
9.7 Contributions
The outcomes of this research contribute to the practice and theory in several ways. The
major contribution of the research is the original investigation of IT governance in PakPSOs,
previously unexplored, in the perspective of a developing country. Based on this
investigation, the study develops and evaluates a framework for effective IT governance
implementation in PakPSOs. The guiding practices of the framework could help the public
managers in PakPSOs and similar environment in a number of ways. By involving senior
management, engaging key stakeholders and building IT/business collaboration, they can
prioritize IT resources and ensure optimal use of IT in an environment with scarce resources.
By aligning IT strategies with business strategies and enabling structures, they can
incorporate and integrate IT into PakPSOs to improve public service delivery. By
consolidating and communicating IT governance related policies and guidelines, they can
change, control and enforce policies, strategies and decisions to perform IT enabled functions
more effectively. By providing IT governance awareness and attracting, developing and
retaining competitive IT professionals and IT leadership, they can strengthen and sustain
required IT competencies to standardize and harmonize IT infrastructure and applications
cost-effectively. By setting IT and business oriented performance measures and benchmarks,
they can demonstrate success and enable IT contribution for continuous business
improvement. Theoretically, the study adds much into the existing body of knowledge and
provides several implications for academicians and future researchers.
9.7.1 Contribution to Practice
This study makes a number of contributions from practitioners‟ point of view. First, the study
benchmarks PakPSOs with a developed country (Australia), a developing country (Tanzania)
and the international public sector benchmark. This benchmark can help the public managers
in PakPSOs to identify and improve weak areas and ultimately improve and sustain public
service delivery. Second, the study presents a comprehensive examination of effective IT
governance practices in terms of CSFs. These CSFs can help the public managers in
Page 224
209
PakPSOs and similar environment to use limited areas where focus can be given for success.
Third, the studies validates a statistical effect of IT governance CSFs on IT outcomes in
PakPSOs in terms of tasks, organizational and public outcomes of strategic IT projects. By
understanding the relative importance of CSFs, public managers and decision-makers in
PakPSOs and other developing countries can improve their IT-related plans and prioritize
limited resources accordingly to improve and sustain public service delivery in their
respective organizations. The study also develops an understanding of organizational and
public value of strategic IT projects and suggests that the public managers should look into
the meaningful benefits that these projects provide to various stakeholders in addition to
timely and within budget delivery of these projects. Fourth contribution of the study is the IT
governance implementation framework. Using design science elements and comprising of
effective IT governance practices and corresponding activities, roles and kind of IT resources,
the framework demonstrates a comprehensive view of IT governance by enabling both IT and
business management personnel to recognize the effective practices and individual roles for
planning, implementation and continuous improvement of IT governance. The framework not
only covers the five focus areas of IT governance but also covers the three perspectives of IT-
business alignment which lack in the previous studies. This research also creates and
enhances the awareness of IT governance in PakPSOs. The findings of this research study
could also be used by the policymakers to improve the ongoing strategies for successful
incorporation and integration of IT into PakPSOs.
9.7.2 Contribution to Theory
This study also contributes to the existing body of knowledge from theoretical and
academicians‟ point of view. First, the study fills the theoretical gap in the literature by
explaining IT governance in the perspective of CSFs approach proposed by Rockart (1979)
instead of traditional approach of structures, processes and relational mechanisms (De Haes
& Van Grembergen, 2009). Previously, CSFs approach has been adopted in various
management fields but in the field of IT governance, only few studies have used this
approach to identify and validate the discrete lists of CSFs. However, no study has adopted a
holistic approach to investigate CSFs in five focus areas of IT governance and three
perspectives of IT-business alignment simultaneously. This study provides a holistic view of
IT governance by not only focusing on five focus areas of IT governance and also covering
Page 225
210
the three aspects of IT-business alignment. Second, the study adds a validated list of effective
IT governance practices in terms of CSFs in the context of PSOs in a developing country to
the exiting knowledge base. In this way, the study enhances the scope of IT governance
practices in the context of PSOs in a developing country. Third, the study contributes into the
existing literature through a new way of measuring strategic IT projects success in terms of
task outcomes, organizational outcomes and public outcomes instead of traditional measures
of project success (scope, time and quality criteria). No previous study has applied this
holistic and meaningful criterion to assess strategic IT projects success. Fourth, the proposed
framework as a novelty of this research is a new addition in the existing knowledge base.
Using design science research approach for framework development and evaluation process,
the study provides a new IT artifact in the form of framework that can be further investigated
by the future researchers for continuous improvement. The findings of the study also
strengthen the existing IT governance frameworks like COBIT, ITIL and ISO/IEC 38500 etc.
Using the findings of this study, the generic framework can also be updated and amended for
special versions for the PSOs in developing countries. Therefore, the knowledge developed
from this study advances the theories of IT management and information system
management. The study also provides new avenues for future researchers. Future researchers
can explore new IT governance practices or use the existing framework for its statistical
validation. They can include more organizations and more countries to enhance the
generalisability of the research findings of this study.
9.8 Limitations and Recommendations
Even though the research has been carried out carefully and professionally but there are a
number of limitations which are important to mention at this stage. These limitations may be
addressed through future research. These limitations and corresponding recommendations for
future research are as under:
IT governance practices- As mentioned in this study, IT governance practices are confined to
the CSFs of effective IT governance. There could be many more IT governance practices that
lead towards effective IT governance implementation, for example, portfolio management,
knowledge management and benefit management & reporting etc. However, it is not possible
to include all such practices in one study. Therefore, one should be careful while interpreting
the term “IT governance practices”. Thus, there is much scope for more research with more
Page 226
211
IT governance practices. Future research may extend the scope of IT governance practices in
the perspective of developing countries and may involve, test and validate more practices
depending on their study environment.
Sample size and frame- This study used a reasonable sample size in its various research
phases but confined to one developing country (Pakistan) and one sector (public sector). A
number of studies used even small sample size than this study and also confined to one
country and one sector. Although, this does not affect the reliability of the results but the
scope can always be extended by including more countries and larger sample size. Future
researchers should involve more countries and greater sample size because such
considerations will increase the generalisability of results to PSOs of developing countries
and resultantly improve the framework.
Validation of results- This study has been conducted into four phases. The research phase 3
is mainly quantitative and confirmatory in nature. Therefore, the results of research phase 3
have been validated through statistical tests. The research phase 4 is related to the
development and evaluation of the proposed framework using design science research
approach. It has been developed based on the results of research phases 2 & 3, relevant
literature consultation and qualitative and quantitative opinions and experiences of the
respondents in PakPSOs. Therefore, this has not been validated statistically due to the design
of the research. Moreover, the time to conduct the required research to validate the proposed
framework could be more than five years. Thus, this longer time period is a strong hindrance
for the researcher. Future researchers could consider this aspect and validate the framework
in the PSOs of developing countries while carrying out research on IT governance
implementation in these organizations.
Page 227
212
References
Aasi, P., Rusu, L., & Han, S. (2014). Culture Influence on IT Governance: What We have
Learned? International Journal of IT/Business Alignment and Governance , 5 (1), 34-49.
Agarwal, N., & Rathod, U. (2006). Defining „Success‟ for Software Projects: An Exploratory
Revelation. International Journal of Project Management , 24, 358-370.
Agerfalk, P. J., & B. F. (2006). Flexible and Distributed Software Processes: Old Petunias in
New Bowls? Communications of the ACM , 49 (10), 26-34.
Aggarwal, H. (2010). Critical Success Factors in IT Alignment in Public Sector Petroleum
Industry of India. International Journal of Innovation, Management and Technology , 1
(1), 56-63.
Al Qassimi, N., & Rusu, L. (2015). IT Governance in a Public Organization in a Developing
Country: A Case Study of a Governmental Organization. Procedia Computer Science ,
64, 450-56.
Aladwani, A. M. (2002). An Integrated Performance Model of Information Systems Projects.
Journal of Management Information Systems , 19 (1), 187-212.
Ali, S., & Green, P. (2009). Effective Information Technology (IT) Governance Mechanisms:
An IT Outsourcing Perspective. Information Systems Frontiers , 14 (2), 179-193.
Ali, S., & Green, P. (2007). IT Governance Mechanisms in Public Sector Organisations: An
Australian Context. Journal of Global Information Management , 15 (4), 41-63.
Allassani, W. (2013). The Impact of IT Governance onIT Projects: The Case of the Ghana
Rural Bank Computerization and Inter-connectivity Project. Journal of Information
Systems and Technology Management , 10 (2), 271-286.
Alqahtani, A. S. (2017). Critical Success Factors In Implementing ITIL in the Ministry of
Education in Saudi Arabia: An Exploratory Study. International Journal of Advanced
Computer Science and Applications , 8 (4), 230-240.
Alreemy, Z., Chang, V., Walters, R., & Wills, G. (2016). Critical Success Factors (CSFs) for
Information Technology Governance (ITG). International Journal of Information
Management , 36 (6), 907-916.
Alvesson, M., & Deetz, S. (2000). Doing Critical Management Research. London: SAGE
PUBLICATIONS.
Anand, M., Sahay, B. S., & Saha, S. (2005). Balanced Scorecard in Indian Companies.
VIKALPA , 30 (2), 11-25.
Page 228
213
Andersen, K. N., Henriksen, H. Z., Medaglia, R., Danziger, J. N., Sannarnes, M. K., &
Enemærke, M. (2010). Fads and Facts of E-Government: A Review of Impacts of E-
government (2003–2009). International Journal of Public Administration , 33 (11), 564-
579.
Antony, J., & Fergusson, C. (2004). Six Sigma in the Software Industry: Results from a Pilot
Study. Managerial Auditing Journal , 19 (8), 1025-1032.
Avison, D., Jones, J., Powell, P., & Wilson, D. (2004). Using and Validating the Strategic
Alignment Model. The Journal of Strategic Information Systems , 13 (3), 223-246.
Avital, M., & Vandenbosch, B. (2002). Ownership Interaction: A Key Ingredient of
Information Technology Performance," Sprouts: Working Papers on Information
Environments, Systems andOrganizations, Case Western Reserve.
Bakari, J. K. (2007). A Holistic Approach for Managing ICT Security in Non-Commercial
Organizations: A Case in a Developing Country. Unpublished Doctoral Thesis.
Stockholm University.
Beath, C. (1991). Supporting the Information Technology Champion. MIS Quarterly , 15 (3),
355-373.
Beaumaster, S. (2002). Local Government IT Implementation Issues: A Challenge for Public
Administration. Proceedings of the 35th Hawaii International Conference on System
Sciences.
Belassi, W., & Tukel, O. I. (1996). A New Framework for Determining Critical
Success/failure Factors in Projects. International Journal of Project Management , 14 (3),
141-152.
Benbasat, I., & Zmud, R. W. (2003). The Identity Crisis within the IS Discipline: Defining
and Communicating the Discipline's Core Properties. MIS Quarterly , 27 (2), 183-194.
Benbasat, I., Goldstein, D. K., & Mead, M. (1987). The Case Research Strategy in Studies of
Information Systems. MIS Quarterly , 11 (3), 369-386.
Bermejo, P. H., Tonelli, A. O., Zambalde, A. L., Santos, P. A., & Zuppo, L. (2014).
Evaluating IT governance practices and business and IT outcomes: A quantitative
exploratory study in Brazilian companies. Procedia Technology , 16, 849-857.
Bharadwaj, A. (2000). A Resource-based Perspective on Information Technology Capability
and Firm Performance: An Empirical Investigation. MIS Quarterly , 24 (1), 69-96.
Bianchi, I. S., & Sousa, R. D. (2016). IT Governance Mechanisms in Higher Education.
Procedia Computer Science , 100, 941-946.
Page 229
214
Bird, F. (2001). Good Governance: A Philosophical Discussion of the Responsibilities and
Practices of Organizational Governors. Canadian Journal of Administrative Sciences , 18
(4), 298-312.
Black, K. (2010). Business Statistics: Contemporary Decision Making (6 ed.). John Wiley &
Sons.
Boehm, B. (1991). Software Risk Management: Principles and Practices. IEEE Software , 8
(1), 32-41.
Bollen, K. A., & Long, J. S. (1993). Testing Structural Equation Models (1 ed.). SAGE
PUBLICATIONS.
Bouchard, T. J. (1976). Unobtrusive Measures: An Inventory of Uses. Sociological Methods
& Research , 4 (3), 267-300.
Bowen, P. L., Cheung, M.-Y. D., & Rohde, F. H. (2007). Enhancing IT Governance
Practices: A Model and Case Study of an Organization's Efforts. International Journal of
Accounting Information Systems , 8, 191-221.
Boyne, G. A. (2002). Public and Private Management : What's the Difference? Journal of
Management Studies , 39, 97-122.
Brandtner, P., Helfert, M., Auingera, A., & Gaubinger, K. (2015). Conducting Focus Froup
Research in a Design Science Project: Application in Developing a Process Model for the
Front End of Innovation. Systems, Signs & Actions , 9 (1), 26-55.
Brewer, M. (2000). Research Design and Issues of Validity. In H. T. Reis, & C. M. Judd,
Handbook of Research Methods in Social and Personality Psychology. Cambridge
University Press.
Brown, A. E., & Grant, G. G. (2005). Framing the Frameworks: A Review of IT Governance
Research. Communications of the Association for Information Systems , 15, 696-712.
Brown, C. V. (1997). Examining the Emergence of Hybrid IS governance Solutions:
Evidence from a Single Case Site. Information Systems Research , 8 (1), 69-95.
Brown, C. V., & Magil, S. L. (1998). Reconceptualizing the Context-Design Issue for the
Information Systems Function. Organization Science , 9 (2), 176-194.
Bryman, A. (2006). Qualitative Research , 6 (1), 97-113.
Bünten, S., Josh, A. i., De Haes, S., & Van Grembergen, W. (2014). Understanding the
Association between IT Governance Maturity and IT Governance Disclosure.
International Journal of IT/Business Alignment and Governance (IJITBAG) , 5 (1), 16-33
Caiden, N., & Wildavsky, A. B. (1980). Planning and Budgeting in Poor Countries.
Transaction Publisher.
Page 230
215
Campbell, D. T., & Fiske, D. W. (1959). Convergent and Discriminant Validation by the
Multitrait-multimethod Matrix. Psychol Bull , 56 (2), 81-105.
Campbell, J., McDonald, C., & Sethibe, T. (2010). Public and Private Sector IT Governance:
Identifying Contextual Differences. Australasian Journal of Information Systems , 16 (2).
Cartlidge, A. C., Hanna, A. H., Rudd, C., Macfarlane, I., Windebank, J., & Rance, S. (2007).
An Introductory Overview of ITIL V3. The UK Chapter of the itSMF.
Caudle, S. L., Gorr, W. L., & Newcomer, K. E. (1991). Key Information Systems
Management Issues for the Public Sector. MIS Quarterly , 15 (2), 171-188.
Chen, D. Q., Mocker, M., Preston, D. S., & Teubner, A. (2010). Information System
Strategy: Reconceptualization, Measurement, and Implications. MIS Quarterly , 34 (2),
233-259.
ChePa, N., Jnr, B. A., Haizan Nor, R. N., & Masrah, M. A. (2015). Risk Assessment of IT
Governance: A Systematic Literature Review. Journal of Theoretical and Applied
Information Technology , 71 (2), 18-193.
CIPFA and IFAC. (2013). Good Governance in the Public Sector-Consultation Draft for an
International Framework. Retrieved from
http://www.ifac.org/system/files/publications/files/Good-Governance-in-the-Public-
Sector.pdf
Clementi, S., & Carvalho, T. C. (2006). Methodology for IT Governance Assessment and
Design. In R. Suomi, R. Cabral, J. F. Hampe, A. Heikkilä, J. Järveläinen, & E.
Koskivaara (Eds.), Project E-Society: Building Bricks (Vol. 226, pp. 189-202). IFIP
Advances in Information and Communication Technology.
Cohen, J. (1988). Statistical Power Analysis for the Behavioural Sciences (2 ed.). Lawrence
Erlbaum Associates.
Coltman, T., Tallon, P., Sharma, R., & Queiroz, M. (2015). Strategic IT Alignment: Twenty-
five Years on. Journal of Information Technology , 30 (2), 91-100.
Cook, T. D., & Campbell, D. (1979). Quasi-experimentation: Design and Analysis Issues for
Field Settings. Chicago: Rand McNally College Publishing Company.
Cooper, D. R., & Schindler, P. S. (2006). Marketing Research. New York:
McGrawHill/Irwin.
Creswell, J. W. (2009). Research Design: Qualitative, quantitative and Mixed Methods
Research Approaches (3 ed.). SAGE Publications.
Cross, N. (2001). Designerly Ways of Knowing: Design Discipline versus Design Science.
Design Issues , 17 (3), 49-55.
Page 231
216
Csaszar, F., & Clemons, E. (2006). Governance of the IT Function: Valuing Agility and
Quality of Training, Cooperation and Communications. In Proceedings of the 39th
Hawaii International Conference on System Sciences.
Dahlberg, T., & Lahdelma, P. (2007). IT Governance Maturity and IT Outsourcing Degree:
An Exploratory Study. In Proceedings of the 40th Annual Hawaii International
Conference on System Sciences.
Dahlbom, B. (1996). The New Informatics. Scandinavian Journal of Information Systems , 8
(2), 29-48.
Davis, F. D. (1989). Perceived Usefulness, Perceived Ease of Use, and User Acceptance of
Information Technology. MIS Quarterly , 13 (3), 319-340.
Dawes, S. S., Pardo, T. A., Simon, S., Cresswell, A. M., LaVigne, M. F., Andersen, D. F., et
al. (2004). Making Smart IT Choices: Understanding Value and Risk in Government IT
Investments (2 ed.). Center for Technology in Government.
Dawson, G. S., Denford, J. S., Williams, C. K., Preston, D., & Desouza, K. (2016). An
Examination of Effective IT Governance in the Public Sector Using the Legal View of
Agency Theory. Journal of Management Information Systems , 33 (4), 1180-1208.
De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance
Implementations and its Impact on Business/IT Alignment. Information Systems
Management , 26 (2), 123-137.
De Haes, S., & Van Grembergen, W. (2008). An Exploratory Study into the Design of an IT
Governance Minimum Baseline through Delphi Research. Communications of the
Association of the Information Systems , 22 (24), 443-458.
De Haes, S., & Van Grembergen, W. (2006). Information Technology Governance Best
Practices in Belgian Organisations. Proceedings of the 39th Hawaii International
Conference on System Sciences.
De Maere, K., & Kutzschenbach, M. v. (2017). CIO Perspectives on Organizational Learning
within the Context of IT Governance. International Journal of IT/Business Alignment and
Governance (IJITBAG) , 8 (1), 32-47.
Debreceny, R., & Gray, G. L. (2009). IT Governance and Process Maturity: A Field Study.
Proceedings of the 42nd Hawaii International Conference on System Sciences.
Dickinson, R. A., Ferguson, C. R., & Sircar, S. (1984). Critical Success Factors and Small
Business. American Journal of Small Business , 8 (3), 49-57.
Dintrans, P., Anand, A., Ponnuveetil, M., & Vijayakrishnan, J. (2013). Maximizing Business
Value Through Effective IT Governance. Retrieved 12 31, 2013, from
Page 232
217
http://www.cognizant.com: http://www.cognizant.com/InsightsWhitepapers/Maximizing-
Business-Value-Through-Effective-IT-Governance.pdf
EGD. (2005). E-Government Strategy and 5-Year Plan for the Federal Government.
Retrieved 05 10, 2011, from http://202.83.164.28:9080/egdsite05/downloads/E-
Government%20Strategy%20and%205-Year%20Plan%20(19[1].06.2005).pdf
Ein-Dor, P., & Segev, E. (1978). Organizational Context and the Success of Management
Information Systems. Management Science , 24 (10), 1064-1077.
Eisenhardt, K. M. (1989). Building Theories from Case Study Research. Academy of
Management Review , 14 (4), 532-550.
Elephant, P. (2008). The Benefits of ITIL. Retrieved August 12, 2012, from
http://www.pinkelephant.com/articles/TheBenefitsOfITILv26.pdf
Esteves, J. (2004). Definition and Analysis of Critical Success Factors for ERP
Implementation Projects. Doctoral Thesis, Universitat Polite`cnica de Catalunya,
Barcelona.
Ewusi-Mensah, K. (1997). Critical Issues in Abandoned Information Systems Development
Projects. Communications for ACM , 40 (9), 74-80.
Fornell, C., & Larcker, D. (1981). Structural Equation Models with Unobservable Variables
and Measurement Error. Journal of Marketing Research , 18 (1), 39-50.
Fowler, F. J. (2002). Survey Research Methods. SAGE PUBLICATIONS.
Freeman, R. E. (1994). Strategic Management: A Stakeholder Approach. Pitman, Boston,
MA.
Garrity, J. T. (1963). Top Management and Computer Profits. Harvard Business Review , 41
(4), 6-13.
Gefen, D., & Straub, D. (2005). A Practical Guide to Factorial Validity Using PLS-Graph:
Tutorial and Annotated Example. Communications of the Association for Information
Systems , 16 (25), 91-109.
Gheorghe, M. (2011). Risk Management in IT Governance Framework. Economia Seria
Management , 14 (2), 545-552.
Gilbert, D., Balestrini, P., & Littleboy, D. (2004). Barriers and Benefits in the Adoption of E-
government. International Journal of Public Sector Management , 17 (4), 286-301.
Ginzberg, M. J. (1980). An Organizational Contingencies View of Accounting and
Information Systems Implementation. Accounting, Organizations and Society , 5 (4), 369-
382.
Page 233
218
Gómez, B., Bermejo, B., & Juiz, C. (2017). IT Governance and Its Implementation Based on
a Detailed Framework of IT Governance (dFogIT) in Public Enterprises. In L. i. Rusu, &
G. Viscus (Eds.), Information Technology Governance in Public Organizations (Vol. 38,
pp. 133-155). Springer International Publishing.
Gregg, D. G., Kulkarni, U. R., & Vinz´e, A. S. (2001). Understanding the Philosophical
Underpinnings of Software Engineering Research in Information Systems. Information
Systems Frontiers , 3 (2), 169-183.
Gregor, S., & Jones, D. (2007). The Anatomy of a Design Theory. Journal of the Association
for Information Systems , 8 (5), 312-335.
Gregor, S., Martin, M., Fernandez, W., Stern, S., & Vitale, M. (2006). The Transformational
Dimension in the Realization of Business Value from Information Technology. The
Journal of Strategic Information Systems , 15 (3), 249-270.
Guldentops, E. (2004). Key Success Factors for Implementing IT Governance: Let's Not Wait
for Regulators to Tell Us What to Do. Information Systems Control Journal , 2.
Guldentops, E., Van Grembergen, W., & De Haes, S. (2002). Control and Governance
Maturity Survey: Establishing a Reference Benchmark and a Self-assessment Tool.
Information Systems Control Journal.
Haider, Z., Shuwen, C., & Bux Bur, M. (2016). E-Government Project Obstacles in Pakistan.
International Journal of Computer Theory and Engineering , 8 (5), 362-371.
Hair, J. F., Black, B., Babin, B., Anderson, R. E., & Tatham, R. L. (2006). Multivariate Data
Analysis (6 ed.). Prentice Hall.
Han, W. M., & Huang, S. J. (2007). An Empirical Analysis of Risk Components and
Performance on Software Projects. The Journal of Systems and Software , 80, 42-50.
Henderson, J. C., & Cooprider, J. G. (1990). Dimensions of I/S Planning and Design Aids: A
Functional Model of CASE Technology. Information Systems Research , 1 (3), 227-254.
Henderson, J. C., & Lee, S. (1992). Managing I/S Design Teams: A Control Theories
Perspective. 38 (6), 757-777.
Henderson, J. C., & Venkatraman, N. (1993). Strategic Alignment: Leveraging Information
Technology for Transforming Organizations. IBM Systems Journal , 32 (1), 4-16.
Heras-Saizarbitoria, I., & Boiral, O. (2013). ISO 9001 and ISO 14001: Towards a Research
Agenda on Management System Standards. 15 (1), 47-65.
Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004). Design Science in Information
Systems Research. MIS Quarterly , 28 (1), 75-105.
Page 234
219
Hiekkanen, K. (2015). The Impact of IT Governance Practices on Strategic Alignment.
International Journal of IT/Business Alignment and Governance , 6 (2), 1-13.
Hinde, S. (2005). Why Do So Many Major IT Projects Fail? Computer Fraud & Security ,
2005 (1), 15-17.
Hindin, M. J. (2007). Role Theory. In G. Ritzer, Blackwell Encyclopedia of Sociology (pp.
3959-3962). Blackwell Publishing.
Hoch, D., & Payan, M. (2008). Establishing Good IT Governance in the Public Sector.
Retrieved 5 5, 2011, from McKinsey and Company:
http://www.mckinsey.de/downloads/publikation/transforming_government/2008/0803_T
G_it_governance.pdf
Huang, R., Zmud, R. W., & Price, R. L. (2010). Influencing the Effectiveness of IT
governance through Steering Committees and Communication Policies. European
Journal of Information Systems , 19 (3), 288-302.
Hudson, M., Smart, A., & Bourne, M. (2001). Theory and Practice in SME Performance
Measurement Systems. International Journal of operations & Production Management ,
21 (8), 1096-1115.
Irani, Z., & Love, P. E. (2001). The Propagation of Technology Management Taxonomies for
Evaluating Information Systems. Journal of Management Information Systems , 17 (3),
161-177.
ISACA. (2012). COBIT 5 for Information Security. Retrieved 9 1, 2012, from
www.isaca.org: https://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-
Security-Introduction.pdf
ISO/IEC 38500:2015. (2015). Information technology -- Governance of IT for the
organization. Retrieved 2 25, 2017, from International Organization for Standardization:
https://www.iso.org/standard/62816.html
ITGI. (2003). Board Briefing on IT Governance (2 ed.).
ITGI. (2007). Exective Summary Framework. Retrieved May 20, 2011, from www.isaca.org:
http://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf
ITGI. (2005). IT Governance Using COBIT and Val IT: Student Book. IT Governance
Institute.
ITGI. (2009). ITGI Enables IS0/IEC 38500:2008 Adoption. Retrieved December 18, 2012,
from http://www.galegale.com.br/downloads/2009-
ITGI%20Enables%20ISOIEC%2038500-2008%20Adoption.pdf
Page 235
220
ITIL. (2007). Information Technology Infrastructure Library (ITIL) Guide. Retrieved 3 14,
2013, from http://www.itinfo.am/eng/information-technology-infrastructure-library-
guide/#chapter4
Ives, B., & Jarvenpaa, S. L. (1991). Applications of Global Information Technology: Key
Issues for Management. MIS Quarterly , 15 (1), 33-49.
Jick, T. D. (1979). Mixing Qualitative and Quantitative Methods: Triangulation in Action.
Administrative Science Quarterly , 24 (4), 602-611.
Johnson, J. (1995). Chaos: The Dollar Drain of IT Project Failures. Applic. Dev. Trends , 2
(1), 41-47.
Juiz, C., Guerrero, C., & Lera, I. (2014). Implementing GoodGovernance Principles for the
Public Sector in Information Technology Governance Frameworks. Open Journal of
Accounting , 3, 9-27.
Jun, L., Qiuzhen, W., & Qingguo, M. (2011). The Effects of Project Uncertainty and Risk
Management on IS Development Project Performance: A Vendor Perspective.
International Journal of Project Management , 29, 923-933.
Kaplan, B., & Maxwell, J. A. (1994). Qualitative Research Methods for Evaluating Computer
Information Systems. In J. G. Anderson, C. E. Aydin, & S. J. Jay (Eds.), Evaluating
Health Care Information Systems: Methods and Applications. SAGE PUBLICATIONS.
Keen, P. G., & Scott Morton, M. S. (1978). Decision Support Systems: An Organizational
Perspective. Massachusetts: Addison-Wesley Series on Decision Support.
Keil, M., Cule, P., Lyytinen, K., & Schmidt, R. (1998). A Framework for Identifying
Software Project Risks. Communication ACM , 14 (2), 76-83.
Khan, K. S., Kunz, R., Kleijnen, J., & Antes, G. (2003). Five Steps to Conducting a
Systematic Review. Journal of the Royal Society of Medicine , 96 (3), 118-121.
King. (1983). Centralized vs Decentralized Computing: Organizational Considerations and
Management Options. ACM Computing Surveys.
King, W. R. (1978). Strategic Planning for Management Information Systems. MIS Quarterly
, 2 (1), 27-37.
Kitchenham, B. (2004). Procedures for Performing Systematic Reviews. Retrieved 11 30,
2012, from http://www.inf.ufsc.br/~aldo.vw/kitchenham.pdf
Klecun, E., & Cornford, T. (2005). A Critical Approach to Evaluation. European Journal of
Information Systems , 14, 229-243.
Page 236
221
Kleiber, P. B. (2004). Focus Groups: More than a Method of Qualitative Inquiry. In K. B.
deMarrais, & S. D. Lapan (Eds.), Foundations of Research: Methods of Inquiry in
Education and the Social Sciences (pp. 87-102). London: Lawrence Erlbaum.
Kolsaker, A., & Lee-Kelley, L. (2008). Citizens‟ Attitudes towards E-government and E-
governance: A UK Study. International Journal of Public Sector Management , 21 (7),
723-738.
Kothari, C. R. (2004). Research Methodology: Methods and Techniques. New Delhi: New
Age Publications.
Kraiger, K., Ford, I., & Salas, E. (1993). Application of Cognitive, Skill-based, and Affective
Theories of Learning Outcomes to New Methods of Training Evaluation. Journal
ofApplied Psychology , 78, 311-328.
Kruger, C. J., & Snyman, M. M. (2002). Interdependency between Strategic Management and
the Formulation of an Information and Communication Technology Strategy. South
African Journal of Information Management , 4 (2).
Kundi, G. M., Shah, B., & Nawaz, A. (2008). Digital Pakistan: opportunities & challenges.
Journal of Information Systems and Technology Management , 5 (2), 365-390.
Kurti, I., Baroll, E., & Sevran, K. i. (2013). Critical Success Factors for Business – IT
Alignment: A Review of Current Research. Romanian Economic and Business Review , 8
(3), 79-97.
Lancaster, G. (2005). Research Methods in Management: A Concise Introduction to Research
in Management and Business Consultancy. Burlington: Elsevier Butterworth-Heinemann.
Lane, J.-E. (2000). The Public Sector: Concepts, Models and Approaches (3 ed.). SAGE
PUBLICATIONS.
Larsen, M. H., Pedersen, M. K., & Viborg, A. K. (2006). IT Governance: Reviewing 17 IT
Governance Tools and Analysing the Case of Novozymes A/S. Proceedings of the 39th
Hawaii International Conference on System Sciences.
Lawry, R., Waddell, D., & Singh, M. (2007). Roles,Responsibilities and Futures of Chief
Information Officers (CIOs) in the Public Sector. Proceedings of European and
Mediterranean Conference on Information Systems.
Lazic, M., Heinzl, A., & Neff, A. (2011). IT Governance Impact Model: How Mature IT
Governance Affects Business Performance. Retrieved 2012, from sprouts.aisnet.org:
http://sprouts.aisnet.org/11-147
Page 237
222
Lee, C.-H., Lee, J.-H., Park, J.-S., & Jeong, K.-Y. (2008). A Study of the Causal Relationship
Between IT Governance Inhibitors and Its Success in Korea Enterprises. Proceedings of
the 41st Hawaii International Conference on System Sciences.
Liu, Q., & Ridley, G. (2005). IT Control in the Australian Public Sector: An International
Comparison. Thirteenth European Conference on Information Systems.
Luftman, J. (2000). Assessing Business-IT Alignment Maturity. Communications of the
Association for Information Systems , 4, 1-50.
Luftman, J. N., Papp, R., & Brier, T. (1999). Enablers and Inhibitors of Business-IT
Alignment. Communications of the Association for Information Systems , 1 (11), 1-33.
Marais, W. J., & Kruger, C. J. (2005). Implementation of an Information System Within a
Bureaucratic Environment: An Understanding of the Human Issues. South African
Journal of Information Management , 7 (1).
March, S. T., & Smith, G. F. (1995). Design and Natural Science Research on Information
Technology. Decision Support Systems , 15, 251-266.
Marcoulides, G. A., & Saunders, C. (2006). Editor‟s Comments – PLS: A Silver Bullet? MIS
Quarterly , 30 (2), iii-ix.
Marshall, C., & Rossman, G. B. (1999). Designing Qualitative Research (3 ed.). London:
SAGE PUBLICATIONS.
Maxwell, J. A. (2013). Qualitative Research Design: An Interactive Approach (Applied
Social Research Methods) (3 ed.). SAGE Publications.
McFarlan, F. W., & McKenney, J. L. (1983). Corporate Information Systems Management:
The Issues Facing Senior Executives. IRWIN.
McKay, J., & Marshall, P. (2005). A Review of Design Science in Information Systems. 16th
Australasian Conference on Information Systems. Sydney.
McKay, J., & Marshall, P. (2007). Science, Design, and Design Science: Seeking Clarity to
Move Design Science Research Forward in Information Systems. 18th Australasian
Conference on Information Systems. Toowoomba.
Meijer, M., & Smalley, M. (2010). ISO/IEC 38500 – BiSL – ASL: A Comparison. Retrieved 5
13, 11, from http://aslbislfoundation.org/en/?wpfb_dl=650
Mimba, N., Helden, G., & Tillema, S. (2007). Public Sector Performance Measurement in
Developing Countries. Journal of Accounting and Organisational Change , 3, 192-208.
MOIT. (2017). Digital Paksiatn Policy 2017. Retrieved May 10, 2017, from
http://moit.gov.pk/policies/DPP-2017v5.pdf
Page 238
223
Moore, M. H. (1997). Creating Public Value: Strategic Management in Government. Harvard
University Press.
Moore, M. H. (1995). Creating Public Value: Strategic Management in Government. Harvard
University Press.
Morse, J. M. (1991). Approaches to Qualitative-Quantitative Methodological Triangulation.
Nursing Research , 40 (2), 120-123.
MOST. (2000). IT Policy and Action Plan. Retrieved February 10, 2010, from Ministry of
Information Technology website:
http://www.moit.gov.pk/gop/index.php?q=aHR0cDovLzE5Mi4xNjguNzAuMTM2L21va
XQvdXNlcmZpbGVzMS9maWxlL3BvbGljaWVzL1Bha2lzdGFuJTIwSVQlMjBQb2xp
Y3klMjAlMjBBY3Rpb24lMjBQbGFuJTIwMjAwMC5wZGY%3D
Muller, R., & Turner, J. (2005). The Project Manager‟s Leadership Style as a Success Factor
on Projects: A Literature Review. Project Management Journal , 36 (2), 49-61.
Mutagahywa, B., Kinyeki, C., & Ulanga, J. (2007). A Review of E-Government Related
Interventions in PSRP Phase I and Advice on a Strategy Framework Towards PSRP II.
Myers, M. D. (2008). Qualitative Research in Business and Management. London: SAGE
PUBLICATIONS.
Nadvi, K., & Waltring, F. (2004). Making Sense of Global Standards. In H. Schmitz, Local
Enterprises in the Global Economy: Issues of Governance and Upgrading.
Ndou, V. (2004). E-governance for Develpoing Countries: Opportunities and Challenges. The
Electronic Journal on Information Systems in Developing Countries , 18 (1), 1-24.
Nenickova, H. (2011). Critical Success Factors for ITIL Best Practices Usage. Economics
and Management.
Nfuka, E. N., & Rusu, L. (2010). Critical Success Factors for Effective IT Governance in the
Public Sector Organizations in a Developing Country: The Case of Tanzania. 18th
European Conference on Information Systems.
Nfuka, E. N., & Rusu, L. (2013). Critical Success Framework for Implementing Effective IT
Governance in Tanzanian Public Sector Organizations. Journal of Global Information
Technology Management , 16 (3), 53-77.
Nfuka, E. N., & Rusu, L. (2011). The Effect of Critical Success Factors on IT governance
Performance. Industrial Management and Data Systems , 111 (9), 1418-1448.
Nfuka, E. N., Rusu, L., Johannesson, P., & Mutagahywa, B. (2009). The State of IT
Governance in Organizations from the Public Sector in a Developing Country. 42nd
Hawaii International Conference on System Sciences, (pp. 1-12).
Page 239
224
Nicoll, P. (2005). What Lies Ahead for Public Sector Governance? (Applied Corporate
Governance). Keeping Good Companies , 57, 19-26.
Norreklit, H. (2000). The Balance on the Balanced Scorecard a Critical Analysis of Some of
Its Assumptions. Management Accounting Research , 11 (1), 65-88.
Norris, D. F., & Moon, M. J. (2005). Advancing E-Government at the Grassroots: Tortoise or
Hare? Public Administration Review , 65 (1), 64–75.
Oates, B. J. (2006). Researching Information Systems and Computing. New Delhi: Sage
Publications.
O'Donohue, B., Pye, G., & Warren, M. J. (2006). Improving ICT Governance in Australian
Companies. 17th Australasian Conference on Information Systems.
Olve, N.-G., Petri, C.-J., Roy, J., & Roy, S. (2003). Making Scorecards Actionable:
Balancing Strategy and Control. New York: John Wiley & Sons.
Otley, D. (1999). Performance Management: A Framework for Management Control Systems
Research. Management Accounting Research , 10 (4), 363-382.
Oyemade, R. (2012). Effective IT Governance Through the Three Lines of Defense, Risk IT
and COBIT. ISACA Journal , 1.
Pandey, I. M. (2005). Balanced Scorecard: Myth and Reality. VIKALPA , 30 (1), 51-66.
Pang, M.-S., Lee, G., & DeLone, W. H. (2014). IT Resources, Organizational Capabilities,
and Value Creation in Public-sector Organizations: A Public-value Management
Perspective. Journal of Information Technology , 29 (3), 187-205.
Parent, M., & Reich, B. H. (2009). Governing Information Technology Risk. California
Management Review , 51 (3), 134-152.
Park, J., Lee, J.-N., Lee, O.-K. D., & Koo, Y. (2017). Alignment Between Internal and
External IT Governance and Its Effects on Distinctive Firm Performance: An Extended
Resource-Based View. IEEE Transactions on Engineering Management , 64 (3), 351-
364.
Patton, M. Q. (1987). How to Use Qualitative Methods in Evaluation. SAGE
PUBLICATIONS.
Payne, G., & Payne, J. (2004). Key Concepts in Social Research. SAGE PUBLICATIONS.
Peffers, K., Tuunanen, T., Rothenberger, M. A., & Chatterjee, S. (2008). A Design Science
Research Methodology for Information Systems Research. Journal of Management
Information Systems , 24 (3), 45-78.
Pelt, M. V. (2009). IT Governance in Federal Project Management. Retrieved 3 2, 2012,
from
Page 240
225
http://s3.amazonaws.com/chssweb/documents/1057/original/Van_Pelt_final.pdf?1304691
548
Peng, D. X., & Lai, F. (2012). Using Partial Least Squares in Operations Management
Research: A Practical Guideline and Summary of Past Research. Journal of Operations
Management , 30, 467-480.
Pereira, R., & Silva, M. M. (2012). A Literature Review: Gudielines and Contingency Factors
for IT Governance. European, Mediterranean & Middle Eastern Conference on
Information Systems.
Peterson, R. R. (2001). Configurations and Coordination for Golobal Information
TechnologyGovernance: Complex Designs in a Transactional European Context.
Proceedings of the 34th Hawaii International Conference on System Sciences.
Peterson, R. R. (2004). Crafting Information Technology Governance for Today‟s Turbulent
Environment. Information Systems Management , 21 (4), 7-21.
Pinto, J., & Slevin, P. (1989). Critical Success Factors in R & D Projects. Research
Technology Management , 32 (1), 31-36.
PMI. (2004). A Guide to the Project Management Body of Knowledge (PMBOK Guide) (4
ed.). Newtown Square, Pennsylvania: Project Management Institute, Inc.
Pollard, C. E., & Cater-Steel, A. (2009). Justifications, Strategies, and Critical Success
Factors in Successful ITIL Implementations in U.S. and Australian Companies: An
Exploratory Study. Information Systems Management , 26 (2), 164-175.
Post, G. V., Kagan, A., & Keim, R. T. (1999). A Structural Equation Evaluation of CASE
Tools Attributes. Journal of Management Information Systems , 15 (4), 215-234.
Prasad, A., Heales, J., & Green, P. (2010). A Capabilities-based Approach to Obtaining a
Deeper Understanding of Information Technology Governance Effectiveness: Evidence
from IT Steering Committees. International Journal of Accounting Information Systems ,
11 (3), 214-232.
Pratchett, L., & Wingfield, M. (1996). Petty Bureaucracy and Woolly-Minded Liberalism? ?
The Changing Ethos of Local Government Officers. Public Administration Review , 74,
639-656.
Pries-Heje, J., Baskerville, R., & Venable, J. (2008). Strategies for Design Science Research
Evaluation. In Proceedings of the 2008 European Conference on Information Systems.
Prietula, M. J., & Simon, H. A. (1989). The Experts in Your Midst. Harvard Business Review
, 67 (1), 120–124.
Page 241
226
PTA. (2017). Telecom Indicators. Retrieved March 20, 2017, from
http://www.pta.gov.pk/index.php?option=com_content&task=view&id=269&Itemid=658
Purao, S., & Storey, V. C. (2008). Evaluating the Adoption Potential of Design Science
Efforts: The Case of APSARA. Decision Support Systems , 44 (2), 369-381.
PwC & ITGI. (2006). IT Governance in Practice: Insight from Leading CIOs. Retrieved 12
18, 2012, from http://www.pwc.com/ca/en/technology-consulting/technology-
advisory/information-technology-governance.jhtml
Qaisar, N., & khan, G. A. (2010). E-Government Challenges in Public Sector: A case study
of Pakistan. International Journal of Computer Science Issues , 7 (5), 310-317.
Rai, A., & Al-Hindi, H. (2000). The Effects of Development Process Modeling and Task
Uncertainty on Development Quality Performance. Information & Management , 37 (6),
335-346.
Rai, A., Lang, S., & Welker, B. (2002). Assessing the Validity of IS Success Models: An
Empirical Test and Theoretical Analysis. Information Systems Research , 13 (1), 50-69.
Rainey, H., Backoff, R., & Levine, C. (1976). Comparing Public and Private Organizations.
Public Administration Review , 233-244.
Rau, K. G. (2004). Effective Governance of IT: Design Objectives, Roles, and Relationships.
Information Systems Management , 21 (4), 35-42.
Ravichandran, T. (1999). Software Reusability as Synchronous Innovation: A Test of Four
Theoretical Models. European Journal of Information Systems , 8 (3), 183-199.
Ravichandran, T., & Rai, A. (2000). Quality Management in Systems Development: An
Organizational System Perspective. MIS Quarterly , 24 (3), 381-416.
Razak, R. A., & Zakaria, M. S. (2014). The Critical Success Factors for Effective ICT
Governance in Malaysian Public Sector: A Delphi Study. International Journal of Social,
Behavioral, Educational, Economic, Business and Industrial Engineering , 8 (11), 3512-
3515.
Ribbers, P. M., Peterson, R. R., & Parker, M. M. (2002). Designing Information Technology
Governance Processes: Diagnosing Contemporary Practices and Competing Theories.
Proceedings of the 35th Hawaii International Conference on System Sciences.
Rocheleau, B., & Wu, L. (2002). Public Versus Private Information Systems: Do they Differ
in Important Ways? A Review and Empirical Test. The American Review of Public
Administration , 32 (4), 379-397.
Rockart, J. F. (1979). Chief Executives Define their Own Data Needs. Harvard Business
Review , 57 (2), 81-93.
Page 242
227
Rohm, H. (2006). A Balancing Act. Perform , 2 (2), 1-8.
Rohner, R. P. (1977). Advantages of the Comparative Method of Anthropology. Cross-
Cultural Research , 12 (2), 117-144.
Rouyet-Ruiz, J. (2008). COBIT as a Tool for IT Governance: Between Auditing and IT
Governance. The European Journal for the Informatics Professional , 9 (1), 40-43.
Royer, I., & Zarlowaski, P. (1999). Research design. In R.-A. Thietart, Doing management
Research: A Comprehensive Guide (pp. 111-131). London: SAGE PUBLICATIONS.
Sambamurthy, V., & Zmud, R. W. (1999). Arrangements for Information Technology
Governance: A Theory of Multiple Contingencies. MIS Quarterly , 23 (2), 261-290.
Schlosser, F., Wagner, H. T., & Coltman, T. (2012). Reconsidering the Dimensions of
Business-IT Alignment. 45th Hawaii International Conference on System Sciences.
Schoderbek, P. P., Schoderbek, C. G., & Kefalas, A. G. (1990). Management Systems:
Conceptual Considerations. Richard D Irwin.
Selig, G. J. (2008). Implementing IT Governance: A Practical Guide to Global Best Practice
in IT Management. New York: Van Haren Publishing.
Selig, G. J. (2016). IT Governance-An Integrated Framework and Roadmap: How to Plan,
Deploy and Sustain for Improved Effectiveness. Journal of International Technology and
Information Management , 25 (1), 55-76.
Serafeimidis, V., & Smithson, S. (2000). Information System Evaluation in Practice: A Case
Study of Organizational Change. Journal of Information Technology , 15 (2), 93-105.
Sethibe, T., Campbell, J., & McDonald, C. (2007). IT Governance in Public and Private
Sector Organizations: Examining the Differences and Defining Future Research
Directions. In Proceedings of 18th Australasian Conference on Information Systems.
Simon, H. A. (1969). The Sciences of the Artificial. MIT Press.
Simonsson, M., & Johnson, P. (2008). The IT Organization Modeling and Assessment Tool:
Correlating IT Governance Maturity with the Effect of IT. Hawaii International
Conference on System Sciences, Proceedings of the 41st Annual.
Simonsson, M., Johnson, P., & Ekstedt, M. (2010). The Effect of IT Governance Maturity on
IT Governance Performance. Information Systems Management , 27 (1), 10-24.
Simonsson, M., Johnson, P., & Wijkström, H. (2007). Model-Based IT Governance Maturity
Assessments with COBIT. European Conference on Information Systems.
Slevin, D. P., & Pinto, J. K. (1986). The Project Implementation Profile: New Tool for
Project Managers. Project Management Journal , 17 (4), 57-70.
Page 243
228
Spittler, J. R., & McCracken, C. J. (1996). Effective Project Management in Bureaucracies.
Transactions of AACE International , 1-10.
Standish Group. (1995). The CHAOS Report. Retrieved 3 2, 2008, from
http://www.csus.edu/indiv/v/velianitis/161/ChaosReport.pdf
Straub, D. W., David, G., & Marie-Claude, B. (2005). Quantitative Research. In D. Avison,
& J. Pries-Heje (Eds.), Research in Information Systems: A handbook for research
supervisors and their students (pp. 221-238). Amsterdam: Elsevier.
Sun, Y., & Kantor, P. B. (2006). Cross-Evaluation: A New Model for Information System
Evaluation. Journal of the American Society for Information Science and Technology , 57
(5), 614-628.
Swanson, K., McComb, D., Smith, J., & McCubbrey, D. (1991). The Application Software
Factory: Applying Total Quality Techniques to Dystems Development. MIS Quarterly ,
15 (4), 566–579.
Tan, W., Cater-Steel, A., & Toleman, M. (2009). Implementing IT Service Management: A
Case Study Focussing on CSFs. Journal of Computer Information Systems , 50 (2), 1-12.
Tan, W.-G., Cater-Steel, A., & Toleman, M. (2007). Implementing Centralised IT Service
Management: Drawing Lessons from the Public Sector. 18 th Australasian Conference on
Information Systems. Toowoomba.
Teddlie, C., & Yu, F. (2007). Mixed Methods Sampling: A Typology With Examples.
Journal of Mixed Methods Research , 1 (1), 77-100.
Teo, S., & Ang, J. (1999). Critical Success Factors in the Alignment of IS Plans with
Business Plans. International Journal of Information Management , 19, 173-185.
Teo, T. S., & King, W. R. (1996). Assessing the Impact of Integrating Business Planning and
IS Planning. Information & Management , 30 (1996), 309-321.
Trochim, W., & Donnelly, J. P. (2007). The Research Methods Knowledge Base (3 ed.).
Atomic Dog.
UNDP. (2017). Human Development Report. Retrieved March 20, 2017, from
http://hdr.undp.org/sites/default/files/2016_human_development_report.pdf
United Nation. (2001). Statistical Yearbook. New York: United Nation.
Upfold, C. T., & Sewry, D. A. (2005). An Investigation of Information Security in Small and
Medium Enterprises (SME's) in the Eastern Cape. Rhodes University.
Urbach, N., & Ahlemann, F. (2010). Structural Equation Modeling in Information Systems
Research Using Partial Least Squares. Journal of IT Theory & Application , 11 (2), 5-40.
Page 244
229
Vaishnavi, V., & Kuechler, B. (2007). Design Science Research in Information Systems.
Journal of Association for Information Systems.
Van Aken, J. E. (2004). Management Research based on the Paradigm of the Design
Sciences: The Quest for the Field Tested and Grounded Technological Rules. Journal of
Management Studies , 41 (2), 219-246.
Van Grembergen, W. (2002). Introduction to the Minitrack IT Governance and Its
Mechansims. Proceedings of the 35th Hawaii International Conference on System
Sciences (HICSS).
Van Grembergen, W., & De Haes, S. (2005). COBIT's Management Guidelines Revisited:
The KGIs/KPIs Cascade. IT Governance Institute Publication , 6.
Van Grembergen, W., & De Haes, S. (2005). Measuring and Improving Information
Technology Governance through the Balanced Scorecard. Information Systems Control
Journal , 2.
Van Grembergen, W., De Haes, S., & Guldentops, E. (2004). Structures, Processes and
Relational Mechanisms for IT Governance. In W. Van Grembergen (Ed.), Strategies for
Information Technology Governance. Hershey: IDEA GROUP PUBLISHING.
Venable, J. (2006). A Framework for Design Science Research Activities. In Proceedings of
the 2006 Information Resource Management Association Conference.
Venkatraman, N., Henderson, J. C., & Oldach, S. (1993). Continuous Strategic Alignment:
Exploiting Information Technology Capabilities for Competitive Success. European
Management Journal , 11 (2), 139-149.
Walford, R. B. (1990). Information Networks: A Design and Implementation Methodology.
Addison-Wesley.
Walls, J. G., Widmeyer, G. R., & El Sawy, O. A. (1992). Building an Information System
Design Theory for Vigilant EIS. Information Systems Research , 3 (1), 36-59.
Ward, J., & Peppard, J. (2002). Strategic Planning for Information Systems (3 ed.). Wiley,
Chichester.
Warland, C., & Ridley, G. (2005). Awareness of IT Control Frameworks in an Australian
State Government: A Qualitative Case Study. In Proceedings of the 38th Hawaii
International Conference on System Sciences.
Wateridge, J. F. (1995). IT Projects: A Basis for Success. International Journal of Project
Management , 13 (3), 169-172.
Webb, P., Pollard, C., & Ridley, G. (2006). Attempting to Define IT Governance: Wisdom or
Folly? Proceedings of the 39th Hawaii International Conference on System Sciences.
Page 245
230
Weill, P. (2004). Don't Just Lead, Govern: How Top-Performing Firms Govern IT. MIS
Quarterly Executive , 3 (1), 1-17.
Weill, P., & Broadbent, M. (1998). Leveraging the New Infrastructure: How Market Leaders
Capitalize on Information Technology. Harvard Business Review Press.
Weill, P., & Ross, J. W. (2004). IT Governance: How Top Performers Manage IT Decision
Rights for Superior Results. Boston: Harvard Business School Press.
Whittaker, B. (1999). What went Wrong? Unsuccessful Information Technology Projects.
Information Management & Computer Security , 7 (1), 23-29.
Wiedenhoft, G. C., Luciano, E. M., & Magnagnagno, O. A. (2017). Information Technology
Governance in Public Organizations: Identifying Mechanisms that Meet its Goals While
Respecting Principles. Journal of Information Systems and Technology Management , 14
(1), 69-87.
Wold, H. (1985). Partial Least Squares. In S. Kotz, & L. N. Johnson (Eds.), Encyclopedia of
Statistical Sciences (Vol. 6, pp. 581-591). New York: Wiley.
Worthen, B. (2005). ITIL Power. Retrieved April 10, 2006, from
http://www.cio.com/archive/090105/itil_frameworks.html?page=1
Xia, W., & Lee, G. (2004). Grasping the Complexity of IS Development Projects.
Communications of the ACM , 47 (5), 69-74.
Yin, R. K. (2003). Case Study Research: Design and Methods (4 ed., Vol. 5). SAGE
PUBLICATIONS.
Zahedi, F. (1987). Reliability of Information Systems Based on Critical Suscess Factors
Formulation. MIS Quarterly , 11 (2), 187-203.
Zhang, P., Zhao, K., & Kumar, R. L. (2016). Impact of IT Governance and IT Capability on
Firm Performance. Information Systems Management , 33 (4), 357-373.
Zhang, S., & Le Fever, H. (2013). An Examination of the Practicability of COBIT
Framework and the Proposal of a COBIT-BSC Model. Journal of Economics, Business
and Management , 1 (4), 391-395.
Page 246
231
Appendices
Appendix-I
34 IT Processes of COBIT scattered into four domains
Plan and Organize (PO) PO1-Define a strategic IT plan
PO2-Define the information architecture
PO3-Determine technological direction
PO4-Define the IT processes, organization and relationships
PO5-Manage the IT investment
PO6-Communicate management aims and direction
PO7-Manage IT human resources
PO8-Manage quality
PO9-Assess and manage IT risks PO10-Manage projects
Deliver and Support (DS) DS1-Define and manage service levels
DS2-Manage third party services
DS3-Manage performance and capacity
DS4-Ensure continuous service DS5-Ensure systems security
DS6-Indentify and allocate costs
DS7-Educate and train users DS8-Manage service desk and incidents
DS9-Manage the configuration
DS10-Manage problems
DS11-Manage data DS12-Manage the physical environment
DS13-Manage operations
Acquire and Implement (AI) AI1-Identify automated solutions
AI2-Acquire and maintain application software
AI3-Acquire and maintain technology
infrastructure AI4-Enable operation and use
AI5-Procure IT resources
AI6-Manage changes AI7-Install and Accredit solutions and changes
Monitor and Evaluate (ME) ME1-Monitor and evaluate IT performance
ME2-Monitor and evaluate internal control
ME3-Ensure compliance with external
requirements ME4-Provide IT governance
Appendix-II
Fifteen most important and more relevant public sector IT processes of COBIT
Plan and Organize (PO)
PO1-Define a strategic IT plan
PO3-Determine technological direction
PO4-Define the IT processes, organization and relationships
PO5-Manage the IT investment
PO6-Communicate management aims and direction
PO9-Assess and manage IT risks
PO10-Manage projects
Deliver and Support (DS)
DS1-Define and manage service levels
DS4-Ensure continuous service
DS5-Ensure systems security DS11-Manage data
Acquire and Implement (AI) AI1-Identify automated solutions
AI2-Acquire and maintain application software
AI6-Manage changes
Monitor and Evaluate (ME) ME1-Monitor and evaluate IT performance
Page 247
232
Appendix-III
Generic maturity model of COBIT
0 Non-existent Complete lack of any recognizable processes. The enterprise has not
even recognized that there is an issue to be addressed.
1 Initial/Ad Hoc There is evidence that the enterprise has recognized that the issues
exist and need to be addressed. There are, however, no standardized
processes; instead, there are ad hoc approaches that tend to be applied
on an individual or case-by-case basis. The overall approach to
management is disorganized.
2 Repeatable but
Intuitive
Processes have developed to the stage where similar procedures are
followed by different people undertaking the same task. There is no
formal training or communication of standard procedures, and
responsibility is left to the individual. There is a high degree of
reliance on the knowledge of individuals and, therefore, errors are
likely.
3 Defined Process Procedures have been standardized and documented, and
communicated through training. It is mandated that these processes
should be followed; however, it is unlikely that deviations will be
detected. The procedures themselves are not sophisticated but are the
formalization of existing practices.
4 Managed and
Measurable
Management monitors and measures compliance with procedures and
takes action where processes appear not to be working effectively.
Processes are under constant improvement and provide good practice.
Automation and tools are used in a limited or fragmented way.
5 Optimized Processes have been refined to a level of good practice, based on the
results of continuous improvement and maturity modeling with other
enterprises. IT is used in an integrated way to automate the workflow,
providing tools to improve quality and effectiveness, making the
enterprise quick to adapt.
Page 248
233
Appendix-IV
Q1. Up to what extent, the following IT governance practices in terms of CSFs are effective in your
organization towards the strategic use of IT?
1. Not at all effective, 2. Slightly effective 3. Moderately effective, 4. Effective, 5. Very effective
IT governance practice in terms of CSF Effectiveness
(1-5)
Top management support
Alignment between IT and business strategy
IT demonstrates leadership
Adequate stakeholders involvement
Effective communication between IT and business
Regulatory environment and compliance requirements
Existing governance and transparency
Organizational culture
Financial support
Adequate IT skills and staff
Performance measurement and aligned incentives
Change management and exception handling
Well prioritized IT Projects
Clear IT strategy, principles & policies
Clear roles and responsibilities
IT governance awareness and understanding
IT structures to ensure accountability and flexibility to the IT organizational needs
Risk identification and mitigation process
Standardized and managed IT infrastructure & applications to optimize costs and
information flow
IT skills and knowledge of business executives/personnel
Business skills and knowledge of IT executives/personnel
Mutual trust and respect between business and IT executives/personnel
Shared understanding between business and IT executives/personnel
Q2. Which IT governance practices in terms of CSFs given above are actually
implemented/excercised in your organization and how? You can also add, delete and change/update
above given practices according to your business setting.
Page 249
234
Appendix-V
IT Governance Practices
On five point Likert scale, 1 (strongly disagree) to 5 (strongly agree)
Item Source
IT Leadership
Effective IT leadership competencies for managing IT projects
IT leadership‟s understanding of business goals/imperatives and
actionable IT intervention
Management team‟s understanding of IT opportunities and
contribution
(Nfuka & Rusu,
2011)
Senior Management Involvement and Support
Senior management support to strategic use of IT
Senior management action-oriented involvement in IT projects
High-level political support to strategic use of IT
IT-related resources prioritization
(Nfuka & Rusu,
2011)
IT/Business Communication and Partnership
Shared understanding of business IT goals, strategies and
imperatives
Business and IT cooperation formally/informally
IT governance mechanisms‟ transparency to managers
Business involvement in IT initiatives and vice versa
Frequent communication between business and IT
(Nfuka & Rusu,
2011)
Engagement of Key Stakeholders
Building collaborative relationships with key stakeholders
Creating shared understanding among key stakeholders on common
agenda
Stakeholders‟ active participation in IT planning and
implementation of shared resources/services
(Nfuka & Rusu,
2011)
Defined, Aligned and Cascaded IT and Business Strategies
Alignment of IT business goals, strategy and operations
A well-communicated IT strategy and policy down to all levels of
organization
Well-aligned and prioritized IT projects
Active participation of IT people in corporate strategy and business
people in IT strategy planning
Aligned IT to required reforms in public sector
(Nfuka & Rusu,
2011)
IT Structures for Responsiveness and Accountability
Participatory designed and widely communicated IT governance
mechanisms on IT structure with a focus on partnership ownership
and accountability
Having active IT steering committees that oversee IT investment,
prioritization and operations
Having IT project committee to oversee/monitor the project
activities and outcome
(Nfuka & Rusu,
2011)
Page 250
235
IT head on executive management and reporting to CEO
Clear and adequate role and responsibilities/categories
Policies and Guidelines for Optimal Acquisition and Use of IT
Effective IT processes guidelines for management and IT projects‟
staff/users
Implementing an IT governance and control framework
IT project governance/management methodologies
Clear IT budget control, reporting and responsible usage
Enforced IT-governance-related policies and guidelines
(Nfuka & Rusu,
2011)
Risk Identification and Mitigation Mechanism
Presence of comprehensive set of metrics for identification and
mitigation of business risks
Presence of comprehensive set of metrics for identification and
mitigation of resource risks
Presence of comprehensive set of metrics for identification and
mitigation of technology risks
(Keil et al., 1998)
Standardized and Managed IT Infrastructure and Applications
Effective provision and management of IT facilities
Standardized and sharable IT infrastructure and applications
Provision of efficient and reliable services to IT projects‟ staff
(Nfuka & Rusu,
2011)
IT Governance Awareness and Training
Provision of governance of IT training to IT/business management
and experts for cost effective management and optimal use of IT
projects‟ resources
Provision of governance of IT awareness to users for optimal and
cost-effective use of IT projects‟ resources
Incorporation of change management in IT governance best
practices awareness and training
(Nfuka & Rusu,
2011)
Competitive IT Professionals
A focus on attracting and retaining core IT/business competencies
related to planning, development and management of IT projects
Recognition and encouragement of IT innovations, appropriateness
and excellence
Skilled IT personnel as working capital of successful IT projects &
operations
(Nfuka & Rusu,
2011)
Performance Measures and Benchmarks
Clearly set IT projects‟ targets in organizational operations,
customer/public excellence, skills/innovation and corporate
contribution
Clearly set, active and monitored performance measures for
organizational and public value of IT projects
Demonstration of IT projects „success/contribution
Performance-aligned rewards and penalties
(Nfuka & Rusu,
2011)
Page 251
236
Task Outcomes
On seven-point Likert scale, 1 (extremely low) to 7 (extremely high)
Item Source
Efficiency of operations
Adherence to schedules
Adherence to budgets
Amount of produced work
Quality of produced work
Effectiveness of interactions with consultants
Ability to meet its goals
(Henderson & Lee,
1992)
Organizational Outcomes
On seven-point Likert scales, 1 (strongly disagree) to 7 (strongly agree)
Item Source
Cost reduction and efficiency gains (Gregor et al., 2006;
Ndou, 2004)
Improved quality of decision-making (Gregor et al., 2006;
Ndou, 2004)
Transparency, anticorruption and accountability (Bhatnagar & Singh,
2010; Ndou, 2004)
Useful links with other organizations (Gregor et al., 2006;
Ndou, 2004)
Improved quality of service delivery to businesses and customers (Ndou, 2004)
Enhanced employees‟ productivity (Gregor et al., 2006)
Public Outcomes
On seven-point Likert scales, 1 (not at all) to 7 (to a great extent)
Item Source
Cost and time saving using e-services (Gilbert et al., 2004;
Kolsaker & Lee-Kelley,
2008; Wang & Liao,
2008)
Better information, knowledgeable about government policy (Kolsaker & Lee-Kelley,
2008; Grimsley &
Meehan, 2007; Thomas
& Streib, 2003)
Efficient method of communicating with government (Kolsaker & Lee-Kelley,
2008)
Involving, exerting influence in the democratic process (Kolsaker & Lee-Kelley,
2008; Grimsley &
Meehan, 2007)
Network and community creation (Ndou, 2004)
Page 252
237
Appendix-VI
1. A proposed set of activities to implement the relevant practice in your organization is given below. Please review each activity for its
suiatbility to impelement the relevant practice in your business setting. You can also add, delete and change/update activities according to your
business setting.
2. Please also choose a suitable role and approperiate IT resource to execute each activity as per your business settings from the list given below.
Role (R) Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
IT Resource (S)
Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Guiding practice Proposed activities Improved activities R S
1. IT/business
communication and partnership
1.1 Establish viable IT/business communication and partnership practice
1.2 Involve business personnel in IT initiatives and IT personnel in business imperatives
1.3 Develop shared understanding among IT/business personnel on
IT/business goals and imperatives
1.4 Make IT related decisions with the same criteria used by the business
1.5 Educate business management regarding the importance of partnering
with IT
1.6 Assure active conflict resolution
2. Engagement of key stakeholders
2.1 Identify key stakeholders with clear roles and responsibilities
2.2 Consult and involve key stakeholders in IT plan preparation and
implementation
2.3 Create shared understanding among key stakeholders on shared
IT/business goals and imperatives
2.4 Provide assurance to satisfy stakeholder concerns
2.5 Analyse the potential contribution of key stakeholders
3. IT leadership 3.1 Provide a clear and top level mandate to lead and manage IT and
Page 253
238
transformation program
3.2 Persuade IT leadership on articulation a vision for the role of IT in
organization
3.3 Encourage IT leadership on business imperatives and viable IT
intervention
3.4 Convince business management on IT potential and contribution
3.5 Develop confidence of senior management in IT leadership
3.6 Develop focused IT leadership competencies
4. Senior management
involvement and support
4.1 Establish senior management role in IT decision-making and monitoring
processes
4.2 Demonstrate viable business value proposition from IT for senior management, board and politicians‟ support
4.3 Convince senior management on delegating viable authority for decision-
making and control over resources
4.4 Convince senior management for additional resources in crisis
4.5 Motivate senior management to use IT actively
5. Defined, aligned and
cascaded IT and business
strategies
5.1 Involve IT/business personnel in IT/business strategic planning
5.2 Define and align IT goals with business goals
5.3 Establish business aligned IT strategy, resources and operations
5.4 Prioritize, harmonize and establish IT projects cost-effectively
5.5 Integrate IT effectively into related public sector reforms
5.6 Cascade IT strategy down to all levels of organization
6. IT structures for
responsiveness and accountability
6.1 Establish clear and appropriate IT roles and responsibilities
6.2 Establish the role of CIO or IT head to report directly to executive head
6.3 Establish IT steering committee with balanced representation of IT/business
6.4 Establish IT project steering committee to prioritize and manage IT
projects
6.5 Ensure shared understanding and active participation of committees
7. Policies and guidelines for
optimal acquisition and use
of IT
7.1 Establish needed IT processes and governance framework
7.2 Establish clear mechanism for IT budget control and reporting
7.3 Ensure optimized IT investment, procurement and operational cost
7.4 Establish cost-effective and responsible use of IT resources
7.5 Establish ownership and efficient use of IT applications
Page 254
239
7.6 Establish IT governance policies & guidelines for IT value creation and
preservation
7.7.Determine and implement required change management
7.8 Cascade and enforce IT policies & guidelines at all levels
8. IT governance awareness
and training
8.1 Determine drivers and state of IT governance practices
8.2 Determine required mindset change and best practices
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel
8.4 Establish knowledge management mechanism
8.5 Reduce employees resistance
9. Competitive IT professionals
9.1 Attract, develop and retain skilled IT personnel for IT/business success
9.2 Develop broad IT competencies to manage IT resources
9.3 Establish and motivate aligned IT innovation and practices
9.4 Treat skilled IT professionals as working capital
10. Standardized and
managed IT infrastructure and applications
10.1 Provide and leverage IT facilities rationally
10.2 Standardize and share IT infrastructure effectively
10.3 Standardize, integrate and manage IT applications prudently
10.4 Determine and actively manage services offered by the third parties
10.5 Benchmark and provide efficient IT services in and across organizations
10.6 Establish research activities for new and innovative IT services
11. Performance measures and benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT
11.2 Establish effective performance management strategy
11.3 Set and monitor IT/business oriented performance measures
11.4 Evaluate and demonstrate business value of IT
11.5 Assess IT governance performance and continually improve
11.6 Establish performance aligned rewards and penalties
Page 255
240
Appendix-VII
Q. Up to what extent, do you perceive that the following improved activities are effective and easy to implement in your business setting?
1. Not at all 2. Slightly 3. Moderately, 4. Satisfactorily, 5. Very satisfactorily
Guiding practice Improved activities Perceived
effectiveness
(1-5)
Ease of
implementation
(1-5)
1. IT/business
communication and
partnership
1.1 Formalize viable IT/business communication and partnership practice
1.2 Train/involve business personnel in IT initiatives and IT personnel in business imperatives
1.3 Develop shared understanding among IT/business personnel on IT/business goals and
imperatives
1.4 Convince business management on IT/business partnership
2. Engagement of key
stakeholders
2.1 Identify key stakeholders and establish appropriate roles & responsibilities
2.2 Involve key stakeholders in IT/business plans preparation and implementation
2.3 Create shared understanding among key stakeholders on shared IT/business goals and
imperatives
2.4 Analyze and report the potential contribution of key stakeholders
3. IT leadership 3.1 Establish clear and top level mandate to lead and manage overall transformation program
3.2 Encourage IT leadership on business imperatives and viable IT intervention
3.3 Convince business management on IT potential and contribution
3.4 Develop confidence of senior management in IT leadership
3.5 Develop focused IT leadership competencies
Page 256
241
4. Senior management
involvement and support
4.1 Establish senior management role in strategic IT decision-making, resource prioritization
and monitoring processes
4.2 Demonstrate viable business value proposition of IT to get support of senior management,
politicians and sponsor
4.3 Convince senior management to delegate viable authority over resources
4.4 Convince senior management to provide required resources for IT/business success
4.5 Motivate senior management to use IT actively
5. Defined, aligned and
cascaded IT and business
strategies
5.1 Involve IT/business personnel in strategic IT/business planning
5.2 Define and align IT goals with business goals
5.3 Establish business aligned IT strategy, resources and operations
5.4 Prioritize and align IT projects with business goals and imperatives
5.5 Incorporate IT effectively into required public sector reforms
5.6 Cascade IT strategy down to all levels of organization
6. IT structures for
responsiveness and
accountability
6.1 Establish clear and appropriate IT roles and responsibilities
6.2 Establish the role of CIO or IT head to report directly to the executive head
6.3 Establish IT steering committee with balanced representation of IT/business executives
6.4 Establish IT project steering committee to prioritize and manage IT projects
6.5 Ensure shared understanding and active participation of committees
7. Policies and guidelines
for optimal acquisition
and use of IT
7.1 Establish needed IT processes and governance framework
7.2 Establish transparent IT/business budget control and reporting
7.3 Ensure optimized IT investment, procurement and operational cost
7.4 Establish ownership and ensure effective use of IT infrastructure & applications
7.5 Establish IT governance policies & guidelines for IT value creation and preservation
Page 257
242
7.6 Determine and implement required change management
7.7 Cascade and enforce IT policies & guidelines at all levels
8. IT governance
awareness and training
8.1 Determine drivers and state of IT governance practices
8.2 Determine and fix required mindset change and best practices
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel
8.4 Create IT governance awareness among employees through top management
announcements
9. Competitive IT
professionals
9.1 Attract, develop and retain skilled IT personnel for IT/business success
9.2 Develop broad IT competencies to manage IT resources
9.3 Establish and motivate aligned IT/business innovation and practices
9.4 Treat skilled IT professionals as working capital
10. Standardized and
managed IT
infrastructure and
applications
10.1 Standardize and share IT infrastructure effectively
10.2 Standardize, integrate and manage IT applications effectively
10.3 Define and manage SLAs effectively
10.4 Benchmark and provide efficient IT facilities in and across organizations
10.5 Encourage research activities for new and innovative IT services
11. Performance
measures and
benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT
11.2 Establish effective performance management strategy
11.3 Set and monitor IT/business oriented performance measures
11.4 Evaluate and demonstrate business value proposition of IT
11.5 Assess IT governance performance and continually improve
*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)
**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)
Page 258
243
Appendix-VIII
1. Please provide your expert opinion on the suitability of each of the following elements of the proposed framework (attached). You can add,
delete and change elements of the proposed framework according to your business setting and the context of PakPSOs.
a) Environment
b) Organization
c) Activities
d) Roles
e) IT resouces
Q2. Please also provide your comments for the further improvement of the framework.
Page 259
244
Appendix-IX
Q1. Up to what extent, the proposed framework (attached) fulfills the following evaluation criteria in your organizational setting?
Criteria for evaluation 1 2 3 4 5
Formal description to meet the need for no ambiguity Very
ambiguous
ambiguous Fair Good Very good
Definable activities through understandability of the
framework
Not at all
understandable
Slightly
understandable
Understandable Very
understandable
Extremely
understandable
Completeness of the framework to ensure no additional
activities are needed
Very poor
Poor Marginal
Good
Very good
Activities to be capable of implementation Not at all
implementable
Slightly
implementable
Implementable Very
implementable
Extremely
implementable
Usability via measuring ease of use Very difficult Difficult Easy Very easy Extremely
Easy
Fit by measuring the usefulness of the framework in the
organization
Not at all
useful
Slightly useful Useful Very useful Extremely
useful
Q2: Please also provide your opinion on each of the above stated criteria regarding the evaluation of the proposed framework in your
organization.
Page 260
245
Appendix-X
Cross Loading
V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12 Task Outcomes
Organizational Outcomes
Public Outcomes
V1.1 0.8920 0.5590 0.2359 0.6568 0.3700 0.2719 0.2853 0.1333 0.4572 0.5089 0.4522 0.4739 0.6612 0.4014 0.6193
V1.2 0.9070 0.4802 0.1852 0.5945 0.3861 0.2918 0.4353 0.2246 0.5096 0.4540 0.4289 0.4915 0.6416 0.3898 0.6368
V1.3 0.8383 0.4942 0.1427 0.4582 0.3860 0.3233 0.3040 0.1597 0.4107 0.4247 0.4506 0.5369 0.5460 0.2951 0.4932
V2.1 0.4153 0.7403 0.2643 0.4916 0.2590 0.2332 0.1895 0.2137 0.3327 0.4295 0.3553 0.2963 0.4846 0.2920 0.4630
V2.2 0.3671 0.7848 0.2758 0.4302 0.3052 0.1174 0.2860 0.1725 0.3060 0.3250 0.3396 0.2394 0.4954 0.2565 0.4172
V2.3 0.3956 0.7817 0.2416 0.3725 0.3188 0.2485 0.2607 0.1907 0.4006 0.3268 0.3175 0.4085 0.5131 0.2565 0.4352
V2.4 0.5573 0.7743 0.4619 0.5311 0.5273 0.3998 0.4276 0.3724 0.6402 0.5648 0.5539 0.5305 0.6911 0.5103 0.6311
V3.1 0.2905 0.4334 0.9043 0.3575 0.3543 0.1136 0.1962 0.3099 0.4193 0.5298 0.4091 0.2741 0.5634 0.4631 0.5717
V3.2 0.1910 0.3715 0.8797 0.3755 0.3132 0.0996 0.1344 0.2881 0.4047 0.5083 0.3780 0.2242 0.5260 0.4333 0.5845
V3.3 0.0494 0.2693 0.8784 0.1975 0.2299 0.0850 0.0887 0.2001 0.2936 0.4677 0.2736 0.1699 0.3939 0.3571 0.4501
V3.4 0.1638 0.3329 0.8629 0.2718 0.2862 0.0545 0.2030 0.2311 0.3271 0.5128 0.2943 0.1871 0.4403 0.3567 0.4663
V3.5 0.2231 0.4366 0.8818 0.3441 0.3747 0.1671 0.2016 0.2533 0.4575 0.5081 0.4593 0.2903 0.5216 0.4403 0.5255
V4.1 0.6627 0.5806 0.3718 0.9182 0.4767 0.3940 0.4399 0.3265 0.5858 0.5975 0.6029 0.4953 0.7478 0.4936 0.7076
V4.2 0.5479 0.5131 0.3228 0.9202 0.4348 0.4202 0.4821 0.3012 0.5800 0.5496 0.5367 0.5167 0.6969 0.5052 0.7076
V4.3 0.5914 0.5674 0.2896 0.9148 0.3790 0.3790 0.4780 0.3333 0.5448 0.5399 0.5266 0.4401 0.7054 0.4537 0.6614
Page 261
246
V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12 Task
Outcomes
Organizational
Outcomes
Public
Outcomes
V5.1 0.4721 0.5269 0.4200 0.4835 0.9123 0.4171 0.3152 0.3585 0.4767 0.4680 0.5942 0.4310 0.6046 0.5822 0.5582
V5.2 0.3057 0.3882 0.3190 0.3925 0.8800 0.3413 0.3008 0.3559 0.3866 0.3851 0.5305 0.3732 0.4746 0.4887 0.4528
V5.3 0.3134 0.3805 0.2854 0.3316 0.8827 0.3074 0.3240 0.2741 0.3847 0.3743 0.5049 0.2872 0.4423 0.4552 0.3957
V5.4 0.4043 0.3963 0.2022 0.3974 0.8824 0.2945 0.2872 0.2646 0.3878 0.3059 0.4652 0.3642 0.4665 0.3910 0.4287
V5.5 0.4028 0.4314 0.3352 0.4618 0.9018 0.4436 0.3931 0.3379 0.5190 0.4479 0.6049 0.3995 0.5557 0.5669 0.5441
V6.1 0.3720 0.4016 0.1545 0.4237 0.4126 0.8976 0.1640 0.3426 0.4628 0.3680 0.4709 0.5434 0.4868 0.4480 0.4381
V6.2 0.2974 0.3146 0.1751 0.4315 0.3593 0.8849 0.2069 0.3720 0.4165 0.3799 0.4572 0.5106 0.4262 0.4502 0.4128
V6.3 0.1922 0.2197 0.0374 0.3161 0.2687 0.8917 0.2789 0.2530 0.3556 0.2897 0.3924 0.4537 0.3400 0.3515 0.3145
V6.4 0.2491 0.2860 0.0713 0.3495 0.3935 0.9076 0.2602 0.2823 0.3723 0.2887 0.4268 0.5127 0.3896 0.3798 0.3228
V6.5 0.3385 0.2876 0.0714 0.3838 0.3787 0.8654 0.2375 0.2580 0.3754 0.2360 0.4331 0.4882 0.4047 0.4321 0.3526
V7.1 0.3644 0.3942 0.2002 0.5027 0.3472 0.1923 0.9164 0.3340 0.5437 0.4974 0.4993 0.2809 0.4986 0.4852 0.5002
V7.2 0.3438 0.3193 0.1724 0.4260 0.3216 0.2159 0.8893 0.3235 0.4608 0.3854 0.4093 0.3551 0.4389 0.4580 0.4398
V7.3 0.2999 0.3043 0.1628 0.3737 0.2519 0.1644 0.8761 0.2408 0.4856 0.4522 0.4003 0.2496 0.4020 0.3851 0.4031
V7.4 0.3217 0.3853 0.2120 0.5122 0.3174 0.3076 0.8843 0.2993 0.4804 0.4182 0.4363 0.3313 0.4791 0.4131 0.4751
V7.5 0.4074 0.3585 0.0936 0.4415 0.3861 0.2465 0.9023 0.2519 0.4785 0.3830 0.5039 0.2798 0.4674 0.4180 0.4626
V8.1 0.2052 0.3012 0.2329 0.3339 0.3320 0.3389 0.3036 0.8862 0.3076 0.3158 0.3314 0.2157 0.3741 0.3513 0.2905
V8.2 0.2052 0.3012 0.2329 0.3339 0.3320 0.3389 0.3036 0.8853 0.3076 0.3158 0.3314 0.2157 0.3741 0.3513 0.2905
V8.3 0.0675 0.2185 0.2983 0.1989 0.2405 0.1706 0.2089 0.8680 0.2402 0.2228 0.2220 0.0566 0.2404 0.2843 0.2601
Page 262
247
V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12 Task
Outcomes
Organizational
Outcomes
Public
Outcomes
V9.1 0.5423 0.6281 0.4017 0.6119 0.4778 0.4361 0.4932 0.3409 0.9227 0.5502 0.6439 0.4773 0.6706 0.5039 0.7187
V9.2 0.4459 0.4528 0.3440 0.5496 0.4309 0.3813 0.5020 0.2407 0.8939 0.4844 0.5406 0.4326 0.5618 0.4011 0.6603
V9.3 0.4167 0.4584 0.4310 0.5083 0.4069 0.3919 0.4847 0.3277 0.8753 0.5528 0.5265 0.3953 0.5895 0.4918 0.6490
V10.1 0.4461 0.4578 0.5633 0.5259 0.3903 0.2988 0.4166 0.3062 0.4952 0.9138 0.5109 0.3589 0.5922 0.5578 0.5799
V10.2 0.4556 0.5237 0.5330 0.5268 0.4097 0.3220 0.4177 0.3414 0.5313 0.9279 0.4713 0.3843 0.6080 0.5185 0.5868
V10.3 0.5485 0.5518 0.4951 0.6337 0.4437 0.3586 0.4834 0.2975 0.5991 0.9213 0.5683 0.4475 0.6849 0.5550 0.6788
V11.1 0.4007 0.4715 0.3084 0.5304 0.5315 0.4807 0.4288 0.2835 0.5420 0.4935 0.8962 0.3845 0.5998 0.4762 0.5620
V11.2 0.4729 0.4683 0.3483 0.5361 0.5650 0.4028 0.4349 0.3192 0.5717 0.4580 0.8761 0.3923 0.6296 0.4866 0.5975
V11.3 0.4444 0.4553 0.4389 0.5242 0.5093 0.4147 0.4622 0.3260 0.5606 0.5268 0.8543 0.4254 0.6256 0.5284 0.5800
V12.1 0.3722 0.4697 0.3502 0.3872 0.4337 0.3463 0.3560 0.2332 0.3984 0.3968 0.3837 0.6917 0.4463 0.6548 0.4190
V12.2 0.3881 0.2155 0.0025 0.3550 0.1366 0.5178 0.1205 0.0831 0.2820 0.1631 0.3480 0.6378 0.3029 0.2059 0.2665
V12.3 0.4149 0.3284 0.1697 0.3761 0.2203 0.3663 0.1788 0.0954 0.3178 0.2781 0.2241 0.7723 0.3514 0.2146 0.3320
V12.4 0.4768 0.3542 0.1278 0.4055 0.3194 0.4670 0.2285 0.1129 0.3696 0.3386 0.3414 0.8002 0.4349 0.2256 0.3954
TasOut1 0.6972 0.6525 0.2940 0.6369 0.3389 0.3054 0.2689 0.1993 0.4339 0.5410 0.4444 0.4280 0.7164 0.4507 0.5924
TasOut2 0.6947 0.6170 0.2880 0.5917 0.3807 0.2662 0.3901 0.2331 0.4626 0.4643 0.4121 0.4135 0.7391 0.4217 0.5783
TasOut3 0.5664 0.6154 0.3305 0.6741 0.4155 0.3617 0.3811 0.3001 0.5015 0.5078 0.4856 0.5257 0.7513 0.4990 0.5350
TasOut4 0.5362 0.6263 0.3676 0.7225 0.4561 0.3701 0.4873 0.3657 0.5772 0.5350 0.5297 0.4956 0.7804 0.5538 0.5786
TasOut5 0.3913 0.3885 0.4901 0.4774 0.4401 0.3988 0.4289 0.3015 0.5183 0.5022 0.6260 0.3314 0.7328 0.4092 0.7037
Page 263
248
V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12 Task
Outcomes
Organizational
Outcomes
Public
Outcomes
TasOut6 0.3628 0.4099 0.5760 0.4721 0.4874 0.3427 0.3258 0.3193 0.5223 0.4676 0.6030 0.2735 0.7316 0.4266 0.7124
TasOut7 0.3355 0.4042 0.5967 0.4058 0.4730 0.3642 0.3599 0.3296 0.4834 0.5057 0.5658 0.3182 0.671 0.4673 0.6719
OrgOut1 0.3964 0.3189 0.3130 0.4447 0.3839 0.3501 0.3533 0.2860 0.4035 0.5131 0.4625 0.3432 0.5282 0.7551 0.4438
OrgOut2 0.4319 0.3552 0.3302 0.4937 0.4189 0.3684 0.3612 0.3223 0.4097 0.4868 0.4892 0.3797 0.5589 0.8211 0.4664
OrgOut3 0.3534 0.3305 0.3626 0.3773 0.4009 0.3525 0.3503 0.3080 0.3954 0.4458 0.4321 0.3181 0.5085 0.8193 0.3893
OrgOut4 0.3000 0.3668 0.4577 0.4093 0.4824 0.3754 0.3924 0.3597 0.4108 0.4826 0.4473 0.4222 0.5500 0.8642 0.4467
OrgOut5 0.2270 0.3484 0.3931 0.3650 0.4819 0.3543 0.4460 0.2759 0.4205 0.4216 0.4678 0.4514 0.4388 0.8087 0.3901
OrgOut6 0.2963 0.4283 0.3716 0.4323 0.5117 0.4260 0.4005 0.3118 0.4404 0.4719 0.4165 0.5083 0.4251 0.7039 0.4392
PubOut1 0.7071 0.5247 0.2914 0.6929 0.4239 0.3314 0.3071 0.1501 0.4646 0.4862 0.4722 0.3988 0.6397 0.3915 0.7094
PubOut2 0.6811 0.5635 0.3263 0.7268 0.3956 0.3092 0.4449 0.1998 0.5472 0.5371 0.4797 0.4892 0.6308 0.4207 0.7570
PubOut3 0.4901 0.5571 0.5757 0.5592 0.4842 0.3837 0.4012 0.3552 0.6793 0.5531 0.5783 0.4139 0.7346 0.4318 0.8562
PubOut4 0.3868 0.4147 0.5224 0.5118 0.3722 0.2630 0.4380 0.2960 0.6371 0.5068 0.4890 0.3254 0.6405 0.4024 0.7963
PubOut5 0.3198 0.4680 0.6052 0.4350 0.4275 0.3417 0.4025 0.2868 0.6035 0.5229 0.5586 0.3280 0.6295 0.4562 0.7561