ABSTRACT

In this paper, we are showing how Information Technology (IT) governance frameworks contribute to the implementation of the key principles of the good corporate governance, particularly, in the public sector. We demonstrate that there are numerous links, explicitly and implicitly expressed through a set of IT governance instruments, matching the proposals of good governance principles with the behavioral goals of an IT governance framework implementation. We also provide a real experience of using a set of possible instruments, in our public university, through an IT governance framework based on the ISO/IEC 38500 standard. We also present the maturity of the good governance principles implementation with this set of instruments, after governing IT in our university during the period 2007-2013. We show that using an IT governance framework in a public entity mutually reinforces the key principles of good governance, especially the transparency and accountability goals for the IT assets.

1. Introduction

Public owned entities, public enterprises and public services are very important to the general governance and essential for any government. They serve as a vehicle to execute the public sector strategy. Due to their importance, good governance standards provide transparency and clear decision making, authority and responsibility structure at the public sector assets. Good governance of public assets also should include good governance on Information Technology (IT) [1]. IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way, to ensure fusion with public units and department goals [2]. Also, IT governance consists of leadership, organizational structures, and processes that ensure that the organization’s IT sustains and extends the organizational strategy and objectives [3]. In the light of these definitions, it seems that IT governance is part of the good governance of the public enterprises and organizations.

Van Grembergen and De Haes [4] focus on enterprise governance of IT and define this as “an integral part of corporate governance and it addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments”. This procedural definition of IT governance facilitates the construction of IT governance frameworks [5]. However, good governance of enterprises should not be focused only on processes and structures of the organization although people responsibilities and alignment are essential for its implementation. To be able to create an understanding of how IT governance and its role within an organization, it is necessary to look at a broader view, this can be done through viewing the corporate governance. Corporate governance is defined as something that provides structure for determining organizational objectives and monitoring performance to ensure that objectives are determined. Within some nations, it is statutory to have a supervisory board, whose purpose is to protect the shareholders and other stakeholders, such as employees, customers and creditors. This board and the senior management team work with the implementation of governance principles and this makes possible to ensure effectiveness of organizational processes [1]. Corporate governance of the public sector means applying these issues to public enterprises and services. Weill and Ross [6] have built a general framework for linking corporate and IT governance. The framework only illustrates the connection between corporate governance and the company’s key assets governance in private enterprises and public organizations. The senior executive team is commissioned by the board and their assignment is to formulate strategies and desirable behaviors for the organization. Weill and Ross see a strategy as a set of choices and examples of strategies are “who are the targeted customers” and “what is the unique and valuable position targeted by the firm”. Desirable behaviors embrace the beliefs and culture of the organization and are defined through strategies, corporate value statements, mission statements, business principles, rituals, and structures. In every enterprise the desirable behaviors are different but should be clearly defined due to that they are the key to achieve effective governance. However, desirable behavior at public sector means good governance practices based on firm key principles. This behavioral definition of IT governance conducts to improve the transparency of the IT governance frameworks. This work is focused in the behavioral aspect of IT governance for the public sector.

On one hand, public sector spends public money; how this money is spent and the qualities of services provided are critically important for citizens, users and taxpayers. Therefore, we need good governance of public services to be of a high standard. Good governance leads to good management, good performance, good investment of public money, good public behavior and good outcomes [7]. There are several codes for public service governance to provide guidance across the complex and diverse world of public services, which are provided by the public sector and a range of other agencies. However, the most modern and general applicable one to public sector is [8]. At this moment this good governance in the public sector document is just a consultation draft for an international framework, but it is built on the principles proposed by the CIPFA and IFAC standards bodies. This framework defines effective governance in the public sector as those principles that encourage better decision making and the efficient use of resources and strengthens accountability for the stewardship of those resources. This standard encourages public services to review their own effectiveness, and it will provide a common framework for assessing good governance practice.

On the other hand, an Information Technology (IT) governance framework is straightforward model for helping organizations implement an IT governance standard. There were in the past several organizations claiming that they provide IT governance processes and structures, but we may conclude that there is only one standard for IT governance since 2008, the ISO/IEC 38500 [9]. Thus, when we observe the behavior in the broader sense of governing information technology use, we are referring to the way that the organization and the individuals act when dealing with situations that require something to be done, or a decision to be made in respect to Information Technology issues. Behavioral side of the IT governance defines formal and informal relationships among the different stakeholders (managers, employees, staff, customers, communities, etc.) and how they interact with the strategy of the public sector entity or service. Additionally, behavior also refers as the set of norms, rules, laws that frame these relationships and their compliance. Therefore, an IT governance framework should, at least, consider all aspects described above. In particular, we are going to use, as example of a real case, the dFogIT governance framework [10] to illustrate a way to implement the ISO/IEC 38500 standard.

In this paper, we are going to show how IT governance frameworks may contribute to the general the implementation of the principles of the good corporate governance, particularly at public sector. In the paper we will show that there are numerous links, explicitly and implicitly expressed through governance instruments, between the orientation of the good governance principles and the behavioral aspect of the IT governance framework implementation. We also provide a real implementation through the dFogIT governance framework. Thus, in Section 2, we overview the good governance principles in the public sector, in particular the consultation draft published by the IFAC and CIPFA. In next section, we introduce the IT governance objectives and the importance of its behavioral essential component. We also review the basics of the ISO/IEC 38500 standard model and one real implementation in a public sector entity based on the dFogIT governance framework. In Section 4, we point out the possible implementation of good governance principles in the dFogIT governance framework through governance instruments. We discuss how the behavioral component of IT governance is more important to good governance than the procedural or structural components, features exacerbated in some tools and methods for IT governance. Finally, we show our conclusions and open problems.

2. Good Governance in the Public Sector

Every public sector entity or public service spends public money; how this money is spent and the quality of services it provides is critically important as citizens, users and taxpayers. Therefore, we need governance of public services to be of a high standard. Good governance leads to good management, good performance, good investment of public money, good public behavior and good outcomes. The governors of public services organizations face a difficult task. They are the people responsible for governance—the leadership, direction, evaluation and monitor of the organizations they serve. Their responsibility is to ensure that they address the goals and objectives of these organizations and that they work in the public interest. They have to bring about positive outcomes for the users, as well as providing value for the taxpayers who fund these services. They have to balance the public interest with their accountability and compliance. There is clear evidence that many have difficulties in fulfilling these responsibilities [11].

There are several codes for public service governance to provide guidance across the complex and diverse world of public services, which are provided by the public sector and a range of other agencies. The Good Governance Standard for Public Services from the Independent Commission for Good Governance in Public Services [7] presents six principles of good governance that are common to all public service organizations and are intended to help all those with an interest in public governance to assess good governance practice. This issue builds on the Nolan principles [12] for the conduct of individuals in public life, by setting out six core principles of good governance for public service organizations. This standard encourages public services to review their own effectiveness, and that it will provide a common framework for assessing good governance practice. The Worldwide Governance Indicators (WGI) [13] are a research dataset summarizing the views on the quality of governance provided by a large number of enterprise, citizen and expert survey respondents in industrial and developing countries. These data are gathered from a number of survey institutes, think tanks, non-governmental organizations, international organizations, and private sector firms. The World Bank’s new Governance and Anti-Corruption Strategy [14] explicitly endorses greater use of “disaggregated and actionable governance indicators”. Actionability, in short, implies greater clarity regarding the steps governments can take to improve their scores on an indicator, i.e. if the government successfully undertakes reforms in certain areas, relevant indicator(s) will respond in a favorable direction. The study Governance in the Public Sector: A Governing Body Perspective, from the IFAC [15] focuses on governance arrangements in the public sector; specifically on the responsibilities of a governing body of a public sector controlled entity. The Institute of Directors in Southern Africa (IoDSA) formally introduced the King Code of Governance Principles and the King Report on Governance (King III) [16]. King III has been written in accordance to comply or explain principle based approach of governance, but specifically to apply or explain regime. This regime is currently in the Netherlands and in South Africa. The Australian Stock Exchange also operates on comply or explain regime for its governance rules applied to listed companies [17,18]. The OECD Guidelines are the benchmark to help governments in improving the corporate governance of Stated Owned Enterprises (SOEs) [19]. We believe that this is a fairly widespread practice, as is appropriate for a principlesbased approach to control. Addressing the State as an owner, the Guidelines establish the core elements of a good corporate governance regime. They provide standards and good practices, as well as guidance on implementation, and should be adapted to the specific circumstances of individual countries and regions. The IFAC’s International Good Practice Guidance (IGPG) [20] provides a framework and principles-based guidance for professional accountants in business and their organizations in evaluating and improving internal control as an integrated part of the organization’s governance, risk management, and internal control systems. The Role of Auditing in Public Sector Governance [21] from the IIA is intended to further clarify the importance of the public sector audit activity to effective governance and defines the key elements needed to maximize the value the audit activity provides to all levels of the public sector. The guidance is intended to point to the roles of audit (without differentiating between external and internal), methods by which those roles can be fulfilled, and the essential ingredients necessary to support an effective audit function. As such, it may not be fully applicable in every jurisdiction, particularly where public sector audit roles and responsibilities are specifically defined by governing institutes or legal mandates to exclude certain functions or assign them to other entities. The publication of the King Report I and II have given further impetus to the issues of governance not only in SOEs, but also in the full range of business entities. In 1999, the Government of South Africa affirmed the overall strategic vision of the restructuring of SOEs. Corporate governance, as embodied in the Protocol [22], is one of the cornerstones of this strategic vision.

All the initiatives, guides and protocols briefly cited above are compared against the key principles of Good Governance in the Public Sector [8] in the table [10]. The key principles of Good Governance in the Public Sector from CIPFA and IFAC recap most of the desirable accounting features of the previous works. We selected this consultation draft consultation due to its updated content and global implementation possibilities for public sector enterprises and for any asset, particularly Information Technologies.

The Good Governance in the Public Sector defines effective governance in the public sector as those principles that encourages better decision making and the efficient use of resources and strengthens accountability for the stewardship of those resources. Therefore, effective governance is characterized by robust scrutiny, which provides important pressures for improving public sector performance, gaining transparency and tackling corruption. Effective governance can improve management, leading to more effective implementation of the chosen interventions, better service delivery and operation, and, ultimately, better outcomes. We shall return to this list of improvements for the IT governance framework description. Thereby, these improvements make citizen’s lives are also improved. The framework proposed by CIPFA and IFAC includes seven principles of good governance for public service organizations. This standard encourages public services to review their own effectiveness, and that it will provide a common framework for assessing good governance practice (see Figure 1).

The key principles are based on the function of good governance in the public sector which is to ensure that entities act in the public interest at all times, i.e. acting in the public interest requires seven principles (and subdivisions) as follows:

A. Strong commitment to integrity, ethical values, and the rule of law:

A1. Demonstrating integrity;

A2. Strong commitment to ethical values;

A3. Strong commitment to the rule of law;

B. Openness and comprehensive stakeholder engagement:

B1. Openness;

B2. Engaging individual citizens and service users effectively;

B3. Engaging comprehensively with institutional stakeholders;

C. Defining outcomes in terms of sustainable economic, social, and environmental benefits:

C1. Defining outcomes;

C2. Sustainable economic, social, and environmental benefits;

D. Determining the interventions necessary to optimize the achievement of intended outcomes:

D1. Determining interventions;

D2. Planning interventions;

D3. Optimizing achievement of intended outcomes;

E. Developing the capacity of the entity, including the capability of its leadership and the individuals within it:

E1. Developing the capacity of the entity;

E2. Developing the entity’s leadership;

E3. Developing the capability of individuals within the entity;

F. Managing risks and performance through robust in-

ternal control and strong public financial management:

F1. Managing risk;

F2. Managing performance;

F3. Robust internal control;

F4. Strong financial management;

G. Implementing good practices in transparency and reporting to deliver effective accountability:

G1. Implementing good practices in transparency;

G2. Implementing good practices in reporting.

The key principles and subdivisions listed above are developed extensively in [8]. In next sections we shall compare these key principles for good governance in public enterprises with the IT governance standard and an example of implementation.

3. Good Governance in IT

Public owned enterprises and public services are very important to any government. Most serve as a vehicle for the government to execute their strategy, and less provide some dividend to the government. Due to its importance, good governance practices based on good governance principles are very important as stated in previous section. Basically, they provide transparency and clear decision making processes, authority and responsible structures, measured performance and accountability. Since, Information Technology (IT) has become an essential asset in any enterprise, including the public sector, good governance principles should be also implemented on IT governance practices [1].

Van Grembergen [2] defined IT Governance as the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure fusion of business with IT. It consists of leadership, organizational structures, and processes that ensure that the organization’s IT sustains and extends the organizational strategy and objective. This definition still rhymes with ITGI’s [1] definition—loosely—is a part of enterprise governance that consist of leadership, organizational structures, communication mechanisms and processes that ensure that the organization’s IT sustain and extends the organization’s strategy and objectives, as a responsibility of the board of directors and executive management. In the light of these definitions, and the regulatory requirement for the public sector for good corporate governance, it seems that IT governance should be imperative for the public companies. However, both definitions are more oriented to processes, structures and strategy than the behavioral side of good governance.

Additionally, the implementation of good IT governance might be the answer to organization need to ensure IT value creation and also return on IT investments. Without good IT governance, there might be risk of inappropriate IT investment, failure of services to public/ customer and even non-compliance to regulations. Using the terminology in [23]; proper IT governance is needed to ensure that the investments in IT will generate the required business value and that risks associated with IT are mitigated. This latest consideration to value and risk are closer to the principles of good governance but it remains some procedural vision of IT governance. This vision is confirmed in [24] focus on enterprise governance of IT and define this as “an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments”.

According to Weill and Ross [6], IT governance performance correlates with desired corporate performance measure. For example, companies that have better IT governance may profit 20% higher than those of other companies pursuing similar strategies and also achieve higher returns on equity. They argue that IT governance and bottom-line performance measures correlate quite well. IT Governance is necessary since the average enterprise spends a lot of money on IT. The survey, included in [6], stated that more than 4.2% of the average enterprise revenues are annually spent on IT. These 4.2% include both the IT budget and hidden IT spending outside the IT budget. Overall, IT investments account for more than 50% of an enterprise’s total capital budget [25]. Therefore, IT governance is also the strategic alignment of IT with the business such that maximum business value is achieved though the development and maintenance of effective IT control and accountability, performance management, and risk management [26].

But good corporate governance is not the unique reason for an organization to initiate IT governance. From the beginning, any IT governance terminology identifies the “stakeholder value drivers” which was the main reason of an organization embarked on IT governance practices. Pressures from stakeholders drives the need of IT governance at companies, and, maybe, some public services do not have good IT governance because they do not have the need for it, until now. The framework depicted in [6] illustrates the connection between corporate governance and the company’s key assets governance. In the Figure 2 the parts are related to IT governance are marked in blue color.

In Figure 2, on the top of the framework the board’s relationships are shown. The senior executive team is commissioned by the board and their assignment is to formulate strategies and desirable behaviors for the organization. Weill and Ross see a strategy as a set of choices and examples of strategies are “who are the tar-

geted customers” and “what is the unique and valuable position targeted by the firm”. Desirable behaviors embrace the beliefs and culture of the organization and are defined through strategies, corporate value statements, mission statements, business principles, rituals, and structures. In every enterprise the desirable behaviors are different but should be clearly defined due to that they are the key to achieve effective governance [6]. Below the strategy and desirable behaviors in the framework six key assets are illustrated. Information and IT is remarked in Figure 2. In this framework, IT governance may be defined as specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. Also the IT governance has been identified as the responsibility of executives and senior management that consists of leadership, organizational structures and processes that ensure that IT assets are supporting and extending the company objectives and strategies of the organization [27]. After all, the definition of IT governance comes from the general definition of governance. In fact, the selection of wording for the definition for governance of IT in ISO /IEC 38500 was deliberated to be aligned with the definition of corporate governance in the Cadbury report [28]. Thus, the IT governance should not be very different of governing other assets, such as financial, personnel, intellectual property, administration, facilities, etc. However, the day-by-day work at many companies seems to be quite different. It seems natural that the CIO (Chief Information Officer) to continuously justify each minor decision, which is not the case in other governance assets. That is, this continuous reevaluation does not occur in other traditional assets, where is almost impossible to think about this continuous justification of simple projects, tactic goals, IT department strategy, IT budgeting, etc. that CIO typically suffers.

Thus, this definition of IT governance aims to consider several important terms: decisions, behavior and the accountability framework. In relation to decisions, governance is who decides and what to decide. On one hand, who decides consists of people grouped into structures (committees, commissions, groups, boards, etc.). On the other hand what to decide are: principles, architecture, infrastructure, IT business applications needs and IT investments [6]. This behavioral approach to the IT governance implementation is less influenced by processes and is conducted by decisions of governance structures and their proper communication. However, when we look at behavioral side of IT governance in the broader sense, we are not only referring to the way that the organization and the individuals act when dealing with situations that require a decision to be made. If action is not taken, or the wrong action is taken, we would consider this to be bad behavior. Conversely, when the right action is taken in a timely manner, the behavior is good. The same goes for decisions—avoiding them, or intentionally making the wrong choice is bad behavior, while addressing them head-on and seeking the right choice is obviously good behavior [29]. Behavioral side of the IT governance also defines formal and informal relationships among the different stakeholders (managers, employees, staff, customers, communities, etc.), how they interact with the strategy of the public company. Additionally, behavior also refers as the set of key principles that frame these relationships and their compliance. This can be accomplished implementing an IT governance framework, for this important asset (see Figure 2), linked to the good governance principles of the public company (see Figure 1) and neither just only processes, structures and communication, nor just only the goodness in decision-making. This is the objective of this research, but first we have to overview the current situation of the IT governance standardization.

3.1. The ISO/IEC 38500 Standard

An IT governance framework is straightforward model for helping organizations implement an IT governance standard. We may conclude that there was only one standard for IT governance until 2005, corresponding to the Australian Standard AS8015 [30], on which the ISO/IEC 38500 [9] is based. ISO/IEC 38500, issued in 2008, is the first international standard that provides guidelines for governance of IT. Different organizations may adopt different approaches to ISO/IEC 38500 conformance—and the systems for governance of IT will differ in their design from one organization to another. However, with recognition that the governance system includes the management system, and understanding that both governance and management systems involve people, process, structure and technology, it should be clear that established frameworks should greatly assist in establishing the corresponding systems [31].

In fact, during a long time, a lot of organizations confused the governance with the management (and even operation) of IT. As Toomey stated in [31], the reason of this misunderstanding was because the frontiers between both may be somewhat diluted. Indeed, this error has been widely promoted by some IT management de facto standards, which tried to include some governance mechanisms. It is not the nature of this paper debating about standards, but we may conclude that COBIT 4 [32] and ITIL [33] are currently regarded IT management frameworks with some governance features. Both standards contain parts that refer to the IT governance, explicitly or implicitly, as a subset within the management of IT systems. The same applies to the standard ISO/IEC 20000 [34] which is also a management framework of IT. In Figure 3, the conceptual model for IT governance (and its relation with IT management) is simply depicted.

The informal interpretation of Figure 3 is as follows:

Ÿ  IT managers and technical staff should guarantee the development of IT projects and their corresponding operations to maintain QoS (Quality of Service) of business processes.

Ÿ  These projects should be directed from the strategic plan and policies coming from the board, in which the CIO must be included to improve communication with the business units and IT staff.

Ÿ  Thus, business units and IT units must work together to propose new projects that CIO and other governance structures should evaluate to be included in the applications portfolio that implement the strategic plan.

Ÿ  To close the virtuous cycle, once the projects become a reality and they serve to operate business, infrastructure or architecture processes, IT staff should measure their performance and conformance.

Ÿ  The CIO must monitor these values in order to have enough information to consider new proposals coming from lower IT layers again.

The ISO/IEC 38500 (based on AS8015) sets out six principles for good corporate governance of IT that express preferred behavior to guide decision making, we may overview these principles:

1.    Responsibility: Establish clearly understood responsibilities for IT;

2.    Strategy: Plan IT to best support the organization;

3.    Acquisition: Acquire IT validly;

4.    Performance: Ensure that IT performs well, whenever required;

5.    Conformance: Ensure IT conforms with formal rules;

6.    Human behavior: Ensure IT respect human factors.

Latest version of COBIT [35] included for the first time the ISO/IEC 38500 model. However, there is something quite fundamental, for the development of our research, which is the most significant difference between ISO/IEC 38500 and COBIT 5. Whereas ISO/IEC 38500 has a behavioral stance—offering guidance about behavior, COBIT 5 (and previous versions) has a process stance—offering guidance about process. Our research is not process or structurally oriented, since we believe that IT governance frameworks are insufficient to guarantee good governance because they are at risk of poor behavior. Thus, the three main activities of the ISO/IEC 38500, direct, evaluate and monitor, must be performed following the six principles (see further details of these principles at the standard documentation [9]). These principles and activities clarify the behavioral side of IT Governance, as Stachtchenko stated in [36]:

Ÿ  Stakeholders delegate accountability and stewardship to the governance body and, in exchange, expect the governance body to assume accountability for the activities necessary to meet the expectations.

Ÿ  The governance body sets direction for the management of the organization and holds them accountable for overall performance.

Ÿ  The governance body takes a stewardship role, in its traditional sense of assuming the responsible management of something entrusted to one’s care.

Therefore, an IT governance framework should, at least, consider all the behavioral aspects described above. Our framework model, called dFogIT, not only includes in its core the ISO/IEC 38500 principles and their activities, but also the essential key aspects for governance accountability. On one hand it also considers how communicate to the public and the rest of stakeholders a layered view of the value of the IT assets could be extracted from even the day-to-day operation, i.e. the decision making responsibilities about how the money of our taxes is spent. On the other hand, we present in this article, how dFogIT may implement the key principles of good governance explicitly and implicitly.

3.2. Extending ISO/IEC 38500: The dFogIT Governance Framework

The dFogIT (detailed Framework of governance for Information Technologies) corresponds to an extension based on the ISO/IEC 38500 standard [37]. The core of our framework is implemented taking into account the three activities (direct, evaluate and monitor) and reinforcing the implementation of the six principles coming from the standard [38]. The origin of the creation of our IT governance framework is due to our experience as responsible of the CIO office at the public University of the Balearic Islands [39] from 2007 until 2013, first as Delegate of the Rector and afterwards as Vice rector for IT. Before and during three years within this period, we observed several of the common errors of public organizations, when governing IT assets, due to the lack of maturity in good governance principles:

Ÿ  No IT governance processes, structure or communication;

Ÿ  Overpower of IT management in decision-making about any IT activity;

Ÿ  CIO and CTO roles are not clarified;

Ÿ  Absence of reporting, control and accountability;

Ÿ  Lack of confidence on IT assets and IT staff by the board;

Ÿ  No strategy for IT, just tactics for the short run;

Ÿ  IT investments based on cash-flow availability for infrastructure;

Ÿ  Architecture decisions based on IT staff knowledge, not in public users interests or entity strategy;

Ÿ  No consideration of compliance, different from the IT technical issues;

Ÿ  No participation of users, IT personnel, business units, board members or any stakeholder in IT decision making different from surveys at requirement phase of project management.

Ÿ  Communication with stakeholders by demand or by claim.

Thus, we suffered not only the lack of the procedural side of governance practices but mainly a complete absence of the right behavior in governing public assets if you compare the previous list against the overview of the six ISO/IEC 38500 principles above. Therefore, during the last three years (2011-2013), we implemented dFogIT (and we use it) at University of the Balearic Islands as Vice Rector for IT office [38]. Even the core of the framework is compatible with the ISO/IEC 38500 standard; we extended it with two additional layers. As Figure 4 shows, two of four layers of the dFogIT model, in particular, the IT Governance and the IT Management ones are equivalent to the international standard. So that, the ISO/IEC 38500 model is extended with two addition al layers: the Corporate Governance layer, which represents the strategic and the behavior view of the enterprise; and the IT Operation layer, which represents the

tangible IT assets. Every layer in the model represents essential actions performed by their corresponding actors and stakeholders.

Therefore, the four layers depicted in the model correspond to specific elements in the ISO/IEC 38500 model. The corporate governance layer is essentially the general context for corporate governance, depicted in ISO/IEC 38500 as the “business pressures” and “business needs” arrows. The IT Governance layer represents the triangle depicting corporate governance of IT. The IT Management layer corresponds to the IT Projects and IT Services, quite similar to the standard, and the IT Operation layer corresponds to the support of the whole IT assets through IT personnel, IT infrastructure and IT architecture.

In conclusion, the dFogIT model both re-frames and extends the ISO/IEC 38500 model. The most significant aspect of this framework is its demonstration of the guidance in ISO/IEC 38500, that each organization adopting the standard needs to design the detailed adoption approach to suit its own situation and characteristics.

The dFogIT governance framework model consists of four layers of corporate governance vision of IT assets, from bottom to the top:

Ÿ  The layer of IT Operation, including IT personnel, assets and commodities (buildings, computers, networks, outsourcing, etc.).

Ÿ  The layer of IT Management, which corresponds to the transformation of IT projects, which are made to improve business processes to daily operations, these operations include their maintenance and IT services.

Ÿ  The layer of IT Governance, which corresponds to the direction or IT Management based on the evaluation of project proposals, and monitoring the operations and services. The IT Management and IT Governance layers are identical to the standards ISO/IEC 38500 [9].

Ÿ  The layer of Corporate Strategy, which aims to get value from IT in terms of applications that are requested from governing structures in order to produce value of IT. This layer conducts the strategy and the behavior of any asset (see Figure 2).

Thus, each layer contains a transformation, as follows:

Ÿ  Commodities are transformed into IT assets through IT staff knowledge, training and motivation at the IT Operation layer.

Ÿ  IT Projects are transformed into IT Operations contributing to IT Services, when business processes are implemented at the layer of IT Management. This transformation is exactly shown as in the ISO/IEC 38500 standard.

Ÿ  Operation trends and quality of Services are monitored and evaluated, transforming these measurements into new directions at IT Governance layer. This definition is identical as the ISO/IEC 38500 standard definition.

Ÿ  Corporate Governance (not only for IT) structures at enterprise are seeking IT value by transformation of IT applications and solutions.

In order to interconnect the four layers in the model, different governance instruments may be used. In fact, any company should implement its own set of governance instruments. Our example of implementation at the University of the Balearic Islands [38] preempted the following processes and activities (from left to right in Figure 4):

Ÿ  The board and other governance structures at the enterprise establish business oriented-principles, highlevel strategic objectives, and key governance principles for any asset, particularly IT. Therefore, the CIO office must translate them into IT principles and IT strategic goals.

Ÿ  These goals are further developed into tactical goals in detailed plans and IT policies.

Ÿ  The projects should be originated from this direction plans and should need additional resources.

Ÿ  The IT staff, through their training, education and motivation, understands the business processes and catch the requirements of business units to fill out standard project formularies.

Ÿ  These standard formularies are evaluated. Thus, some of these proposals will constitute the project portfolio and the project investment priorization. The projects will be rolled out and will constitute the set of applications that the board will visualize.

Ÿ  IT infrastructure and IT architecture hold the operations and services.

Ÿ  These operations and services are monitored providing IT Management indicators and metrics. These metrics should support the IT related goal metrics, meaning of progress and advance, i.e. providing alignment and IT value.

Thus, dFogIT implementation model provide several virtuous cycles to promote the good governance for IT covering the procedural side of decision making for the IT assets, processes, structures and how communicate them at public owned enterprises, e.g. the University of the Balearic Islands. Our framework helps CIOs to communicate the IT value, not only with the rest of the company but also with IT staff which is usually reluctant to be evaluated and monitored without understanding why they should be governed. These last two features were the main reasons to extend the ISO/IEC 38500 model with two additional layers. This framework was designed to be embedded within the normal management and governance functions of any institution, including public and private owned enterprises, but encouraging more transparent governance at public institutions through the implementation of virtuous cycles through governance instruments implementation. By this “lightdesign” approach within institutional processes, structures and communication, value can be added for IT asset with relatively little additional overhead. The dFogIT framework could be also applicable to other assets different from the IT with slightly modifications.

4. Good Governance Principles for Public Sector in IT Governance Frameworks

The research hypothesis in this article, it is whether our framework also serves to contribute to the key principles of good governance, i.e. covering the behavioral side of IT governance beyond the decision-making processes. In the next section will show that there are numerous links, explicitly and implicitly shown, between the key principles of good governance for public sector [8] and their implementation in dFogIT framework [37]. First, we are going to overview where these links are located and why, and second, we shall illustrate how to implement the good governance principles through IT governance instruments, particularly in dFogIT. Additionally, we are going to score the good IT governance maturity of the University of the Balearic Islands before and after implementing some of these IT governance instruments. This score is only an approximation since not all the possible governance instruments (even we enlist more than eighty) are considered. Moreover, our scoring is subjective since the values are coming from the responsible of the IT governance during the period 2007-2013. However, this auto evaluation serves also to illustrate the way to monitor and evaluation of the improvement in the right behavior or the public entity assets, particularly in IT.

4.1. Mapping Good Governance Principles into dFogIT Framework

In Figure 5, we place the relationship among the principles of good governance (see Section 2) and the layers and their interconnections in dFogIT framework. The principles are located where their interpretation and the meaning of the framework model mainly coincide. There is no perfect match between the key principles and the framework due to the general application of the principles affecting all the governance areas, since they were developed independently. The key principles are based on the function of good governance in the public sector which is to ensure that entities act in the public interest at all times, whereas dFogIT is a layered model to implement this good governance principles, particularly for IT assets. Thus, we propose this matching between governance principles and our framework by recapping and adapting some parts of [8] in the model presented in [37] for IT governance (see Section 2 and Figure 5, respec-

tively). We briefly explain the coincidences and adaptations, as follows:

A. Strong commitment to integrity, ethical values, and the rule of law.

A1. Demonstrating integrity: The IT principles should collect the general corporate principles of the institution adapted IT assets. These IT principles must reflect public expectations about the conduct and behavior of entities, groups, and individuals who manage public IT service provision and spend public money in IT assets. The governing board should stand as a role model by keeping integrity values at the forefront of its own thinking and behavior and use them to guide IT decision making. Integrity statements must be part of the principles guiding the corporate governance layer in any IT framework. This adaptation covers also the principles definition at [6].

A2. Strong commitment to ethical values: Identically to the previous, to ensure continued integrity and avoid public concern or loss of confidence, governing body members and staff should take steps to avoid or deal with any conflicts of interest, whether real or perceived. IT user complaints should be handled and resolved efficiently, effectively, and in a timely manner to improve the IT performance of the entity and IT services. Complaints and claim management should be included as day-to-day activities.

A3. Strong commitment to the rule of law: The conformance with laws, norms and rules affecting IT asset should be monitored by the IT governance as also ISO/IEC 38500 states. Green IT issues should be considered as part of the compliance.

B. Openness and comprehensive stakeholder engagement.

B1. Openness: The overall IT framework (e.g. dFogIT) and their respective IT governance instruments should be communicated to the general public, to the staff and to all stakeholders, e.g. through the IT governance website [38]. The IT framework itself must be publicized to everyone in the entity and it should be understood by internals.

B2. Engaging individual citizens and service users effectively: The IT service catalog, published and evaluated by users, is the more direct way to engage this kind of stakeholders. Users have to be immersed in the management of the services they are utilizing and their complaints should also be managed to better serve with the quality expected. Partnership around the projects and services is the natural way to engage other units different from IT staff. Experiences with different working groups should be promoted and reported.

B3. Engaging comprehensively with institutional stakeholders: Relationships with other entities are particularly important if they serve the same users or communities or if they provide complementary or related IT services. This engagement should be guaranteed by the board by means of clear and public compromises and statements. Governance structures should include committees to engage other stakeholders belonging to other administrations and clusters. Board members should also belong to other structures in different entities to benchmark and share experiences to improve the public interest.

C. Defining outcomes in terms of sustainable economic, social, and environmental benefits.

C1. Defining outcomes: IT outcomes may be viewed as the impact of the IT services, provided by a public entity in delivering its objectives. Outcomes should be used as a basis for IT planning and other IT decisions and should contain appropriate key performance indicators (KPIs) for measurement and evaluation. KPI should emerge naturally from the value chain of the IT asset within the entity. COBIT 5 provides examples of implementation of different indexes for the general entity and the IT asset [35].

C2. Sustainable economic, social, and environmental benefits: The long-term nature of the public sector’s responsibilities means that in defining IT outcomes, the entity must ensure they can be delivered on a sustainable basis, managing the IT capacity of entities in order to ensure the delivery of IT services. The direction of IT should consider that there will often be conflicting interests between achieving economic, social, and environmental benefits against IT services capabilities. All these conflicting interests must be solved by the board. Financial and investments in IT should be planned at least once a year. KPIs should be coherent and consistent between entity and IT assets. Balance score cards are good instruments for doing it. IT governance development itself should be planned inside the governance as recursive activity.

D. Determining the interventions necessary to optimize the achievement of intended outcomes.

D1. Determining interventions: IT governing members (CIO office) should receive objective and rigorous analysis coming mainly from IT management and business units (departments and offices) of a variety of options including their projected risks and intended results. The evaluation of this analysis should clarify how the proposed intervention would contribute to the achievement of IT outcomes, considering legal and financial matters and IT governance procedures and capabilities [27]. Project portfolio procedures are essential to align the strategy of the entity and its corresponding IT activities. Investments should be prioritized following this alignment. The same applies for service continuation or discarding. Acquisition, outsourcing and cloud services should be aligned also with the strategy of the public entity.

D2. Planning interventions: Public sector entities need to plan interventions, such as IT services or IT use regulation, appropriately. This means establishing planning and control cycles covering their strategic and operational plans, priorities, and targets. Simultaneously, they must engage with both internal and external stakeholders on how such IT services and IT operations and can best be delivered. In view of wider impacts of IT activities, public service entities should prepare their IT budgets in accordance with their IT objectives, IT strategies, etc. IT governance body (CIO office) will need to ensure that there is adequate funding available to support delivery of the entity’s defined IT objectives and/or IT strategic outcomes. The public entity strategy and the corresponding alignment in IT should be explicit published and explained. The annual budget should be adapted to the IT strategic plan considering the annual variations and the performance gained. IT should produce more value than just maintain the systems in good operation and conduct to the implementation of the strategic plan.

D3. Optimizing achievement of intended outcomes: This should ensure that the IT budgets and IT service and IT project plans are aimed at achieving the intended outcomes, while making the best overall use of scarce IT resources including IT personnel. For example, the decision to perform develop in-house or to outsource depends on many factors, including policy considerations, available expertise, and cost. Therefore, public sector entities should have an adequate, all-inclusive budgeting process, taking into account the full cost of their operations in the medium and longer term, e.g. comparing the overall costs of developing open-source software or acquiring a solution from vendors. Project and investment portfolio should be oriented to achieve the intended outcomes.

E. Developing the capacity of the entity, including the capability of its leadership and the individuals within it.

E1. Developing the capacity of the entity: Deployment of new IT infrastructure, organized through IT architecture, can also pose serious risks and cause many issues when either the technical or organizational aspects of its implementation and IT operation are not properly planned and managed. The right skills will therefore be required both during and after implementation. For example, cloud services planning against in-house solutions should be considered in the long-term. IT resources, especially infrastructure, should be controlled in order to know if capacity and performance expectations may be disappointed. IT architecture of data and processes also depends on infrastructure and cloud services capacities.

E2. Developing the entity’s leadership: Good governance requires clarity over the various organizational roles including the IT governing, the IT management and the IT personnel. Their respective responsibilities also need to be communicated to stakeholders. Clarity about roles helps stakeholders understand how the governance system works and who is accountable for what and to whom. In fact, this is the leitmotiv of the creation of dFogIT and its publication means a formal statement that specifies the types of decisions that are delegated to the executive and those reserved for the governing body, among others. IT governance structures are responsible of the IT strategy through CIO Office development. CIO Office is crucial to leader the board and the public, respectively, to this strategy. CIO skills should include not only technical background but also business and public administration competences. The CIO should be part of the board or senior management structures.

E3. Developing the capability of individuals within the entity: Recruiting, motivating, and retaining IT staff are vital issues for successful public sector entities. The governing body and management team needs to provide an environment in which IT staff can perform well and deliver effective IT services by creating a positive culture that, for example, welcomes ideas and suggestions and proposals. It is important that IT staff have realistic job descriptions and training to ensure that their core responsibilities can be performed effectively. Staff motivation is the key for developing IT value. IT staff competence is the driver for transforming IT commodities into IT assets.

F. Managing risks and performance through robust internal control and strong public financial management.

F1. Managing risk: An IT governance framework should integrate the process for managing risk into the entity’s overall governance, strategy and planning, management, reporting processes, policies, values; and culture. This IT risk awareness must be specially monitored and evaluated within the new IT project proposals coming from joint business units and IT staff teams. IT risks are not trivial and the entity should continue operating in emergence situations. This should be planned on advance.

F2. Managing performance: Public sector entities should continuously monitor and periodically review whether the intended IT outcomes are still valid or whether they should be adapted to new scenarios. Additionally, the public IT service delivery activities can still effectively and efficiently achieve their outcomes. Monitoring mechanisms should provide governing body members and senior management with regular reports on progress of the approved IT service delivery plan and on progress toward outcome achievement. Reports should ideally include detailed IT performance analyses, too. IT performance monitoring should be related to IT value and entity’s outcomes. Entity performance management and IT performance management must be coherent by the use of balance scorecards or similar instruments to monitor and evaluate how entity is progressing.

F3. Robust internal control: IT governance should providing useful and reliable information to internal and external users for timely and informed decision making, whether IT services are delivered by the entity itself or are contracted out, outsourced, cloud served, etc. So that, the senior management should ensure conformance with applicable laws and regulations, as well as with the entity’s own policies, procedures, and guidelines. IT assets are crucial for the entity’s survival so that safeguarding the entity’s IT resources against loss, fraud, misuse, and damage should be preempted. Moreover, IT security management must guarantee the availability, confidentiality, and integrity of the entity’s information systems, including all IT processes. IT Audits should be considered in a regular basis.

F4. Strong financial management: IT governance should fund and allocate for the delivery of public IT projects and services including establishing financial objectives, policies and strategies, capital planning and budgeting, raising finances, and managing working capital, cash flow, and financial risk. Of course, this funding should be guaranteed in collaboration with other governing and senior management bodies coming from the financial and personnel assets in the public entity. Since funding is coming from public stakeholders mainly, the entity should be careful in acting in public interest in all investments.

G. Implementing good practices in transparency and reporting to deliver effective accountability.

G1. Implementing good practices in transparency: IT gives more opportunities and different channels for public sector entities to use to communicate with their stakeholders, including web-based information and social media. These communication channels should be formalized in the IT framework implementation. The communication should be based on the exchange of IT value for money, since public sector must ensure the public money is safeguarded at all times and used appropriately, economically, efficiently, and effectively. Transparency is the key to make the framework confident to the stakeholders. All the IT governance instruments should be published in a language understood by stakeholders. The IT governance instruments should be related with the objectives and the KPIs, if possible. Layering the IT governance framework eases the understanding for internal stakeholders and IT staff.

G2. Implementing good practices in reporting: IT governance good practices require to report publicly at least annually, so that stakeholders can understand and make judgments on issues such as how the entity is performing and whether it is delivering value for money and has sound stewardship of resources. It is also important that the process for gathering information and compiling the annual report ensures that the governing body and senior management own the results shown. The IT governance framework implementation itself, it is a way (e.g. as web portal) to communicate these reports [40].

4.2. Implementation of Good Governance Principles through IT Governance Instruments in dFogIT Framework at UIB

In order to add some degree of experimentation to the mapping of key good governance principles in the IT governance framework of a public company, we reviewed the corporate governance maturity for the IT assets at University of the Balearic Islands (UIB) during our governing periods as Delegate of the Rector for New Technologies (2007-2010) and Vice rector for Information Tecnology (2011-2013), respectively. Our IT Governance arrangements have been scored using the scoring matrix from [41] but adding the null value and slight modifications. These maturity values are not equivalent to procedural as the ones appeared in [42], which are based on COBIT 4 [32] maturity values. The scoring matrix is about the mature implementation of a set of IT governance instruments to produce the right behavior that the key principles of good governance for the public sector are promoting. Thus, the scoring matrix has to be interpreted as the following:

Using Table 1, we evaluated the maturity in the application of the principles of good governance at the UIB. To realize the implementation of these principles, we have selected a comprehensive set of instruments that are used to govern enterprises and public entities, adapted to the IT asset. Of course, most of the 85 instruments selected in Table 2, are not used in every company. More over, this set is not complete but a good example of applicability in public and private entities. From our knowledge, this set catches most of the IT governance desirable behavior to be developed in any entity if they are developed and used enough to reach to maturity. As shown in Table 2, the level of maturity in the governance of IT is relatively low during the period 2007-2010, during which there had no IT governance framework was even devised in the UIB. Thus, assuming a maximum level of excellence (scoring 6), during the initial period, UIB does not reach to average 1.5 of maturity (excluding null values). However, in the following period, from 2010 to 2013, when we put in place some of these instruments, the maturity level increases 50%. Of course this evaluation is subjective to the governing body of the UIB after both periods, and it could be subjected to debate and discussion. However, it is clear that any IT governance instrument that is implemented sure is conducting to maturity in good governance principles. Even the score is low; there are some principles of good governance that have matured more in the UIB:

Ÿ  B.1: Openness

Ÿ  C.2: Sustainable economic, social, and environmental benefits

Ÿ  D.1: Robust decision making mechanisms

Ÿ  D.2: Planning interventions

Ÿ  D.3: Optimizing achievement of intended outcomes

Ÿ  G.2: Implementing good practices in reporting This last result is consistent with the creation of dFogIT, which began with the establishment of IT strategies and plans and investment selection and portfolio of projects aligned with that strategy. This corresponds to IT governance part of the virtuous cycle: Strategic Objectives > Direction > Plans > Projects > Business > Proposals > Evaluation > Applications > Value (see Figure 5). This means that the governing body has implemented the corresponding IT governance instruments to mature, even the rest of the organization layers, i.e. management and operation did not reach to this level, yet [43].

4.3. Comparison between Governance Periods

The analysis of the maturity process between both governance periods at UIB in Table 2 suggests that the impact of the implementation of dFogIT framework (and consequently ISO/IEC 38500) was more important than the subjective scoring. In fact, any increment in any value is positive, comparing 2011-2013 period against the previous one. However, this exercise of comparison is one of very few contemporary measurements of the IT governance impact following the ISO/IEC 38500 standard. From our knowledge, this implementation demonstrates positive gain since the adoption of dFogIT. As we stated in previous section, the major improvements came from the virtuous cycle of the project portfolio selection and the investment priorization, processes in which the board intentions and behavior changes are strongly conducted by the strategic objectives and the IT plans at UIB. We had less impact in the implementation of our IT governance framework in the IT services monitorization and KPI measurement. This virtuous cycle was not completed due to the unexpected death of the Chancellor and the corresponding premature finalization of the board mandate period. We hope that these processes will mature in next years by continuation of the dFogIT development.

Prior to the adoption of dFogIT, problems that were explained at Section 3.2 were exacerbated until a point of no return in which board direction and IT staff practices seemed irreconcilable. However, the board of a public organization, e.g. UIB, could not continue acting without considering explicitly the public interest and the desirable behavior in the use and implementing IT assets. Thus, this work not only illustrates the maturity of the UIB in terms of IT governance, but also how this maturity is aligned with the principles of good governance in the public sector. And this is the major improvement of our results as board member, i.e. come back to the original focus of a public university by acting in public interest of our stakeholders.

5. Conclusions

Acting in public interest in all of times is not a nice sentence for political and social recognition of the governors. It must be a continuous activity of those who govern and manage public assets in a transparent and accountable way to all stakeholders. This public accountability must be present in all the activities in the public sector. Fortunately, there are some initiatives as the key principles of good governance in the public sector to clarify this openness and strong commitment to ethical values should be implemented in all the public entities’ assets. This implementation should be studied particularly in the Information Technologies (IT) assets. The IT governance frameworks, in their behavioral development, may contribute to the same goals for governing public IT assets as the general good governance initiatives. This research points out how to implement the key principles of good governance in IT frameworks. On one hand, the dFogIT framework was designed to be embedded within the normal management and governance functions of any institution, including public and private owned enterprises, but encouraging more transparent governance at public institutions through the implementation of virtual cycles by governance instruments implementation. By this light-design approach within institutional processes, structures and communication, value can be added for IT asset with relatively little additional organizational overhead. However, our IT framework was never thought only to increase the procedural effectiveness in governing, but also to produce the right behavior in spending the public funds in IT assets. On the other hand, the consultation draft of the framework of key principles of good governance in the public sector, from IFAC and CIPFA, sets out principles for each topic and creates a contextual background for implementing good governance in public sector entities.

This research showed that dFogIT not only implements easily the guidance in ISO/IEC 38500, that each organization adopting the standard needs to design the detailed adoption approach to suit its own situation and characteristics, but also matches with the orientation of the key principles of general good governance. In fact, each framework reinforces the other, mutually. The more IT governance instruments are implemented in dFogIT, the more maturity produces in the application of good governance principles, and vice versa. We provide an example of implementation of IT governance in the University of the Balearic Islands (UIB) during the period 2007-2013. We located the principles of good governance in dFogIT and selected a considerable set of IT governance instruments that could be implemented in any public entity. We subjectively score the maturity of this set of instruments, with and without the implementation of dFogIT framework, in order to illustrate the gains of persevering in their implementation to reach to better governing costumes and day-to-day activities in public entities, particularly in IT assets. This evaluation was done since our position as IT governors during six years at UIB. Additionally, IT can promote good governance in three basic ways: increasing transparency, information, and accountability; facilitating accurate decision making and public participation; and enhancing the efficient delivery of public goods and services. Thus, publishing dFogIT framework, and their corresponding IT governance instruments, in the UIB public website, increased considerably the openness of the decision-making results and processes that were opaque to all stakeholders before implement this IT framework.

Open problems to further research are how good governance principles are related to e-government practices through IT assets, different from the IT governance implementation. Particularly, we are researching in how to extend the dFogIT framework with additional instrumentation coming from or addressing to the stakeholders and the general public. Another interesting problem to further research is how IT governance maturity could decrease by leaving out the use of instruments depicted above.

Acknowledgements

This work has been partially supported by the Spanish Ministry of Economy and Competitiveness under grant TIN2011-23889. We want to acknowledge our initial joint work, with our former collaborator M. Gómez, about the relationship between Nolan Principles and IT Governance frameworks which was the starting point of this research.

REFERENCES