IT Governance Implementation Framework for Public Sector Organizations of Pakistan

By Amanat Ali
10-UET/PhD-CASE-EM-65

Supervised by: Dr. Asim Nisar

ENGINEERING MANAGEMENT DEPARTMENT
CENTER FOR ADVANCED STUDIES IN ENGINEERING
UNIVERSITY OF ENGINEERING AND TECHNOLOGY TAXILA PAKISTAN

Spring, 2018

Amanat Ali - prr.hec.gov.pk


Abstract

The use of Information Technology (IT) has become imperative for Public Sector Organizations (PSOs) to improve and sustain public service delivery and to meet and extend other organizational objectives and strategies. This pervasive use of IT demands a special focus on effective IT governance in these organizations. Consequently, effective IT governance practices need to be determined, implemented and sustained if these organizations want to encourage and achieve desirable behavior in the use of IT. Nevertheless, IT governance differs across organizational contexts, and its implementation in PSOs is more complex than in their private counterparts for many reasons, including complex intra- and inter-organizational interactions and synergies, more bureaucracy and less managerial autonomy, and more legal and cultural constraints. PSOs in developing countries are even more challenging. Many generic frameworks, standards and tools are considered best practices for implementing IT governance in organizations, but these have some inherent shortcomings in the context of PSOs in a developing country. These frameworks are very generic, complex and expensive, due to which these organizations may deem the practice daunting and unattainable. Therefore, a substitute framework that complements the inherent shortcomings of the existing frameworks in the context of PSOs in a developing country is required to solve the problem.

This study investigated and analyzed IT governance in Pakistani Public Sector Organizations (PakPSOs) in the context of a developing country and proposed a framework to implement effective IT governance in these organizations. The study was conducted in four phases. In the first phase, the existing state of IT governance in PakPSOs was determined and analyzed in terms of maturity through exploratory case studies of six organizations using 15 IT processes of COBIT, and compared with a developed country, a developing country and the international public sector benchmark for learning, benchmarking and embracing best practices. The results indicated that the average maturity of the 15 IT processes across the six PakPSOs lay between level 2 and level 3 of the generic maturity model of COBIT. The process “Manage Data” demonstrated the highest maturity, whereas the process “Communicate Management Aims and Direction” showed the lowest maturity. The results also indicated that PakPSOs performed better than a developing country and lower than a developed country and the international public sector benchmark. In the second phase, the relevant IT governance practices in PakPSOs were identified and analyzed in terms of Critical Success Factors (CSFs) through exploratory case studies of eight organizations. The results revealed that 12 CSFs were relevant to PakPSOs. In the third phase, the identified set of CSFs was validated in PakPSOs by testing and analyzing its statistical effect on IT outcomes through a confirmatory study using sample data from PakPSOs. The results indicated that 11 CSFs demonstrated a positive significant effect on IT outcomes. The CSF “IT/business communication and partnership” was found to be the most effective, whereas the CSF “competitive IT professionals” was found to be the least effective. In the fourth phase, the IT governance framework was developed and evaluated using a design science research approach based on the results of phase 3, further literature review, and qualitative and quantitative opinions from PakPSOs. This resulted in a proposed framework for PakPSOs consisting of effective IT governance practices in terms of CSFs, activities to implement these practices, suitable roles and appropriate IT resources to execute the activities, and the operating environment in which it ought to be implemented. The proposed framework provides a holistic view of IT governance by not only covering the five focus areas of IT governance, i.e. strategic alignment, value delivery, risk management, resource management and performance measurement, but also wrapping the three perspectives of IT-business alignment, i.e. the human, social and intellectual perspectives. The results of the evaluation phase indicated that the framework proved to be useful.

The study provides many practical and theoretical implications. From the practitioners' perspective, the maturity benchmark can help public managers in PakPSOs and similar environments to identify and improve weak areas and ultimately improve and sustain public service delivery. The identified set of CSFs can assist them in recognizing the limited areas where focus can be given for success. By understanding the relative importance of the CSFs, they can improve their IT-related plans and prioritize limited resources accordingly. Both IT and business management personnel in PakPSOs can use the framework for planning, implementing and continuously improving IT governance in their business settings. From the theoretical and academic perspective, the study fills the theoretical gap in the literature by explaining IT governance from the perspective of the CSFs approach and broadens the scope of effective IT governance practices to the context of PSOs in developing countries. Compared with other studies in the relevant literature, this study provides a holistic view of IT governance by covering both IT governance and IT-business alignment, which previous studies lack. The study strengthens existing IT governance frameworks such as COBIT, ITIL and ISO/IEC 38500. The study also provides new avenues for future researchers who want to conduct research in the field of IT governance in PSOs of developing countries.


Acknowledgements

First of all, I express my gratitude to my advisor Dr. Asim Nisar, who encouraged and guided me with constructive and valuable advice during the course of this entire research work. He always supported and encouraged me when I needed some guidance regarding the research work and related matters. His keen interest in my research work and related progress enabled me to complete this research within time.

Secondly, my thanks go to the Ex-Chairman of the Engineering Management Department of the Center for Advanced Studies in Engineering (CASE), Dr. Ali Ahsan, who always optimistically responded to me at his office and granted his busy hours to advise me about research and other academic related matters. Being an important member of my research committee, his useful comments and suggestions led me to enrich my research work.

Thirdly, I extend my thanks to the other research committee members, Dr. Danial Saeed and Dr. Baber Zaheer, for their time and review of this research work with valuable comments.

Fourthly, I would like to express my thanks to the senior management of the studied organizations for their active cooperation in the data collection phase, especially the IT and business personnel involved in the interviews and surveys process, who provided me with meaningful data and information without which this research was not possible.

My thanks also go to the Higher Education Commission (HEC) of Pakistan for funding my whole PhD study, without which it was not possible for me to meet PhD expenses from my own resources.

Finally, special thanks to my parents for their prayers and to my wife for her encouragement, patience and support, and for taking care of my children Farheen, Diyan and Samyan.

Above all, I am always grateful to the Almighty God for all the blessings.

Thanks for all

Amanat Ali


List of Tables

Table 2.1: Limitations of Generic IT Governance Implementation Frameworks towards PakPSOs
Table 2.2: Differences between Public and Private Sector Organizations Based on Literature
Table 3.1: Minimum Sample Size for a Typical Research (Marcoulides & Saunders, 2006)
Table 3.2: A Quick View of the Research Methodology
Table 4.1: Distribution of the Respondents in the Six Studied PakPSOs
Table 4.2: Average Maturity Levels of the 15 IT Processes across the Six Studied PakPSOs
Table 5.1: The Accepted CSFs Related Articles
Table 5.2: Harmonization of CSFs from the Accepted Articles
Table 5.3: Distribution of the Respondents in the Eight Studied PakPSOs
Table 5.4: The Summarized Qualitative Response of the Interviewees
Table 5.5: Classification of the Identified Practices into Five Focus Areas and Three Perspectives of IT-Business Alignment
Table 6.1: Sample Characteristics
Table 6.2: Measurement of Constructs and Indicators (with Reliabilities)
Table 6.3: Inter-Correlation of Constructs and the Corresponding Square Root of AVE
Table 6.4: Strengths and Significance of Path Coefficients
Table 7.1: The Initial List of Activities for Each Practice Extracted from the Existing Literature
Table 7.2: Relationship of 19 Roles of COBIT with Five Roles of Simonsson and Johnson (2008)
Table 7.3: Four Types of IT Resources Classified by ITGI (2007)
Table 7.4: Distribution of the Respondents in the Six Studied PakPSOs
Table 7.5: The Summarized Qualitative Response of the Focus Groups after Content Analysis
Table 7.6: Activities for Guiding Practices with Roles and IT Resources
Table 7.7: Respondents' Profile and Their Summarized Suggestions
Table 7.8: Activities for Practices with Roles and IT Resources
Table 8.1: Decision-Making Structure of the Organization M
Table 8.2: How Are IT Governance Focus Areas Addressed in the Organization M
Table 8.3: Relevancy of the Proposed Framework's Practices with the Organization M
Table 8.4: Respondents' Profile in Case Study for Evaluating the Framework
Table 8.5: The Summary of Interview Response on Evaluation Criteria and Resultant Improvements into the Framework
Table 8.6: Activities for Practices with Roles and IT Resources
Table 9.1: Comparison of the Proposed Framework with Generic Frameworks


List of Figures

Figure 1.1: The Linkage of Research Problem, Questions and Objectives
Figure 2.1: Corporate and Key Asset Governance (Weill & Ross, 2004)
Figure 2.2: COBIT 5 Principles (ISACA, 2012)
Figure 2.3: ITIL Service Lifecycle (ITIL, 2007)
Figure 2.4: ISO/IEC 38500:2015 Information Technology - Governance of IT for the Organization (ISO/IEC 38500:2015, 2015)
Figure 2.5: dFogIT Framework (Gómez, Bermejo, & Juiz, 2017)
Figure 2.6: Strategic Alignment Model (Henderson & Venkatraman, 1993)
Figure 2.7: Balanced Score Card (Kaplan & Norton, 1992)
Figure 3.1: Stair-Case Diagram of Research Phases
Figure 3.2: Research Philosophical Paradigms Adapted from Myers (2008) and Straub et al. (2005)
Figure 3.3: Research Model
Figure 3.4: Information Systems Research Framework (Hevner et al., 2004)
Figure 3.5: Framework Development and Evaluation Process
Figure 4.1: Domain Wise Average Maturity of the 15 IT Processes in the Six Studied PakPSOs
Figure 4.2: Maturity Levels of the Six Studied PakPSOs for the 15 IT Processes
Figure 5.1: IT Governance Practices Based on the Quantitative Response of the Interviewees in the Eight Studied PakPSOs
Figure 7.1: Quantitative Response of the Focus Groups on Perceived Effectiveness and Ease of Implementation of Improved Activities
Figure 7.2: The Initial Version of the Proposed Framework
Figure 7.3: First Version of the Framework
Figure 8.1: The Relationship among IT Governance Decisions and Focus Areas and Project Management Life Cycle Phases
Figure 8.2: Quantitative Response on Evaluation Criteria
Figure 8.3: Quantitative Response on Implementation Aspects
Figure 8.4: Second Version of the Framework
Figure 9.1: Ranked Guiding IT Governance Practices (1st and Last)
Figure 9.2: Priority Consideration in Using the Framework


List of Abbreviations

BCS Balanced Scorecard

CCTA Central Computer and Telecommunications Agency

CIO Chief Information Officer

CIPFA The Chartered Institute of Public Finance & Accountancy

CMMI Capability Maturity Model® Integration

COBIT Control Objectives for Information and related Technologies

COSO Committee of Sponsoring Organizations

CSFs Critical Success Factors

EGD Electronic Government Directorate

EMD Evaluate-Direct-Monitor

HDI Human Development Index

ICT Information and Communication Technologies

IE Information Economics

IFAC International Federation of Accountants

IS Information System

ISACA Information Systems Audit and Control Association

ISACF Information Systems Audit and Control Foundation

ISO International Organization for Standardization

IT Information Technology

ITGBSC IT Governance Balanced Scorecard

ITGI IT Governance Institute

ITIL Information Technology Infrastructure Library

ITOMAT Organization Modeling and Assessment Tool

LDCs Developing Countries

MDAs Ministries, Departments & Agencies

MOST Ministry of Science and Technology

OGC Office of Government Commerce

PakPSOs Pakistani Public Sector Organizations

PC-I Planning Commission-I

PDCA Plan, Check, Do and Act

P & D Planning and Development Department

PLS Partial Least Squares


PMBOK Project Management Body of Knowledge

PMI Project Management Institute

PRINCE2 Projects in Controlled Environments

PSOs Public Sector Organizations

PTA Pakistan Telecommunication Authority

PwC PricewaterhouseCoopers

ROI Return on Investment

SAM Strategic Alignment Model

SEM Structural Equation Modeling

TOGAF The Open Group Architecture Framework

UNDP United Nations Development Program

Page 11: Amanat Ali - prr.hec.gov.pk

IX

Contents

Abstract
Acknowledgements
List of Tables
List of Figures
List of Abbreviations
Contents

1 Introduction
  1.1 Chapter Objectives
  1.2 Background of the Study
  1.3 Rationale for the Study
  1.4 Problem Statement
  1.5 Aims & Objectives
  1.6 Research Questions
  1.7 Research Phases
  1.8 Research Scope
  1.9 Structure of the Thesis

2 Literature Review
  2.1 Chapter Objectives
  2.2 Overview of IT Governance
    2.2.1 Emergence of IT Governance
    2.2.2 IT Governance Definitions
    2.2.3 IT Governance and Corporate Governance
    2.2.4 IT Governance and IT Management
  2.3 IT Governance Maturity
    2.3.1 Concept of Process Maturity in COBIT
  2.4 IT Governance Critical Success Factors (CSFs)
  2.5 IT Outcomes (Desirable Behavior in Public Sector of a Developing Country)
  2.6 Generic IT Governance Implementation Frameworks
    2.6.1 Control Objectives for Information and related Technology (COBIT)
    2.6.2 Organization Modeling and Assessment Tool (ITOMAT)
    2.6.3 Information Technology Infrastructure Library (ITIL)
    2.6.4 ISO/IEC 38500 Information Technology - Governance of IT for the Organization
    2.6.5 Detailed Framework of Governance of Information Technologies (dFogIT)
    2.6.6 Strategic Alignment Model (SAM)
    2.6.7 Balanced Scorecard (BSC)


    2.6.8 Limitations of Generic IT Governance Implementation Frameworks towards PakPSOs
  2.7 Context of Public Sector Organizations
    2.7.1 Defining and Understanding Public Sector Organizations
    2.7.2 Characterizing Public Sector Organizations
    2.7.3 Public Sector Organizations in Developing Countries
  2.8 Previous IT Governance Research
    2.8.1 Previous IT Governance Research in General
    2.8.2 Previous IT Governance Research in Public Sector Organizations
  2.9 Research Gaps
  2.10 Chapter Summary

3 Research Methodology
  3.1 Chapter Objectives
  3.2 Methodology
    3.2.1 Research Phases
    3.2.2 Research Philosophy
    3.2.3 Research Methods
    3.2.4 Sampling Techniques and Sample Size
    3.2.5 Data Collection Techniques
    3.2.6 Data Analysis Approaches
  3.3 Research Process
    3.3.1 Phase 1: Assessing the Existing State of IT Governance in PakPSOs
      3.3.1.1 Rationale for Selecting COBIT Framework's Processes
      3.3.1.2 Phase Methodology
    3.3.2 Phase 2: Identifying the Relevant IT Governance Practices in PakPSOs
      3.3.2.1 Rationale for Adopting Critical Success Factor Approach
      3.3.2.2 Systematic Literature Review
      3.3.2.3 Phase Methodology
    3.3.3 Phase 3: Investigating the Effect of IT Governance Practices on IT Outcomes in PakPSOs
      3.3.3.1 Rationale for Investigating IT Governance at Strategic Projects' Level
      3.3.3.2 Phase Methodology
    3.3.4 Phase 4: Developing and Evaluating the Proposed IT Governance Framework
      3.3.4.1 Rationale for Selecting Design Science Research Approach
      3.3.4.2 Phase Methodology
  3.4 Validity and Reliability
    3.4.1 Construct Validity
    3.4.2 Internal Validity
    3.4.3 External Validity
    3.4.4 Reliability
  3.5 Research Ethics
  3.6 Chapter Summary


4 Existing State of IT Governance in Public Sector Organizations of Pakistan
  4.1 Chapter Objectives
  4.2 Results and Discussion
    4.2.1 Distribution of the Respondents in the Six Studied PakPSOs
    4.2.2 IT Governance Maturity of the Studied PakPSOs
    4.2.3 Process Level Comparison
    4.2.4 Domain Level Comparison
    4.2.5 Organizational Level Comparison
    4.2.6 Comparison of PakPSOs with Others
  4.3 Conclusion and Further Research
  4.4 Chapter Summary

5 IT Governance Practices in Public Sector Organizations of Pakistan
  5.1 Chapter Objectives
  5.2 Results of Systematic Literature Review
    5.2.1 Accepted CSFs Related Articles
    5.2.2 Harmonization of CSFs from the Accepted Articles
  5.3 Operationalization of CSFs in PakPSOs
    5.3.1 Distribution of the Respondents in the Eight Studied PakPSOs
    5.3.2 Quantitative Response
    5.3.3 Qualitative Response
  5.4 Classification of the Identified IT Governance Practices
  5.5 Discussion
    5.5.1 Practices Related to Human Perspective
    5.5.2 Practices Related to Social Perspective
    5.5.3 Practices Related to Intellectual Perspective
  5.6 Conclusion
  5.7 Chapter Summary

6 Effect of IT Governance Practices on IT Outcomes in Public Sector Organizations of Pakistan
  6.1 Chapter Objectives
  6.2 Results
    6.2.1 Sample Characteristics
    6.2.2 Testing the Measurement Model
    6.2.3 Testing the Structural Model and Hypotheses
  6.3 Discussion
  6.4 Conclusion
  6.5 Chapter Summary

Page 14: Amanat Ali - prr.hec.gov.pk

XII

7 THE FRAMEWORK: DEVELOPMENT PHASE ........................................................................... 138

7.1 CHAPTER OBJECTIVES .................................................................................................................. 138

7.2 THE INITIAL VERSION OF THE FRAMEWORK: RESULTS OF ITERATION 1 ........................................... 138

7.2.1 Background ............................................................................................................................. 138

7.2.2 Results..................................................................................................................................... 143

7.3 THE FIRST VERSION OF THE FRAMEWORK: RESULTS OF ITERATION 2 ............................................. 156

7.3.1 Background ............................................................................................................................. 156

7.3.2 Results..................................................................................................................................... 156

7.4 DISCUSSION AND CONCLUSION ..................................................................................................... 164

7.5 CHAPTER SUMMARY .................................................................................................................... 165

8 THE FRAMEWORK: EVALUATION PHASE ............................................................................... 167

8.1 CHAPTER OBJECTIVES .................................................................................................................. 167

8.2 INTRODUCTION TO THE CASE ........................................................................................................ 167

8.3 IT GOVERNANCE IN ORGANIZATION M ......................................................................................... 168

8.4 RELEVANCY OF THE PROPOSED IT GOVERNANCE FRAMEWORK WITH THE ORGANIZATION M .......... 175

8.5 EVALUATION OF THE FRAMEWORK ............................................................................................... 177

8.5.1 Respondents‟ Profile in the Case Study .................................................................................... 178

8.5.2 Results of Qualitative Response ............................................................................................... 178

8.5.3 Results of Quantitative Response ............................................................................................. 180

8.5.4 Quantitative Response on Implementation Aspects ................................................................... 180

8.5.5 Accomplishment of the Seven Guidelines of Design Science Research ....................................... 181

8.6 THE SECOND VERSION OF THE FRAMEWORK ................................................................................. 183

8.7 DISCUSSION AND CONCLUSION ..................................................................................................... 187

8.8 CHAPTER SUMMARY .................................................................................................................... 187

9 CONCLUSIONS, CONTRIBUTIONS, LIMITATIONS AND RECOMMENDATIONS ............... 189

9.1 CHAPTER OBJECTIVES .................................................................................................................. 189

9.2 SUMMARY OF THE STUDY ............................................................................................................. 189

9.3 THE FRAMEWORK ........................................................................................................................ 191

9.3.1 Background ............................................................................................................................. 191

9.3.2 Elements of the Framework ..................................................................................................... 192

9.3.2.1 Environment ................................................................................................................... 192

9.3.2.2 Organization ................................................................................................................... 193

9.3.2.3 IT Governance Focus Areas and IT-business Alignment Perspectives .............................. 193

9.3.2.4 Guiding Practices ............................................................................................................ 195

9.3.2.5 The Activities, Roles and IT Resources............................................................................ 200

9.4 IMPLEMENTATION CONSIDERATIONS ............................................................................................. 201

9.5 COMPARISON OF THE PROPOSED IT GOVERNANCE FRAMEWORK WITH GENERIC FRAMEWORKS ...... 204

9.6 APPLICATION OF THE FRAMEWORK IN THE CONTEXT OF PSOS IN A DEVELOPING COUNTRY ............ 206

9.7 CONTRIBUTIONS ........................................................................................................................... 208

Page 15: Amanat Ali - prr.hec.gov.pk

XIII

9.7.1 Contribution to Practice .......................................................................................................... 208

9.7.2 Contribution to Theory ............................................................................................................ 209

9.8 LIMITATIONS AND RECOMMENDATIONS ........................................................................................ 210

REFERENCES ........................................................................................................................................... 212

APPENDICES ............................................................................................................................................ 231

1 Introduction

1.1 Chapter Objectives

This chapter provides the background of the study, the rationale for conducting this research, the problem statement, the aims & objectives and the research questions. It also presents a brief introduction to the research phases applied to conduct this research. It begins with a description of the study background, followed by the rationale for conducting this research. In the fourth section, the problem statement is presented, followed by the aims and objectives of the study. Research questions are given in the sixth section. In the seventh section, a brief introduction to the research phases is presented. Research scope is discussed in the eighth section. The final section describes the thesis structure.

1.2 Background of the Study

Public Sector Organizations (PSOs) play an important role in the socio-economic development of a country and the well-being of its people. Therefore, improved and sustained public service delivery is essential for these organizations. The use of Information Technology (IT) has become imperative for many PSOs to improve and sustain public service delivery and to meet and extend other organizational objectives & strategies. This pervasive use of IT has also grown due to the increasing demand for more efficient and cost-effective public service delivery and the growing embrace of e-government for efficient, transparent, responsive and accountable government. However, this critical use of IT demands a special focus on effective IT governance in these organizations. Consequently, effective IT governance practices need to be determined, implemented and sustained if these organizations want to encourage and achieve the desirable behavior in the use of IT.

IT governance is a structure and process through which organizations make the right IT investments to ensure that the resulting activities (programs, projects & operations) are performed properly and the desired benefits are achieved & preserved (Selig, 2016). It involves all assets related to IT, such as financial, human, physical, data and intellectual property assets (Weill & Ross, 2004). Effective IT governance provides many benefits to organizations, including reduced costs and risks (Dintrans et al., 2013; Oyemade, 2012; Gheorghe, 2011; Parent & Reich, 2009), increased security (Selig, 2016; PwC & ITGI, 2006), enhanced IT-business alignment (Gheorghe, 2011; De Haes & Van Grembergen, 2009), organizational competitiveness and performance (Park et al., 2017; Zhang et al., 2016; Rau, 2004), increased profit or value for shareholders (Parent & Reich, 2009; Weill & Ross, 2004), improved services and customer satisfaction (Selig, 2016; Rau, 2004) and effective and ethical management (Selig, 2016), but these benefits are not automatic. A lot of commitment, effort, resources and competencies are required to develop and implement suitable IT governance structures, processes and relational mechanisms in line with organizational objectives and competitive/market position.

Nevertheless, IT governance implementation is different in different organizational contexts and depends on many contingency factors including organizational culture & structure, strategy, maturity, size, industry, trust, ethical and regional differences (Pereira & Silva, 2012). A study on the design of IT governance argues that IT governance implementation depends on the specific context, contingencies and operating environment of organizations (Ribbers et al., 2002). Moreover, IT governance implementation in PSOs differs from that in their private counterparts due to some contextual characteristics of PSOs, including a systematic & complex decision-making process, higher accountability, usually multiple & intangible goals, services or public goods usually not for sale, more political influence, a higher level of IT outsourcing, higher turnover of skilled IT staff and more shared IT resources, applications and technical support instead of proprietary IT (Campbell et al., 2010; Liu & Ridley, 2005), and control over the IT function is even more crucial in PSOs (Liu & Ridley, 2005; Beaumaster, 2002). As a result, IT developments, implementations and governance in PSOs appear to lag behind private sector organizations due to such contextual differences (Campbell et al., 2010). However, the quick development of technology over the past decade has narrowed the gap between the two sectors.

IT governance is a relatively new discipline, and in developing countries its implementation is in its early stages. Prior research mainly focuses on the PSOs of developed countries; little research has been conducted in the PSOs of developing countries (Al Qassimi & Rusu, 2015; Nfuka & Rusu, 2010), and PakPSOs in particular have remained unexplored so far. This has emphasized the need to investigate and implement IT governance in PakPSOs through contextualized research.

This study investigates and analyzes IT governance in PakPSOs and proposes an IT governance implementation framework for these organizations. The framework is developed and evaluated using a design science research approach. Design science research is used to develop and evaluate IT artifacts to solve known problems in organizations (Hevner et al., 2004). IT artifacts are not only computers and computer systems but also a complex and changing combination of people, technology and organization (Dahlbom, 1996). An IT artifact can be a construct, model, instantiation or method (Hevner et al., 2004). For the purpose of this study, the researcher prefers a method in the form of a framework.

This research study is conducted in four phases. In research phase 1, the existing state of IT governance in PakPSOs is determined in terms of maturity and compared with a developed country (Australia), a developing country (Tanzania) and the international public sector benchmark for learning, benchmarking and embracing best practices. This is paramount to understanding the relevant IT governance context of PakPSOs in terms of maturity as compared to others. In research phase 2, the relevant IT governance practices in PakPSOs are identified in terms of Critical Success Factors (CSFs) through a systematic literature review and operationalised in PakPSOs through a multi-case study approach. This is paramount to understanding what is happening in PakPSOs and which practices are more relevant to this environment. In research phase 3, the effect of the practices identified in phase 2 on IT outcomes, i.e. desired behavior in PakPSOs, is tested and analyzed. The purpose is to validate a set of the relevant practices in PakPSOs that can be used as basic building blocks of the proposed framework. In research phase 4, the proposed IT governance implementation framework is developed and evaluated using a design science research approach based on the results of the previous research phases, further literature review, focus groups' responses and qualitative & quantitative opinions and experiences in PakPSOs.

The proposed framework consists of the practices in terms of CSFs, the activities to implement these practices, suitable roles and appropriate IT resources to execute the activities and the operating environment in which it ought to be implemented. Compared to other frameworks from the relevant literature, the proposed framework provides a holistic view by not only covering the five focus areas of IT governance, i.e. strategic alignment, value delivery, risk management, resource management and performance measurement, but also incorporating three perspectives of IT-business alignment, i.e. human, social and intellectual perspectives, which are lacking in previous studies.

1.3 Rationale for the Study

The significance of information systems in contemporary businesses can hardly be overstated. A vast majority of business leaders (87%) believe that information systems are critical for strategic success (Chen et al., 2010). Consequently, IT spending is persistently rising, and IT expenditure on average represents more than 4% of revenue in organizations (Lazic et al., 2011). IT governance has attracted much attention in the literature. It is a key enabler and success factor for business performance. A study on IT governance performance reveals that top performing organizations produce up to 40 percent more profit than their competitors and that organizations with above-average IT governance produce more than 20 percent more profit than organizations with poor IT governance adopting the same strategy, i.e. customer intimacy (Weill & Ross, 2004). Another study on IT governance success describes that many leading organizations apply IT governance to pursue greater efficiency and accountability and to comply with regulatory and other requirements (Lee et al., 2008). Hence, IT governance is no longer a “nice to have” but a “must have” because of increasing IT investments in businesses for higher returns on assets (Webb et al., 2006). This has emphasized the need to investigate and implement IT governance in organizations.

The need for effective IT governance has also been realized in PakPSOs because Pakistan has introduced many adjustments to commercial and regulatory policies that, among other things, have led towards a converged IT sector. This has also been accelerated by the “National IT Policy and Action Plan (2000)” and the “E-Government Strategy and 5-Year Plan for the Federal Government (2005)”. Due to these adjustments, the PakPSOs have observed remarkable improvements in the investment in, use of and demand for IT for public service delivery. Various IT applications like electronic processing of internal files, e-filing of income tax returns and citizen online etc. are functional in various PakPSOs. Other e-government projects are under implementation. However, the effective IT governance practices needed for the envisaged improvement of public service delivery are not fully realized within and across various PakPSOs. This has emphasized the need to investigate and implement IT governance in PakPSOs.

IT governance implementation in PSOs is more complex than in their private counterparts due to various reasons, including complex intra and inter-organizational interactions and synergies (Weill & Ross, 2004), more bureaucracy and less managerial autonomy (Lane, 2000), wider accountability and expectations (Liu & Ridley, 2005), difficulties in setting goals and measuring performance against these goals (Weill & Ross, 2004), changing ministerial needs, legislations and frequent rollout of top management (Liu & Ridley, 2005), more legal and cultural needs (Lane, 2000) and difficult process improvement (Shad et al., 2011). The PSOs in developing countries are especially challenging. They are affected by low institutional capacity, limited involvement of stakeholders, and a high level of corruption and informality, which obstruct their decision-making, control and accountability (Mimba et al., 2007). The IT context of the PSOs in developing countries is generally characterized by low human development, limited IT resources, inadequate related knowledge and cultural constraints (Nfuka & Rusu, 2011). For example, Pakistan is a developing country because Pakistan's HDI was 0.550 as of 2016 (UNDP, 2017), which is much lower than the world average (0.717). Pakistan also faces limited IT resources because IT infrastructure and IT literacy have remained relatively low (MOIT, 2017) despite the outstanding rise in total tele-density (with a major contribution from mobile density) from 4.31% in 2002-03 to 72.41% up to March 2017 (PTA, 2017). Knowledge and culture are other constraints (Aasi et al., 2014). These limitations are also coupled with the basic competing needs of citizens, like electricity and clean water, and with law and order problems and the menace of terrorism in the country, which restrict the flow of resources towards IT. This has emphasized the need to investigate and implement IT governance through contextualized research.

Many generic frameworks are considered best practices for implementing IT governance in organizations, e.g. Control Objectives of Information and Related Technologies (COBIT), Information Technology Infrastructure Library (ITIL) and ISO/IEC 38500, among others. However, these frameworks have their roots largely in private sector organizations, and as a result less IT governance research has been conducted on these frameworks from the perspective of PSOs (Nfuka & Rusu, 2011). These frameworks are too complex, generic and expensive, due to which organizations often deem the practice daunting and unattainable (Zhang & Le Fever, 2013; Upfold & Sewry, 2005). These frameworks are mainly process-based and rarely focus on CSFs, which are a limited number of areas where focus can be given for success. Moreover, these frameworks suggest a “one size fits all” approach for all organizations in all situations. However, the specific context of the organization should be considered while implementing IT governance (Ribbers et al., 2002). This has emphasized the need to develop an IT governance implementation framework based on a CSFs approach through contextualized research, i.e. in PakPSOs, previously unexplored. Owing to the importance and potential of IT governance, the scarcity of previous research in PSOs of developing countries, especially in PakPSOs, and the aforesaid inherent weaknesses of the existing frameworks, the researcher selected this study.

The researcher selected the design science research approach to develop and evaluate the IT governance implementation framework due to its relevance with behavioral science (Peffers et al., 2008).

1.4 Problem Statement

Pakistan, like other developing countries, has been experiencing various problems regarding the development, adoption and diffusion of technology in the country because technologies have mainly been transferred from developed countries. However, the government of Pakistan has enhanced the use of IT in the country as an investor, consumer, regulator and strategist, like the developed countries. Various efforts have been made by the government to uplift IT in PakPSOs. For example, an IT Board in each province and IT Directorates at district level have been established to diffuse IT into every government department to promote the economic growth of Pakistan. Various PakPSOs have started IT-based operations to improve the quality and efficiency of public services in line with a high standard of work ethics. Records of many PakPSOs are being computerized on a priority basis. Computer training has become mandatory for every government employee to promote and implement the e-government concept. However, the effective IT governance practices needed for the envisaged improvement of public service delivery are not yet fully realized within and across various PakPSOs.

Nevertheless, PakPSOs, like PSOs in other developing countries, are experiencing many governance-related problems regarding the use of IT, which include:

1) fragmented IT initiatives including IT enabled business applications and infrastructure in and across organizations (Kamal et al., 2013; Qaisar & Khan, 2010), resulting in losses of economies of scale and synergy;

2) lack of identified critical areas where focus can be given for success (Haider et al., 2016; Nfuka & Rusu, 2011);

3) lack of mutual understanding between business management and IT personnel to plan, implement and monitor IT enabled business applications and infrastructure (Qaisar & Khan, 2010; Kundi et al., 2008);

4) lack of active performance measures, controls and clear coordination regarding government activities, computerization and support in and across organizations (Qaisar & Khan, 2010; Bakari, 2007);

5) difficulties in holding individuals accountable for their results and in addressing ineffective use of available IT professionals for optimal use of IT (Kamal et al., 2013; Nfuka et al., 2009);

6) difficulties in handling higher expectations regarding the contribution of IT for the responsive public sector (MOIT, 2017; EGD, 2005);

7) a higher rate of strategic IT project failure, including over-budgeting, unfulfilled promises and abandonment (Haider et al., 2016);

8) lack of focus on the non-traditional view of IT project implementation success, i.e. looking into the value that IT projects provide to the stakeholders, instead of the traditional view of success, i.e. project delivery on time and within budget (Haider et al., 2016).

The aforesaid governance-related problems regarding the use of IT are compounded by the inadequate focus given to best practices for the optimal use of IT resources and their management, which results in serious consequences. These consequences include IT investment loss, reputation loss, duplication of efforts, increased redundancy, user frustration and poor decision-making (Nfuka & Rusu, 2011). This has led to the problem in this research, namely “IT governance in PakPSOs is ineffective”.

Various researchers have responded to this problem and investigated IT governance in PSOs of developed countries (Wiedenhoft et al., 2017; Dawson et al., 2016; Juiz et al., 2014; Campbell et al., 2010; Hoch & Payan, 2008; Ali & Green, 2007; Liu & Ridley, 2005 etc.). However, little IT governance research has been conducted in the context of PSOs in developing countries (Al Qassimi & Rusu, 2015; Nfuka & Rusu, 2010). The situation is even worse in PakPSOs, which have not previously been explored.

Generic standards and frameworks also possess some inherent inadequacies and weaknesses with regard to the research objectives and the context of this study, i.e. PakPSOs. COBIT, ITIL and ISO/IEC 38500 are the most prominent among them. These frameworks are mainly process-based and rarely focus on CSFs. Moreover, these frameworks fail to provide a holistic view of CSFs. Generality, complexity, expensiveness, the need for large-scale customization and the expertise required are major weaknesses of these frameworks. For example, the COBIT framework has complicated concepts and structure and lacks implementation guidance, and is therefore overwhelming to implement (Zhang & Le Fever, 2013). ITIL concentrates only on IT service management and does not cover the entire scope of IT governance (Simonsson et al., 2010). The ISO/IEC 38500 principles have a high-level, top-down organizational focus and can easily be misinterpreted. A framework that is easy for both business management and IT personnel to understand and implement with less expertise and fewer resources is required for the study environment. This has emphasized the need for further research to investigate IT governance and develop an implementation framework through contextualized research in the study environment, i.e. PakPSOs.

1.5 Aims & Objectives

The aims of this research study are to determine and analyze the existing state of IT governance in PakPSOs and to develop and evaluate a CSFs-based framework for effective IT governance implementation. The objective is to augment the IT outcomes, i.e. desirable behavior in PakPSOs. This could help to improve and sustain public service delivery in PakPSOs. The study is underpinned mainly by public value management theory. The theory of public value management essentially asserts that managers in public organizations should make active endeavors on behalf of the public to create increased public value, just as managers in private organizations strive to gain superior private value (Moore, 1995). This theory has been conceptually applied in various studies to answer the question of how superior public value can be created through the effective use of IT resources in the public sector (Pang, Lee, & DeLone, 2014; Andersen et al., 2010; Norris & Moon, 2005). The framework is developed and evaluated using a design science research approach.

Following are the sub-objectives of the study.

To determine and analyze the existing state of IT governance in PakPSOs in terms of maturity.

To identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs.

To test and analyze the effect of relevant IT governance practices on IT outcomes in PakPSOs.

To develop and evaluate a framework for effective IT governance implementation in PakPSOs.

1.6 Research Questions

The following four research questions are investigated to achieve the aforesaid objectives.

RQ1: What is the existing state of IT governance in PakPSOs?

It is paramount to determine and analyze the existing state of IT governance in organizations before its implementation because the success of IT governance implementation depends on a careful examination of the existing state of IT governance, i.e. maturity (Pereira & Silva, 2012). This raises the first research question of this study, i.e. RQ1: What is the existing state of IT governance in PakPSOs?

RQ2: Which IT governance practices are relevant to PakPSOs?

Effective IT governance can be implemented through a set of best practices. However, these practices may be different in different organizational contexts. Therefore, it is paramount to identify the relevant practices for a specific organizational context in order to implement IT governance. This raises the second research question of this study, i.e. RQ2: Which IT governance practices are relevant to PakPSOs?

RQ3: What is the effect of relevant IT governance practices on IT outcomes in PakPSOs?

The identified IT governance practices are only effective when they produce the desirable behavior in organizations, i.e. IT governance or IT outcomes success. This raises the third research question of this study, i.e. RQ3: What is the effect of relevant IT governance practices on IT outcomes in PakPSOs?

RQ4: How can effective IT governance practices be implemented in PakPSOs?

The identification and validation of the effective practices for a study environment is not the final step in implementing IT governance. This does not automatically solve the problem of ineffectiveness. The real challenge is to implement these practices in the study environment. This raises the fourth research question of this study, i.e. RQ4: How can effective IT governance practices be implemented in PakPSOs?

The linkage between the research problem, questions and objectives of this study is shown in Figure 1.1.

[Figure 1.1: The linkage of research problem, questions and objectives. The diagram connects the research problem (“IT governance in PakPSOs is ineffective”) to the research questions RQ1 to RQ4, the corresponding sub-objectives RO1 to RO4, and the main objective (to augment the IT outcomes, i.e. desirable behavior in PakPSOs).]

1.7 Research Phases

This research study is carried out in four phases. Each research question is investigated in a separate research phase. In this way, the four research questions are investigated in four research phases.

Phase 1: In this phase, the first research question of this study is investigated, i.e. RQ1: What is the existing state of IT governance in PakPSOs? The objective of this phase is to determine and analyze the existing state of IT governance in PakPSOs in terms of maturity and compare it with a developed country (Australia), a developing country (Tanzania) and the international public sector benchmark for learning, benchmarking and embracing best practices.

Phase 2: In this phase, the second research question of this study is investigated, i.e. RQ2: Which IT governance practices are relevant to PakPSOs? The objective of this phase is to identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs. These practices are identified through a systematic literature review and operationalised in PakPSOs through a multi-case study approach.

Phase 3- In this phase, the third research question of this study is investigated i.e. RQ3: What

is the effect of relevant IT governance practices on IT outcomes in PakPSOs? The objective

of this phase is to test and analyze the effect of the identified IT governance practices of phase 2

on IT outcomes in PakPSOs.

Phase 4- In this phase, the fourth research question of this study is investigated i.e. RQ4:

How can effective IT governance practices be implemented in PakPSOs? The objective of

this phase is to develop and evaluate a framework for effective IT governance implementation in

PakPSOs.

1.8 Research Scope

The scope of the research needs to be narrowed down to ensure the sufficient level of internal

validity within a research project (Cook & Campbell, 1979). They argued that in applied

research, internal validity has priority over external validity and construct validity. Therefore,

due to the applied nature of this research, the researcher's main focus is on internal validity.

The scope of the research is narrowed down on multiple aspects to ensure sufficient level of

internal validity. First, the scope is reduced in geographic terms to avoid cultural and regional

differences. For this, Pakistan is selected as a developing country. Second, the scope is

reduced in terms of industry/sector because the implementation of IT governance may be

different in different types of industries. For this, public sector is selected to focus only on

one sector. Public sector is selected due to scarcity of IT governance research in this sector

(Nfuka & Rusu, 2010; Ali & Green, 2007).

Third, the scope is also reduced in terms of organizational levels. IT governance is

implemented at three levels: 1) strategic level where board is involved; 2) management level

where executive management is involved and 3) operational level where IT management is

involved (De Haes & Van Grembergen, 2006). Usually, IT management is involved in

strategic IT projects but involvement of executive management and board is also crucial to

achieve desired results. As most IT initiatives in PakPSOs are undertaken in the form of e-

government projects which are usually strategic IT projects, therefore, the study specifically

focuses on IT management level with necessary intervention of executive management at this

level.

Finally, the scope is reduced in terms of IT governance practices. There could be many

practices that lead towards effective IT governance implementation, for example, portfolio

management, knowledge management and benefit management & reporting etc. This study

mainly focuses on CSFs of effective IT governance in research questions 2, 3 and 4.

However, this study uses IT processes of COBIT framework in research question 1 where the

purpose is to determine the existing state of IT governance in PakPSOs. The measures taken

for the reduction in research scope obviously affect the external validity or generalisability of

this research. The inclusion of other countries, industries/sectors, organizational levels and

other/new practices would be the motivating area for future research.

1.9 Structure of the Thesis

This thesis contains nine chapters. It begins with the introduction of the study followed by the

literature review. In the third chapter, methodology of the research is described in detail.

Chapters 4, 5 & 6 present the results of research phases 1, 2 & 3 respectively. Seventh and

eighth chapters provide the results of research phase 4. The conclusions, contributions,

limitations and recommendations are given in chapter 9. Here is the brief description of each

of the chapters.

The chapter 2 presents the literature review. This chapter provides an understanding of IT

governance and its various definitions, general standards and frameworks with their strengths

and weaknesses, public sector organizations & their characteristics and previous research in

the field of IT governance. This results in the author's review of literature in line with the

research topic, questions and objectives to identify the research gap.

The chapter 3 presents the research methodology and process to conduct this research. This

chapter describes the research phases and research philosophy and methods applied to this

research. The underlying data collection techniques and analysis approaches are discussed in

this chapter. It provides the complete research process of the study in detail. The issues of

validity and reliability are also discussed in this chapter.

The chapter 4 provides the results of research phase 1. In this chapter, the existing state of IT

governance in PakPSOs is determined and analyzed and compared with others for learning,

benchmarking and embracing best practices.

The chapter 5 provides the results of research phase 2. In this chapter, the relevant IT

governance practices in PakPSOs are identified through systematic literature review and

operationalised in PakPSOs through multi-case study approach. The practices are then

analyzed, discussed, and conclusion is made based on results.

The chapter 6 provides the results of research phase 3. In this chapter, the statistical effect of

the relevant practices in research phase 2 is tested and analyzed on IT outcomes in PakPSOs.

The results are presented, discussed and conclusion is made.

The chapter 7 provides the results of the development phase of the proposed framework. In

this chapter, the initial and the first version of the framework are developed based on the

results. Both versions of the framework are presented in this chapter along with discussion

and conclusion.

The chapter 8 provides the results of the evaluation phase of the proposed framework. It

provides the introduction of the case where the framework is evaluated and the results of the

case study. The second version of the framework is presented in this chapter along with

discussion and conclusion.

The chapter 9 presents the conclusions, contributions, limitations and recommendations of

the study. It provides the summary of the entire study. It also describes the proposed

framework, its elements and implementation considerations in detail. Moreover, the

contributions of the study are presented in this chapter. Furthermore, the limitations of the

study and recommendations are pointed out in this chapter.

2 Literature Review

2.1 Chapter Objectives

This chapter provides the author's review of literature in line with the research topic,

questions and objectives of the study to identify the research gap for its research questions

and objectives. Literature review begins with the overview of IT governance. In the third

section, the previous research on IT governance maturity is presented, discussed and analyzed

which results into the research gap for the research question 1 of this study. In the fourth

section, prior research on IT governance CSFs is presented, discussed and analyzed to

identify the research gap for the research question 2 of this study. In the fifth section, the

concept of IT outcomes i.e. desirable behavior in terms of strategic IT projects' success is

presented, discussed and analyzed to provide rationale for investigating the research question

3 of this study. In the sixth section, generic IT governance implementation frameworks are

presented, discussed and analyzed with their strengths and weaknesses towards the context of

the study which results into the research gap for the research question 4 of this study. In the

seventh section, the context of public sector organizations is discussed and analyzed in detail.

The eighth section provides an overview of previous studies in the field of IT governance.

The consolidated research gap is presented in the ninth section. The last section summarizes

the most important points of this chapter.

2.2 Overview of IT Governance

This section provides the overview of IT governance and related concepts.

2.2.1 Emergence of IT Governance

The fundamental concepts of IT governance were implicitly investigated by various

researchers up to early 1990s (Ives & Jarvenpaa, 1991; King, 1978; Garrity, 1963). The

explicit concept of IT governance started to appear in literature when Henderson and

Venkatraman (1993) introduced the term “IT governance” in their seminal paper. They

described IT governance as selection and use of mechanisms to obtain and deploy IT

competencies. They proposed various mechanisms for positioning the organization in the IT

marketplace. IT governance was one among these mechanisms. The other mechanisms were

technology capability, human capability and value management. They pointed out that IT

governance is about centralization and decentralization of decision-making. Brown and Grant

(2005) described that the notion of IT governance frameworks appeared in the academic

literature by the work of others e.g. Sambamurthy and Zmud (1999) and Brown (1997) in the

late 1990s. Earlier IT governance research focused on exercise of IT arrangements and locus

of decision-making authority and mainly investigated centralized and decentralized decision-

making arrangements in organizations (King, 1983). Later on, federal or hybrid arrangements

were identified (Brown & Magil, 1998). Subsequently, more complex arrangements had been

found in organizations (Weill, 2004). In centralized IT governance arrangement, decisions are

made by central or corporate unit whereas in decentralized IT governance arrangement,

decisions are made by individual business units (Sambamurthy & Zmud, 1999). In federal or

hybrid IT governance arrangement, some decisions are made by corporate unit and others are

made by business units (Sambamurthy & Zmud, 1999).

2.2.2 IT Governance Definitions

IT governance is a structure and process through which organizations make right IT

investment to ensure that the resulting activities (programs, projects & operations) are

performed properly and desired benefits are achieved and preserved (Selig, 2016). It focuses

on several aspects of IT management such as IT strategy and its association with overall

organizational strategy, IT architecture and its level of standardization & integration,

organizational policies for IT infrastructure & applications and IT investment &

prioritization. It covers all assets related to IT like financial, human, physical, data and

intellectual property. It is an integral part of corporate governance which deals with how a

corporation is directed and controlled and how stakeholders work with each other to achieve

corporate goals. IT governance is implemented at organizational level and affects the culture

of the entire organization. It directs business processes end-to-end and aligns these processes

across organizational boundaries. It means IT governance is not limited to top management

but affects the processes throughout the organization. It deals with both managerial and

cultural aspects for selecting, adopting and using IT in the organization and is a holistic

approach for managing IT. IT governance is an endeavor by the entire organization with

suitable structures, processes and procedures in place to support the judicious and effective

use of IT to achieve organizational objectives. IT governance is implemented using a mixture

of structures, processes and relational mechanisms (Bianchi & Sousa, 2016; Bermejo et al.,

2014; De Haes & Van Grembergen, 2009). At its most basic level, it deals with the decisions

around IT investment i.e. what decisions are made and who makes the decisions (structures),

how the decisions are implemented (processes) and how the decisions are communicated

(relational mechanisms). IT governance has been defined by various researchers in various

ways. Most renowned and frequently used definitions in the literature are as under:

“Policies, procedures and systems for the allocation of design-rights to the key decision

makers both within the organization as well as external vendors and/or partners responsible

for IT management” (Venkatraman et al., 1993).

“The organizational capacity exercised by the board, executive management and IT

management to control the formulation and implementation of IT strategy and in this way

ensure the fusion of business and IT” (Van Grembergen, 2002).

“IT governance is the responsibility of the board of directors and executive management. It is

an integral part of enterprise governance and consists of the leadership and organizational

structures and processes that ensure that the organization's IT sustains and extends the

organization's strategies and objectives” (ITGI, 2007).

“Specifying the decision rights and accountability framework to encourage desirable

behavior in the use of IT” (Weill & Ross, 2004).

“IT governance is the system by which an organization's IT portfolio is directed and

controlled. IT governance describes (a) the distribution of IT decision-making rights and

responsibilities among different stakeholders in the organization, and (b) the rules and

procedures for making and monitoring decisions on strategic IT concerns” (Peterson, 2004).

“IT governance is the strategic alignment of IT with the business such that maximum

business value is achieved through the development and maintenance of effective IT control

and accountability, performance management and risk management” (Webb et al., 2006).

Except the first definition, all other definitions provide the IT governance purpose i.e.

strategic alignment (alignment of IT with business). In the definition of Weill and Ross

(Weill & Ross, 2004), “the desirable behavior in the use of IT”, implicitly means that

desirable behavior leads to the execution of the intended strategy and hence represents

strategic use of IT. All the definitions directly or indirectly focus on allocation of decision

rights, responsibility and accountability for IT activities in organizations.

2.2.3 IT Governance and Corporate Governance

Most of the corporate governance principles can be applied to IT governance because IT

organization itself is a business within a business (McFarlan & McKenney, 1983). IT

governance is implemented to achieve corporate performance goals (Weill & Ross, 2004). It

is an integral part of corporate governance (ITGI, 2007) rather than a complement of it. The

relationship between corporate governance and IT governance established by Weill and Ross

(Weill & Ross, 2004) is shown in Figure 2.1.

Figure 2.1: Corporate and key asset governance (Weill & Ross, 2004)

They defined six key organizational assets that organizations use to implement strategies and

create business value: human assets (people, skills & competencies), financial assets;

physical assets (buildings, plants & equipment), intellectual property (process know-how),

information assets (data & information) and relationship assets (brand & reputation). They

also identified various organizational mechanisms to govern these key assets such as

structures, processes, committees, procedures and audits etc. Their study revealed that

physical and financial assets are typically the best governed in organizations whereas information

assets are typically the worst governed. They suggested that common mechanisms should be used to

govern multiple assets in order to achieve high business value from these assets i.e. the same

committee should govern both IT and financial assets.

2.2.4 IT Governance and IT Management

IT governance and IT management are two related but different concepts. The difference

between the two terms is fundamental because the activities are distinct, even though in some cases they are

performed by the same individual (Bird, 2001). Bird (2001) highlights this distinction by

stating that managers “manage organizations by virtue of the authority delegated to them by

those who govern”. Another study argues that governors are responsible for overall

organizational policy, direction and culture whereas managers administer, design, apply and

examine business strategies on operational basis (Webb et al., 2006).

Peterson (2004) advocates that IT management is involved in managing existing IT

operations and effective supply of IT products/services whereas IT governance is involved in

performing and transforming IT to fulfill existing and future business needs internally and

customers' needs externally. Peterson (2004) further states that “this does not undermine the

importance and complexity of IT management, …, but whereas elements of IT Management

and the supply of (commodity) IT services and products can be commissioned to an external

provider, IT Governance is organization specific, and direction and control over IT cannot

be delegated to the market”.

ISACA (2012) makes the distinction as “Governance ensures that stakeholder needs,

conditions and options are evaluated to determine balanced, agreed-on enterprise objectives

to be achieved; setting direction through prioritization and decision making; and monitoring

performance and compliance against agreed-on direction and objectives” whereas

“Management plans, builds, runs and monitors activities in alignment with the direction set

by the governance body to achieve the enterprise objectives”.

2.3 IT Governance Maturity

One way to assess the IT governance success is the use of IT governance maturity

measurements (Dahlberg & Lahdelma, 2007). Organizations with higher IT governance

maturity of structures and processes showed higher IT governance performance (De Haes &

Van Grembergen, 2008). IT governance maturity indicators with higher maturity levels

strongly correlated with higher IT governance performance (Simonsson et al., 2010). Also,

specific context of the organizations and their geographical situations are important to

implement IT governance (Ribbers et al., 2002).

Previous IT governance research in PSOs mostly focused on IT governance approaches,

contingency factors and mechanisms for effective IT governance (Nfuka & Rusu, 2010; Ali

& Green, 2007; Lawry et al., 2007; Warland & Ridley, 2005; Weill & Ross, 2004). A few

studies were performed to measure IT governance maturity in PSOs. A study on IT control

and governance maturity was conducted after performing an international survey to set up a

reference benchmark (Guldentops et al., 2002). After interviewing approximately 20 senior

IT and audit practitioners, 15 most important IT processes were finalized out of 34 IT

processes of COBIT framework. Four classes of international benchmarks were finalized

based on maturity levels of control over IT processes: mixed, size, industry and geography.

The results indicated that majority of IT processes had maturity levels between 2 and 2.5.

Larger organizations showed higher maturity than smaller organizations. The finance sector

showed higher maturity than other sectors. Public sector showed higher maturity in planning

domain due to existence of policies and regulations. Asia and Oceania and global working

companies showed higher maturity than Americas, Europe, Middle East and Africa. Another

study investigated maturity of IT processes in the PSOs of Australia (Liu & Gail Ridley,

2005). The study used 15 IT processes earlier identified (Guldentops et al., 2002). The results

revealed that the Australian PSOs performed better than the other nations and majority of IT

processes had maturity levels between 3 and 3.5. The same 15 most important IT processes

were used in the PSOs of Tanzania in the perspective of a developing country (Nfuka & Rusu,

2010). The results revealed that the Tanzanian PSOs performed lower than the Australian

PSOs and also internationally across a range of nations and majority of IT processes had

maturity levels below 2. It is obvious from the above literature review that most of the

previous studies investigated IT governance maturity in the context of PSOs in developed

countries. However, no study has investigated IT governance maturity in the context of PSOs

in a developing country that benchmarked a developed country, a developing country and the

international public sector across a range of nations simultaneously. This has created a gap

for the first research question of the study i.e. RQ1: “What is the existing state of IT

governance in PakPSOs?”

2.3.1 Concept of Process Maturity in COBIT

The aim of the maturity model is to assist improvements in organizations. Both internal and

external stakeholders of an organization can use maturity models. For internal stakeholders,

maturity models can be used for capability development of the organization such as to assess

the current state i.e. “as–is” and set goals for future state i.e. “to-be” to discover strengths and

weaknesses and observe the success of the improvement implementation plan. For external

stakeholders such as owners, partners or customers, maturity models can be used to assess the

organization's capability to evaluate how the organization meets the requirements they have

set for it. Moreover, organizations can use maturity models for benchmark purposes to

compare their capabilities to the industry. Some maturity models support independent

external assessment. Organizations can improve their image by attaining evidence of high

maturity level from external assessment. Maturity models are used not to measure the actual

results achieved in the organization rather they consider and assess the policies, processes and

practices of the organization. COBIT borrows the concept of process maturity from

Capability Maturity Model (CMM) of Software Engineering Institute (SEI) which has its

roots in software development and expands it to the variety of processes of the framework for

complete IT investment lifecycle. There are five maturity levels (in addition to level 0) to

measure maturity of IT processes: “0-Non-existent”; “1-Initial”; “2- Repeatable”; “3-

Defined”; “4-Managed”; and “5- Optimized” (Humphrey, 1988). Several maturity models

utilize these maturity levels. Each level of process maturity has three definitions in COBIT

i.e. generic, process-specific and attribute specific. COBIT claims that different processes

may have different maturity levels in and across organizations and path to higher

organizational maturity may also differ across domains and processes. It is economically

inappropriate for all processes to be at level “5- Optimized” because benefits associated with

a specific process may not justify the costs to attain and sustain it. The level of a process

maturity depends on individual process, organizational needs and priorities, IT infrastructure

and industry characteristics. For example, it may be reasonable for one process to be at level

“2-Repeatable” but it would be highly unsuitable for another more-critical process at that

level.

2.4 IT Governance Critical Success Factors (CSFs)

The CSFs are “the limited number of areas in which results, if they are satisfactory, will

ensure successful competitive performance for the organization” (Rockart, 1979). These

factors are used to direct the focus on key areas central to the organizations' objectives where

they invest their resources for success (Ward & Peppard, 2002). Due to their importance,

such factors are applied in various perspectives from a single project to the whole

organization (Esteves, 2004). Here is a brief overview of some of the previous studies on IT

governance CSFs.

Luftman et al. (1999) identified six enablers of IT-business alignment which is one of the

objectives of IT governance (ITGI, 2007). The results indicated that these enablers were

senior management support, involvement of IT personnel in strategy development,

understanding of IT personnel about business, IT/business partnership, well-prioritized IT

projects and the role of IT leadership. Teo and Ang (1999) conducted a survey in 169

organizations and identified 18 CSFs for strategic alignment by considering it as the key

objective of IT governance. The results revealed that the three top most CSFs were top

management commitment, IT management business knowledge and top management

confidence in the IT department. Ribbers et al. (2002) highlighted the need of strategic

integration of IT/business decisions, shared understanding among key stakeholders and

developing collaborative relationships among key stakeholders for effective IT governance

processes. ITGI (2003) proposed 11 CSFs for implementing effective IT governance in

organizations. These CSFs included considering IT as an integral part of the enterprise,

awareness, stakeholders' engagement, accountability, communication and monitoring across

the organization. Guldentops (2004) presented five CSFs. These CSFs mainly deal with

structures and processes for governance and control of IT. His study mainly focused on

formulation of IT strategies and various committees, alignment of IT-business in strategies

and operations, cascading of IT strategies and goals, applying emerging management

practices and implementing a governance and control framework for IT. Weill (2004)

identified eight success factors that are critical to effective IT governance. These included

transparency of IT governance mechanisms to all managers, actively designed mechanisms,

infrequently redesigned mechanisms, education about IT governance, simplicity of IT

governance arrangements, existence of exception handling process, governance designed at

multiple organizational levels and aligned incentives. PwC and ITGI (2006) identified six

CSFs after survey of 50 CIOs worldwide. These CSFs included senior management support,

communication, enforcements, measuring benefits, change management and not over

engineering the process. Tan et al. (2007) conducted a study in Australian PSOs based on

ITIL framework and found that senior management commitment, awareness and training,

performance/benefit management, appropriate guidelines and the use of an integrated tool set

were among the essential factors for success. Bowen et al. (2007) also suggested four

influential factors for effective IT governance. These included a shared understanding among

IT/business, active involvement of committees, balanced representation of IT/business

personnel in committees and well-communicated IT strategies and policies. De Haes and Van

Grembergen (2008) investigated ten minimum baseline IT governance practices. These

practices were validated as minimum necessary conditions for implementing IT governance

in the financial service sector of Belgium. The results indicated that IT steering committee and

IT leadership were at the top of the list. Hoch and Payan (2008) investigated IT governance

in the PSOs of Germany and proposed five factors for effective IT governance

implementation in the context of PSOs. These factors included IT leadership's mandate,

organizational structure, decision-making process, mindset & skills and performance metrics

& incentives. Pollard and Cater-Steel (2009) conducted multi-case study in two companies of

U.S.A and two companies of Australia to study CSFs for successful implementation of ITIL

framework. The results indicated that six previously studied CSFs were confirmed and three

new were found which included creating an ITIL-friendly culture, process as a priority, and

customer-focused metrics. Aggarwal (2008) investigated CSFs of IT alignment in public

sector petroleum industry of India and found that strong financial position, extensive

computer facilities, strong market position, strong technical expertise, existing IT leadership

position, IT takes care of the human factor, sharing of IT resources, prioritization of IT effort

and IT/business partnership were confirmed as CSFs. Nfuka and Rusu (2010) conducted a

case study research in five PSOs of Tanzania in the perspective of a developing country.

They investigated the CSFs to implement effective IT governance in these organizations. The

study found 11 CSFs in five focus areas of IT governance mentioned by COBIT. The

research revealed that most of the CSFs belonged to the strategic alignment focus area of

COBIT which means IT-business alignment was an important issue in the PSOs. Nenickova

(2011) found, analyzed and summarized the most CSFs for ITIL implementation best

practices in managing and delivering ICT services in large companies. He categorized these

factors as process related versus people related and internal versus external. The result

indicated that right tools and techniques, IT-business alignment, performance tracking &

measurement are process related and external factors. Optimizing competitive advantage,

services portfolio alignment, costs alignment and benefits realization of ICT are process

related and internal factors. Leadership, roles & responsibilities establishment, commitment

& participation and awareness & understanding are people related and external factors.

Optimizing IT functions is people related and internal factor. Kurti et al. (2013) performed a

review of current research on CSFs of IT-business alignment. They have identified 10 CSFs

categorized into three dimensions: human, social and intellectual. The results indicated that

most of the CSFs belonged to the human dimension. Razak and Zakaria (2014) identified 18

CSFs in Malaysian PSOs through Delphi research. They categorized the CSFs into five areas:

cost reduction, innovation, agility, customer satisfaction and compliance. Alreemy et al.

(2016) studied and extracted CSFs for effective IT governance implementation from the

literature. These factors were further analyzed, categorized and synthesized to create the

success factors for IT governance framework. The process resulted in 15 CSFs categorized in

five areas: strategic alignment; environmental effect (external); organizational effect

(internal); performance management; and resource management. The results indicated that

most of the CSFs belong to strategic alignment and organizational effect (internal) areas.

A comprehensive review of the previous literature on IT governance CSFs reveals that no

study has been conducted to identify the public sector relevant CSFs by adopting a holistic

approach that can cover five focus areas of IT governance and three aspects of IT-business

alignment and even PakPSOs remained unexplored. This has created a gap for the second

research question of the study i.e. RQ2: “Which IT governance practices are relevant to

PakPSOs?”

2.5 IT Outcomes (desirable behavior in public sector of a developing country)

Most IT initiatives in PSOs are undertaken in the form of e-government projects which are

usually strategic IT projects and PakPSOs are no exception. These projects are integrated

with business processes of organizations. However, these projects face the risk of being

abandoned, over budgeted and/or unfulfilled promises and situation is even worse in the PSOs

of developing countries. Strategic IT projects' success is an effective indicator of good IT

governance (Van Grembergen & De Haes, 2005). Moreover, one of the objectives of IT

governance is the strategic alignment of major IT projects with organizational goals

(Hiekkanen, 2015; ITGI, 2007). Therefore, IT outcomes (desirable behavior) in this study are

referred to as strategic IT projects' success in PakPSOs.

IT governance ensures that IT and business share accountability regarding IT projects and

helps in measuring their effectiveness which assists in avoiding rogue investment. Through

properly implemented IT governance, IT projects are managed effectively by default. IT

projects undergo analysis of IT strategy, IT architecture and IT infrastructure &

applications. IT investment is made and prioritized for the right IT projects. Accountability is

established, strategic alignment is enhanced and value delivery is measured against costs to

ensure that IT projects meet current and future organizational needs. Risks are properly

identified and mitigated before the start of and during projects' execution, with assurance that

projects do not deviate from the original plan. In conclusion, IT governance has become the

standard through which IT projects are identified/selected and developed with viable value

proposition and deliverables that reduce rogue investment.

Nevertheless, IT projects' implementation success has constantly been a challenging issue for

organizations involved in managing IT projects (Xia & Lee, 2004). The term project success

has different meanings to different organizations and stakeholders with competing

needs. Traditionally, project success is measured against time, budget and specifications

(requirements/quality) criteria (Agarwal & Rathod, 2006) which reflect success from the project

team's, vendors' or suppliers' point of view. Non-traditionally, some researchers used the term

project performance in place of project success using attributes like process performance and

product performance (Han & Huang, 2007). Process performance is measured against cost &

schedule overruns and product performance is measured against specifications (Jun et al.,

2011). Others used process efficiency and effectiveness as dimensions of project performance

(Rai & Al-Hindi, 2000; Ravichandran, 1999). However, Aladwani (2002) provides three

dimensions of project performance: task outcomes; psychological outcomes; and

organizational outcomes. Task outcomes deal with efficiency and effectiveness,

psychological outcomes deal with people's satisfaction and organizational outcomes deal

with benefits to the organization (Aladwani, 2002). These dimensions provide a better view

of success in technical, social and organizational perspectives.

The literature on information system success highlights the need to measure IT projects'

success in terms of their ability to provide meaningful benefits to stakeholders rather than

timely and within budget delivery of an artifact (Rai et al., 2002; Irani & Love, 2001). The

purpose of IT investment or project approval process is to ensure that IT investment delivers

significant benefits to the stakeholders as compared to alternative investment opportunities.

No single benefit assessment technique is suitable for all organizations. For example, for

public sector IT projects, benefits are usually measured beyond traditional financial measures

due to the “best value” nature of the public sector instead of “profit” nature (Campbell et al.,

2010). A large stream of literature is available on non-financial benefits of IT investment or

project. Researchers have focused on economic benefits (Bharadwaj, 2000), public value

(Moore, 1997), organizational changes (Serafeimidis & Smithson, 2000), strategic,

informational, transactional & transformational benefits (Gregor et al., 2006) and

infrastructural benefits (Weill & Broadbent, 1998). Therefore, in the context of public sector

IT projects, a more comprehensive view of success can be obtained if such projects are

evaluated in terms of task outcomes (efficiency & effectiveness), organizational outcomes

and public outcomes which are the focus of this study. Task outcomes are referred to as IT

project's efficiency and effectiveness. Efficiency is a measure of the amount of work produced,

cost and schedule adherences and overall efficiency of operations whereas effectiveness is a

measure of quality of work and ability of the project to meet its goals (Henderson & Lee,

1992). Organizational outcomes are referred to as the benefits that an IT project provides to

the host organization e.g. cost reduction and efficiency gains; improved quality of decision-

making (Gregor et al., 2006). Public outcomes are referred to as the benefits that an IT

project provides to citizens, businesses and employees e.g. cost and time saved using e-

services (Gilbert et al., 2004) and being better informed and knowledgeable about government policy

(Kolsaker & Lee-Kelley, 2008).

After the comprehensive review of the relevant literature, it is found that no single study has

investigated the determinants of strategic IT projects' success in terms of task, organizational

and public outcomes which is also referred to as desirable behavior in this study. This has

created a gap for the third research question of the study i.e. RQ3: “What is the effect of

relevant IT governance practices on IT outcomes in PakPSOs?” This study investigates the

effect of relevant IT governance CSFs in PakPSOs on IT outcomes (desirable behavior) in

terms of task, organizational and public outcomes.

2.6 Generic IT Governance Implementation Frameworks

This section presents the generic IT governance implementation standards and frameworks.

It also presents the major weaknesses of each framework with respect to the study

environment. A brief description of some of the most well-known standards and frameworks

with their strengths and weaknesses is given below:

2.6.1 Control Objectives for Information and related Technology (COBIT)

COBIT is a globally recognized framework for controlling the IT function in organizations. It assists

executives and IT professionals in ensuring that IT operations are aligned with organizational

objectives. It was created in 1996 by the “Information Systems Audit and Control

Foundation (ISACF)” as a part of evaluation framework of the “Committee of Sponsoring

Organizations of the Treadway Commission (COSO)”. The “IT Governance Institute (ITGI)”

that was constituted by the “Information Systems Audit and Control Association (ISACA)”

released the third edition of COBIT in 2000. Subsequent editions were released in 2005

(COBIT 4.0) and 2007 (COBIT 4.1). The current version is COBIT 5 published in 2012

which helps enterprises in governing and managing IT to achieve enterprise objectives. It is a

high-level framework that covers other well-known standards & frameworks such as ISO/IEC

38500, TOGAF, PRINCE2, PMBOK, ITIL, ISO/IEC 20000, ISO/IEC 27000, ISO/IEC 31000

and CMMI. COBIT 5 has been formulated by consolidating & integrating COBIT 4.1,

Val IT and Risk IT into a single framework. It is based on 5 principles and 7 enablers. The

five principles of COBIT 5 are shown in Figure 2.2.

Figure 2.2: COBIT 5 Principles (ISACA, 2012)

The COBIT framework provides best practices in business and process perspectives. The business

perspective relates stakeholder needs to enterprise goals, enterprise goals to IT-related goals

and IT-related goals to enabler goals and provides metrics to measure these goals. Moreover,

it fixes the roles and responsibilities for business and IT process owners. The process

perspective divides the IT function into 37 processes (32 for IT management and 5 for IT

governance) spread across five domains (one for IT governance and 4 for IT management) and

provides a Process Assessment Model for process improvement.

The framework facilitates clear policy development and good control over IT throughout the

organization (ITGI, 2007). Besides being a recognized practical audit guideline to review and

control IT activities, it is advocated as an IT governance implementation guideline (ITGI,

2007). It has become a de facto standard in the field of IT governance (Simonsson &

Johnson, 2008). The framework contains an inclusive set of processes for the complete IT

investment lifecycle ranging from strategic planning to day-to-day operations and covers the

complete sphere of IT activities that a typical organization is likely to perform (Debreceny

& Gray, 2009). It enables strategic alignment, value delivery and compliance to regulations

(Larsen et al., 2006) and helps in measuring performance, creating value and managing risks

(Rouyet-Ruiz, 2008). The framework is a useful tool to establish a baseline for process

maturity (Bünten et al., 2014; Van Grembergen & De Haes, 2005).

The COBIT framework also possesses some inherent weaknesses. It is a very generic framework

and organizations need to customize it according to their context (Zhang & Le Fever, 2013),

which requires a lot of effort, trained human resources and sufficient financial resources. Hence,

the implementation cost is high. The COBIT processes are very difficult to use because the

process description is complicated and time consuming. It is a very complex framework. For

each process, there is a corresponding set of activities and input/output documents that must

be reviewed. For each process, there is a specific RACI chart. There is also a plethora of

goals and metrics categorized as enterprise goals, IT-related goals and process goals. The

implementation of COBIT is difficult to evaluate and experienced analysts are required for

this purpose (Simonsson et al., 2007).

2.6.2 Organization Modeling and Assessment Tool (ITOMAT)

After applying the concepts of measurement theory (validity, reliability and costs related to

assessment), Simonsson and Johnson (2008) investigated the goodness of COBIT as an

assessment framework. They discovered some intrinsic weaknesses in COBIT particularly in

its operationalization and efficient data collection & analysis support. To rectify COBIT's

intrinsic weaknesses, they designed a tool known as ITOMAT for IT governance model-based

assessment. This tool is based on the COBIT framework and covers all of COBIT's processes

but has its own special operationalization scheme. A prime benefit of using ITOMAT is that

the person conducting the analysis part does not have to be an IT governance expert, which may

result in cost savings as claimed by the authors. It leverages the merits and alleviates some

of the weaknesses in COBIT. It separates modeling from analysis and supports automatic

data analysis. The framework is completely transparent & formalized and provides support

for collecting every single attribute to overall maturity scores at process level and ultimately

at organization level (Simonsson & Johnson, 2008).

The ITOMAT implementation cost is relatively low compared to COBIT. The major

weakness of the framework is that it is based on the COBIT framework only, which limits its

general usability. The method is not well suited to senior managers; rather, it is more useful for

managers at operational level.

2.6.3 Information Technology Infrastructure Library (ITIL)

ITIL is a well-known framework that provides best practices for IT service management. It was

created in 1989 by the “Central Computer and Telecommunications Agency (CCTA)”

which later became part of the “Office of Government Commerce (OGC)” in 2000. It is

based on the experience of more than 1400 organizations. The framework mainly focuses on

processes for the delivery and support of IT services. ITIL V3 is the current version and

focuses on the Service Lifecycle shown in Figure 2.3.

Five phases are involved in the Service Lifecycle. A separate core book describes each phase

in detail. The Service Strategy phase forms the core of the Service Lifecycle. The phase is used

for policy making and objective setting. All other phases revolve around this phase. The Service

Design phase is used for designing & developing new or changed services and service

management practices. The Service Transition phase provides guidance for developing and improving

capabilities for transitioning new or changed services into live service operations. The Service

Operation phase helps in carrying out and managing activities for day-to-day operations of

services. The Continual Service Improvement phase enables learning and improvement.

Improvement initiatives are undertaken in this phase based on strategic organizational

objectives. This phase covers the entire Service Lifecycle. The Service Lifecycle of ITIL is

based on the PDCA cycle of quality control.

The framework provides integrated central processes and comprehensible performance

indicators (Elephant, 2008). It enables risk reduction, financial efficiency, reliability and user

satisfaction (ChePa et al., 2015; Cartlidge et al., 2007).

Figure 2.3: ITIL Service Lifecycle (ITIL, 2007)

The ITIL framework also possesses some inherent weaknesses. It is an operational level

framework rather than strategic (Simonsson et al., 2010). Organizations need to

customize best practices according to their requirements (Worthen, 2005). Governance is the

weakest link in the ITIL service sourcing strategy. In terms of IT governance, ITIL is not as

comprehensive as COBIT.

2.6.4 ISO/IEC 38500 Information Technology- Governance of IT for the Organization

ISO/IEC 38500 is a high-level, principle-based advisory framework. It was created in 2005 by

Standards Australia (AS8015:2005) and later adopted by the ISO/IEC in 2008 (ISO/IEC

38500:2008). The current version of the framework is ISO/IEC 38500:2015. The purpose of

the framework is “to promote effective, efficient, and acceptable use of IT in all

organizations by a) assuring stakeholders that, if the principles and practices proposed by

the standard are followed, they can have confidence in the organization's governance of IT,

b) informing and guiding governing bodies in governing the use of IT in their organization,

and c) establishing a vocabulary for the governance of IT”. The framework consists of two

parts: the governance function and the management function. In this way, it separates IT

governance from IT management. The governance function is based on the concept of EDM

(evaluate, direct and monitor) and provides three IT governance related tasks: direct, evaluate

and monitor. The management function is based on the concept of PDCA (plan, do, check

and act) and provides four tasks: plan, do, check and act. The ISO/IEC 38500:2015

framework is shown in Figure 2.4. The framework has been developed based on the six

principles of good governance: responsibility, strategy, acquisition, performance,

conformance and human behavior.

The framework provides a structure for effective IT governance for top management to

understand and fulfill their legal, regulatory and ethical obligations. It highlights the

importance of IT governance in organizations. Although the latest version (ISO/IEC

38500:2015) has addressed many weaknesses of the previous versions, for example by adding regulatory

obligations and source of authority, it is still a generic framework. A lot

of expertise and customization is required to adapt it to a specific environment i.e.

PakPSOs. The framework is not public sector specific but it is based on the philosophy “one

size fits for all” as claimed by the ISO/IEC 38500:2015. However, the specific context of

organizations and their geographical situations are important when implementing IT governance

(Ribbers et al., 2002).

Figure 2.4: ISO/IEC 38500:2015 Information Technology - Governance of IT for the Organization (ISO/IEC 38500:2015, 2015)

2.6.5 Detailed Framework of Governance of Information Technologies (dFogIT)

The dFogIT framework was developed by the University of Balearic Islands based on the ISO/IEC

38500 framework. It comprises four layers as shown in Figure 2.5. Two layers, IT

governance and IT management, are identical to ISO/IEC 38500 whereas the top and bottom

layers, corporate governance and IT operation, are added to involve the entire organization

into IT governance (Gómez et al., 2017). The arrows in the framework indicate supply of or

demand for something related to IT. For instance, the corporate governance layer demands

concrete results such as IT applications in the form of IT solutions which add value to the

organization. The IT governance layer provides direction to evaluate the monitoring of lower

layers. The IT management layer manages projects that facilitate business processes through

covered operations and resources. Nevertheless, the success or failure of dFogIT

implementation relies on how the various structures in the said layers support these pressures.

The dFogIT framework not only provides visibility of the governance structures, strategy

alignment and communications among various levels of the organization but also covers the

five IT governance decisions of Weill and Ross (2004) at different layers (Gómez et al.,

2017). The decisions which are more strategic are at top layers whereas the decisions which

are more technical are at lower layers. Juiz et al. (2014) argued that the current framework of

dFogIT does not cover the seven principles of good governance for the public sector as

proposed by CIPFA and IFAC (2013). Therefore, they addressed this issue by including the seven

principles of good governance for the public sector into the dFogIT framework (Juiz et al.,

2014). However, the dFogIT framework is based on ISO/IEC 38500; therefore, it has the

same shortcomings as ISO/IEC 38500, i.e. a high-level top-down organizational

focus that may be easily misinterpreted.

Figure 2.5: dFogIT framework (Gómez, Bermejo, & Juiz, 2017)

2.6.6 Strategic Alignment Model (SAM)

The concept of strategic alignment was first introduced by Henderson and Venkatraman

(1993). The concept was later translated into IT-business alignment. They developed the Strategic

Alignment Model (SAM) with four domains: business strategy; IT strategy; organizational

infrastructure & processes; and IS infrastructure & processes. The SAM is shown in Figure

2.6.

Strategic fit means organizational structures & processes should support and reflect business

strategy whereas IS infrastructure & processes should support and reflect IT strategy.

Functional integration means IT strategy should be aligned with business strategy whereas IS

infrastructure & processes should be aligned with organizational infrastructure & processes.

Subsequent studies mostly investigated functional integration in the literature of strategic or

IT-business alignment.

The SAM specifies the importance of alignment between business and IT strategies to

increase IT contribution (Teo & King, 1996). The two-way relationship between business and

IT strategies enables potential competitive advantage to business from the use of IT

(Henderson & Venkatraman, 1993). It focuses on linking IT requirements with organizational

objectives. However, it is a conceptual framework and difficult to apply in practice (Avison

et al., 2004). It fails to describe top management involvement & support and effective use of

IT resources. It does not address effective communication between business and IT strategies.

The framework does not cover change management and related issues. Alignment is often

considered to be a moving target and difficult to implement (Coltman et al., 2015).

Moreover, Kruger and Snyman (2002) described that no generic model of IT-business

alignment fully aligns ICT strategy with business strategy. They further added that business

managers still consider strategic ICT management separate from business strategy which

leads to an inability to align ICT goals with corporate goals.

Figure 2.6: Strategic Alignment Model (Henderson & Venkatraman, 1993)

2.6.7 Balanced Scorecard (BSC)

Conventionally, organizations used financial measures to assess past organizational

performance. However, financial measures alone are not enough to predict future

organizational performance. BSC was developed by Kaplan and Norton (1992) to assess

organizational performance in four perspectives: financial; customer; internal business; and

innovation & learning. The financial perspective deals with financial measures like earnings

per share and return on investment (ROI). Customer satisfaction and internal business

processes are important drivers to achieve financial performance. An example of customer

satisfaction is the mean-time response to a service call and an example of an internal process is the

manufacturing cycle time. In turn, innovation & learning drive customer satisfaction and

efficient internal processes. An example of innovation & learning is the development of an

innovative product and time to new market. The BSC developed by Kaplan and Norton

(1992) is shown in Figure 2.7.

Figure 2.7: Balanced Scorecard (Kaplan & Norton, 1992)

Based on the concepts of BSC, the IT Governance Balanced Scorecard (ITGBSC) was prepared

to evaluate IT governance performance (Van Grembergen & De Haes, 2005). It has four

perspectives: corporate contribution; stakeholders; operational excellence; and future

orientation. The ITGBSC is a modified form of the original BSC to measure IT governance

performance (Van Grembergen & De Haes, 2005). The corporate contribution perspective deals

with ensuring maximum profit through IT with reasonable risks. An example of this perspective

is the strategic match of major IT projects.

The stakeholder perspective deals with measuring up to stakeholders' expectations. An example of

this perspective is the number of stakeholder complaints. The operational excellence perspective

deals with ensuring effective and sustained IT governance. An example of this perspective is the

composition of IT committees. The future orientation perspective deals with building foundations

for IT governance delivery. An example of this perspective is the level and use of an IT governance

knowledge management system.

BSC is a multidimensional approach to assess and manage organizational performance. It

links performance measures with the organizational strategy (Otley, 1999). It balances the

internal and external aspects of the business (Olve et al., 2003) and enables the employees to

understand the strategy & objectives and facilitates evaluation and feedback on an ongoing basis

(Pandey, 2005). It can also measure economic returns, social benefits and local impact

(Mohamad et al., 2015). It is applicable to all organizations of all sizes for assessing and

managing organizational strategy, monitoring operational efficiency and communicating

processes throughout the organization (Rohm, 2006). However, some researchers discussed

the weaknesses of the BSC. It makes invalid assumptions about causal relationships between

performance indicators (Norreklit, 2000). It provides no mechanism to sustain the relevance

of the initially defined measures (Hudson et al., 2001). It is hard to achieve a balance between

financial and non-financial measures due to the problems in the implementation of strategy

(Anand et al., 2005).

2.6.8 Limitations of Generic IT Governance Implementation Frameworks towards PakPSOs

All the aforesaid generic IT governance implementation frameworks possess some

inadequacies and weaknesses towards the context of the study i.e. PakPSOs. Table 2.1 shows

the limitations of various generic IT governance implementation frameworks towards the

context of PakPSOs.

Table 2.1: Limitations of generic IT governance implementation frameworks towards PakPSOs

| Framework | Limitations towards PakPSOs |
| COBIT | It is a very generic framework and organizations need to customize it according to their context (Zhang & Le Fever, 2013) that requires a lot of effort, trained human resources and sufficient financial resources. |
| | The implementation of COBIT is difficult to evaluate and experienced analysts are required for this purpose (Simonsson et al., 2007). |
| | The COBIT processes are very difficult to use because the process description is complicated and time consuming. |
| ITOMAT | It is based on COBIT framework only that limits its general usability. |
| | The method is not much suited for senior managers rather more useful for managers at operational level (Simonsson et al., 2010). |
| ITIL | It is an operational level framework rather than strategic (Simonsson et al., 2010). |
| | The organizations need to customize best practices according to their requirements (Worthen, 2005). |
| | Governance is the weakest link in the ITIL service sourcing strategy. |
| ISO/IEC 38500 | The framework is generic and designed for all types of organizations i.e. public and private (ISO/IEC 38500:2015). A lot of expertise and customization is required to make it context specific. |
| | The principles of the framework have been borrowed from the previous version which still follows top-down approach which may be easily misinterpreted. |
| dFogIT | It is based on ISO/IEC 38500 and possesses the inherent shortcomings of the said framework. |
| | It does not cover external stakeholders (Gómez et al., 2017). |
| SAM | It is a very conceptual framework and difficult to apply in practice (Avison et al., 2004). |
| | It fails to describe top management involvement & support and effective use of IT resources. |
| | It does not address effective communication between business strategy and IT strategy and change management and related issues. |
| BSC | It makes invalid assumptions about causal relationships between performance indicators (Norreklit, 2000). |
| | It provides no mechanism to sustain the relevance of the initially defined measures (Hudson et al., 2001). |
| | It is hard to achieve a balance between financial and non-financial measures due to the problems in the implementation of strategy (Anand et al., 2005). |
| CMMI | It does not provide any process area for effective communication and coordination among IT and business personnel. |
| | The level of diversity and depth to monitor & control the IT activities is missing in CMMI (Agerfalk & Fitzgerald, 2006). |
| ISO 9000:2000 | Different ISO standards are launched very frequently without performing complete analysis of practices in different cultures and countries (Nadvi & Waltring, 2004). |
| | Organizations may face the problems of different levels of adoption of ISO standards among different departments. |
| | Practitioners face the problems of integration of processes of different standards (Heras-Saizarbitoria & Boiral, 2013). |
| Six Sigma | This framework is effective in environments/industries where IT activities are identical and repetitive. However, the dynamics of PSOs does not allow managers to gain ultimate objectives through this framework (Antony & Fergusson, 2004). |
| | None of the methodologies of Six Sigma explicitly address PSOs. |
| TQM | TQM requires additional frameworks related to management to implement its philosophy. |
| | Public managers may face conceptual, technical and social challenges to implement TQM in PakPSOs. |
| ISO/IEC 17799:2000 | This standard focuses on implementation of IT security and its management only and does not focus on IT-business alignment which is main goal of IT governance. |
| ASL | Its scope is limited to application management and maintenance. Hence, it does not cover the entire scope of IT governance. |
| | This framework is implemented along with other frameworks like ITIL which makes its implementation more tricky and complicated. |
| OPM3 | This framework mainly focuses on project management instead of governance. |
| | The scope of the framework is limited to improve project management maturity. |
| | All existing models of project management do not fulfill the governance needs of PakPSOs. |

The discussion on various generic IT governance standards and frameworks reveals that

none of these standards and frameworks is specially designed to fulfill the needs of the

PSOs of a developing country. These frameworks are generic, complex and costly due to

which these organizations may deem the practice daunting and unattainable. Therefore, a

substitute framework to complement the inherent shortcomings of the existing frameworks

towards the context of PSOs in a developing country is required to solve the problem. This

has created a gap for the second research question of the study i.e. RQ4: “How can effective

IT governance practices be implemented in PakPSOs?”

2.7 Context of Public Sector Organizations

In this section, the context of PSOs regarding developments, implementations and

governance is discussed in detail.

2.7.1 Defining and Understanding Public Sector Organizations

The public sector is defined as a part of a nation's economic and administrative life pertaining

to the provision of services/goods by and for the government at the federal, provincial and

local/municipal levels (Lane, 2000). The public sector covers the organizations which are

controlled by the government and rely on government budgetary allocations for their funding

(Campbell et al., 2010). It also covers the organizations which generate their own funding

independent of government budgetary allocations i.e. autonomous bodies and semi-

government organizations (Campbell et al., 2010).

PSOs are constituted like pyramids. Policies, procedures and decisions are formulated at the

top of the pyramid. Roles and responsibilities are also decided at the top and delegated to the

lower levels through a hierarchical chain of command. Authority remains at the top of

hierarchy. Most PSOs are bureaucratic in nature and arranged functionally to maintain

specialization (Spittler & McCracken, 1996). This helps in assigning responsibility and

tracing accountability more easily.

However, the structure of PSOs involves various issues that arise from the employees'

behavior in the functional areas. One major issue is the employees' focus on their own area of

skills with little or no understanding of how their decisions can influence others. Other

issues are: lack of information flow, inadequate decision making and short-term outlook etc.

(Spittler & McCracken, 1996).

2.7.2 Characterizing Public Sector Organizations

IT development, implementation and governance in PSOs appear to lag behind private sector

organizations due to the contextual differences between the two sectors (Campbell et al., 2010).

IT governance implementation in PSOs is more complex than in their private counterparts due

to various reasons including complex intra and inter-organizational interactions and synergies

(Weill & Ross, 2004), more bureaucracy and less managerial autonomy (Lane, 2000), wider

accountability and expectations (Liu & Ridley, 2005), difficulties in setting goals and

measuring performance against these goals (Weill & Ross, 2004), changing ministerial needs,

legislator and frequent rollout of top management (Liu & Ridley, 2005) and more legal and

cultural needs (Lane, 2000). However, the quick development of technology over the past

decade has narrowed down the gap between the two sectors and even important practices may

be portable between the two sectors (Dawson et al., 2016). The summary of differences

between the two sectors based on the literature of IT governance is shown in Table 2.2.

2.7.3 Public Sector Organizations in Developing Countries

Countries are categorized into two groups: developed countries; and developing countries

(United Nation, 2001). Developing countries can also be referred to as developing countries.

Countries in North America, Europe, Australia, New Zealand, Japan and former USSR are

developed countries whereas all other countries are developing countries (United Nation,

2001). Developing countries are usually characterized by lower Human Development Index

(HDI) which is composed of life expectancy, gross national income per capita and access to

knowledge (UNDP, 2017). Other characteristics of developing countries include lower level

of industrialization and a higher level of population growth (Caiden & Wildavsky, 1980). The

PSOs in developing countries are very challenging. These are affected by low institutional

capacity, limited involvement of stakeholders, high level of corruption and high level of

informality which obstruct their decision-making, control and accountability (Mimba et al.,

2007). The IT context of PSOs in developing countries is generally characterized by low

human development, limited IT resources, inadequate related knowledge, constraints on

culture and an increasing level of IT investments (Nfuka & Rusu, 2011).

Table 2.2: Differences between public and private sector organizations based on literature

| | Public Sector Organizations | Private Sector Organizations | Reference |
|---|---|---|---|
| Ownership | Owned by members of political communities | Owned by entrepreneurs or stakeholders | Rainey et al. (1976) |
| Goals | Have multiple, intangible and conflicting goals due to numerous stakeholders with competing needs | Have specific and tangible goals | Dawes et al. (2004) |
| Product | Provide services and public goods usually not for sale | Provide goods and services for sale, profit | Rocheleau and Wu (2002) |
| Achievements | Measured by political efficiency and fulfillment of policy mission | Measured by financial profitability and efficiency | Campbell et al. (2010) |
| Funds | Funded mostly by taxation from public | Funded by fees paid directly by customers | Boyne (2002) |
| Control | Controlled principally by political forces | Controlled principally by market forces | Boyne (2002) |
| Flexibility | Have more formal procedures for decision-making and are less flexible and more risk averse | Have flexible procedures for decision-making and are less risk averse than public sector organizations | Rocheleau and Wu (2002) |
| Red Tape | More rigid in following the rules. The red tape puts needless and counter-productive mania with rules rather than results | Less rigid in following rules. Are more concerned with results and outcomes | Campbell et al. (2010) |
| Managerial Autonomy | Managers have less freedom to react to the circumstances | Much more freedom than public sector organizations | Campbell et al. (2010) |
| Shared versus proprietary IT | Shared IT resources, applications and technical help | Treat IT as proprietary to stay ahead and competitive | Rocheleau and Wu (2002) |
| Managerial Values | Less materialistic | More materialistic | Pratchett and Wingfield (1996) |
| Skilled staff Turnover | Face high skilled staff turnover | Face low skilled staff turnover than public sector organizations | Caudle et al. (1991) |
| Outsourcing of IT function | High | Low | Caudle et al. (1991) |
| Accountability | High | Low | Nicoll (2005) |

2.8 Previous IT Governance Research

Previous IT governance research mainly deals with exercise of IT governance arrangements

or locus of decision-making authority, contingency factors that influence these arrangements

or decision rights, design and implementation of IT governance mechanisms of structures,

processes and relations, strategic alignment or IT-business alignment, enablers, inhibitors or

critical success factors of IT governance and IT governance performance measurement. A

short overview of previous IT governance research is presented here.

2.8.1 Previous IT Governance Research in General

Sambamurthy and Zmud (1999) conducted a case study research on IT governance

arrangements at 8 organizations using theory of multiple contingencies. They argued that IT

governance arrangements in organizations are influenced by multiple interacting

contingencies instead of a single contingency. They identified three mutually exclusive sets

of multiple interacting contingencies: reinforcing; interacting; and dominating. The study

revealed that reinforcing and dominating contingencies persuade a centralized or

decentralized IT governance arrangement whereas conflicting contingencies persuade a

federal IT governance arrangement.

Peterson (2001) conducted a case study research on configurations and coordination for IT

governance at three European financial service organizations. He identified that the

organizations use federal IT governance arrangements and coordination mechanisms based

on their strategic context. He suggested that whatever IT governance arrangement is used,

mechanisms for lateral coordination (relational mechanisms) are required. Structures are not

enough for relational mechanisms and focus should be on IT governance processes.

Peterson (2004) performed a literary study on integration strategies and tactics for IT

governance. He concluded that small organizations use centralized IT governance

arrangements due to stable environment, centralized business governance structure, low IT

experience/competency and cost-focused business strategy. Conversely, large and complex

organizations use decentralized IT governance arrangements due to volatile environment,

decentralized business governance structure, higher IT management experience/competency

and innovation-focused business strategy. However, he admitted that these findings are not

prescriptive.

Ribbers et al. (2002) investigated the importance of IT governance processes and structures at

9 organizations. The research revealed that management tools and related frameworks

(scorecard and information economics etc.) are not sufficient for IT governance success;

rather, these tools should be leveraged into the deep organizational context related to

experiences of stakeholders and their understandings and judgments. However,

considerations for experiences of stakeholders, their understanding and judgments in absence

of some cost-benefit analysis and risk analysis are unlikely to deliver pleasing results.

Weill and Ross (2004) are perhaps among the first researchers who investigated the real

effect of IT governance on business performance. They conducted case studies on IT

governance performance at more than 250 organizations. Based on their research methods

and findings, they wrote a book. This book is the most cited book in the discipline of IT

governance (Simonsson et al., 2010). Their study revealed that top performing organizations

produce up to 40 percent more profit than their competitors and organizations with above

average IT governance produce more than 20 percent more profit than organizations with poor IT

governance adopting the same strategy i.e. customer intimacy.

Csaszar and Clemons (2006) conducted a study on governance of IT function. They found

that IT functional areas' governance influences the firm's performance under most conditions.

Performance is influenced by the CIO's capability to communicate with the senior

management and business know-how by taking into account the quality and the pace of

consensus decisions.

De Haes and Van Grembergen (2006) conducted a case study on IT governance best

practices at 6 organizations in Belgium. They also included a previous in-depth case study at

KBC (a large Belgian bank). They made several propositions: First, “organizations are using

a mix of structures, processes and relational mechanisms to build up an IT governance

framework.” Second, “the chosen mix of structures, processes and relational mechanisms is

dependent upon multiple contingencies.” Lastly, “a well balanced mix of structures,

processes and relational mechanisms will enable better IT governance outcomes.” Findings

revealed that all hypotheses were supported. Other interesting findings of their study are as

follows. IT steering committees are prevalent and exist with different names whereas IT

strategy committees are uncommon in Belgium. The majority of the organizations have either a

centralized or federal IT governance arrangement. In federal IT governance arrangement,

operations are centralized to gain economies of scale but developments are decentralized to

remain nearer to the business needs. Regarding IT governance processes, ITIL processes such

as SLAs are more popular but the BSC and the COBIT are not (or merely) used. Many

processes and prioritization methods are identified regarding Information Economics (IE) or

other frameworks associated with ROI type of measures. Finally, various relational

mechanisms are applied in shared understanding domains of business/IT objectives, cross

functional business/IT training, business/IT job rotation and active conflict resolution.

However, these mechanisms are informally organized in most organizations.

De Haes and Van Grembergen (2009) conducted a case study research on IT governance

implementations and its impact on IT-business alignment at 10 Belgian organizations. They

finalized a list of 33 IT governance mechanisms from literature, six case studies and Delphi

research. The maturity of each IT governance mechanism was assessed by business and IT

managers with consensus using COBIT's maturity model. The concept of IT-business

alignment was used to assess IT governance effectiveness. Strategic alignment maturity

assessment of Luftman (2000) was used to measure IT-business alignment. Then a

comparison was made between IT governance mechanisms maturity and IT-business

alignment maturity. The study revealed that organizations with high IT-business alignment

have more and mature IT governance mechanisms than organizations with low IT-business

alignment.

Lee et al. (2008) conducted an empirical study on relationship between IT governance

inhibitors and its success at Korean organizations. Using multiple regression analysis, five

inhibitors were tested: lack of communication; inadequate stakeholder involvement; lack of

clear IT governance principle & policies; lack of clear IT governance processes; and

inadequate support of financial resources. The results showed that IT governance success is

negatively affected by these inhibitors.

Ali and Green (2009) investigated IT governance mechanisms that enable more overall IT

governance effectiveness in a cost-effective manner. Moreover, to investigate the relationship

between IT governance effectiveness and level of decisions about IT outsourcing, a

supplementary question was investigated empirically. The study comprised 110 members

of ISACA in Australia. The results revealed that presence of ethic or culture compliance

system, involvement of senior management and existence of corporate communication

system positively influence the IT governance effectiveness.

Simonsson et al. (2010) conducted a case study research to investigate the effect of IT

governance maturity on its performance at 35 European organizations. The results indicated

that definition of the organization and quality management showed a strong correlation with

IT governance performance. However, processes like problem management, define and

manage service levels showed no correlation.

Prasad et al. (2010) developed an integrative model in order to obtain an in-depth

understanding of IT governance effectiveness. The model was tested through a field study.

The results revealed that IT steering committee enables good IT-related capabilities. The

good IT-related capabilities improve internal process performance. The improved internal

process performance assists in customer service improvement and overall organizational

performance improvement.

Oyemade (2012) argued that an organization can manage IT-related risks effectively through

an IT governance framework. This framework can be enabled through three lines of defense:

risk identification, management and monitoring. IT governance framework could be

strengthened by implementing COBIT and Risk IT within three lines of defense.

Bunten et al. (2014) examined the impact of COBIT and VALIT maturity on IT governance

disclosure. The results showed that overall maturity in COBIT and VALIT have a positive

impact on IT governance disclosure. The study further mentioned that COBIT maturity and

most of its domains have positive impact on disclosure whereas VALIT maturity has mostly

insignificant impact.

Hiekkanen (2015) explored the effect of IT governance on strategic alignment at strategic and

tactical levels. The results confirmed a positive relationship between IT governance and

strategic alignment. The study further suggested eight key IT governance practices to

enhance strategic alignment in the organizations.

Zhang et al. (2016) examined the impact of IT governance and IT capability on firm

performance. Based on resource-based and strategic choice theories and using secondary

data, they empirically validated that IT governance is a pre-requisite of IT capability which in

turn improves firm performance.

Park et al. (2017) tested the effect of three alignments between internal and external IT

governance (hierarchy, market and network) on firm performance using data from 213

Korean firms. The results revealed that hierarchy-based alignment enhances the operational

efficiency, market-based alignment improves market growth and a network-based alignment

increases innovation performance.

2.8.2 Previous IT Governance Research in Public Sector Organizations

Previous IT governance research in PSOs mainly deals with IT governance modes or

approaches, factors that influence these modes or approaches, and mechanisms for effective

IT governance. A short overview of previous IT governance research in PSOs is presented

here.

Weill and Ross (2004) specifically analyzed the PSOs among others in their study of more

than 250 organizations. This study investigated the factors that influenced the approach that

organizations selected to make successful IT decisions. The structure, industry, size,

governance experience, strategic goals, performance goals and geographical location were

among those factors. The results revealed that IT governance performance in the PSOs was

lower than their private counterparts by a factor of 10%. The researchers argued that this low

IT governance performance was due to the difficulties in setting goals and assessing

performance in the PSOs, which was already mentioned by Moore (1997) in his value framework

study.

Liu and Ridley (2005) conducted a study to assess the maturity of IT processes of COBIT

framework in the PSOs of Australia. They used COBIT's maturity model to assess 15 IT

processes that were already identified as most important IT processes (Guldentops et al.,

2002). They compared these IT processes by benchmarking them with other nations. The

study revealed that Australian PSOs performed better than the other nations. Among other

things, this was due to the differences in awareness. The study also suggested the need to

improve shared understanding about IT governance importance in both (Australia and other

nations).

Warland and Ridley (2005) conducted a case study research in three PSOs of Australia to

investigate the awareness and perception about the value of IT governance frameworks. The

study revealed that even though some practices were present in these organizations, the

awareness and perception about the value of IT governance frameworks appeared to be low.

The study suggested the need to increase such awareness in these organizations. The study

also indicated the need for further investigation about the effective mechanisms that enhance

the value of IT governance frameworks in these organizations.

Marais and Kruger (2005) conducted a study to understand the human issues regarding the

implementation of an information system in a bureaucratic environment (public sector). The

findings of the study revealed that user resistance and lack of user involvement were the most

dominant and challenging issues in this environment. The study also revealed that user training

significantly influenced the acceptance of the system. However, they argued that although

user training and involvement could help to reduce the resistance in this environment, but for

this, a favorable environment would be needed before the training could assist the change

process.

Lawry et al. (2007) conducted a study in PSOs to investigate IT governance mechanisms in

terms of structures. These mechanisms were roles, responsibilities and futures of CIOs. The

study revealed that there were some similarities but also important differences due

to the context in which the PSOs operated. These differences included low autonomy for

managers and dependency on rules and procedures. Based on these differences, a model to

identify CIOs particularly for PSOs was proposed.

Ali and Green (2007) investigated IT governance mechanisms that influenced IT governance

effectiveness in the PSOs of Australia. The results indicated that IT strategy committee and

corporate communication systems significantly correlated with IT governance effectiveness.

Hoch and Payan (2008) investigated IT governance in the PSOs of Germany. They developed

a framework with five dimensions to recognize the design model by organizations which can

be more suitable for their environments. The framework can also be used to create a baseline

for calculating the value of IT.

Campbell et al. (2010) conducted a study to examine the difference between public and

private sector organizations. The study revealed that regardless of many similarities, many

inherent differences were also present. The study advised that when studying the two sectors,

a one-size-fits-all approach is not suitable. Moreover, the study suggested more research on

IT governance approaches suitable for the context of PSOs by acknowledging the lack of

empirical research on this topic. However, no study investigated IT governance in PakPSOs

in the perspective of a developing country.

Nfuka and Rusu (2011) tested the effect of IT governance CSFs on IT governance

performance in Tanzanian PSOs. The results showed that the CSF “involve and get support

of senior management” was at top of the list whereas the CSF “consolidate, standardize and

manage IT infrastructure and application to optimize costs and information flow across the

organization” was at bottom of the list. Other CSFs showed moderate to strong effect on IT

governance performance.

Allassani (2013) conducted a case study research of “Ghana Rural Bank Computerization and

Inter-connectivity Project”. The study concluded that project management principles,

although supportive, do not guarantee the success of the project. IT projects need to be

brought within the principles of IT governance for their success. The study further added that

a well-defined governance structure is a pre-condition for the implementation success of a

project.

Nfuka and Rusu (2013) have developed a CSFs based IT governance framework (CEITG

framework) for Tanzanian PSOs in the perspective of a developing country using design

science research approach. By adopting a holistic approach, they have categorized their CSFs

into five focus areas of IT governance. They have also identified activities, roles and IT

resources to implement each CSF in Tanzanian PSOs. The results revealed that the CEITG is

useful for Tanzanian PSOs. However, they have not covered the three perspectives of IT-

business alignment to provide more holistic view of IT governance.

Razak and Zakaria (2014) conducted an exploratory study to identify, validate and refine

CSFs in the PSOs of Malaysia. The results showed that the identified CSFs reflect the focus

areas that need to be considered strategically to strengthen IT governance implementation and

to ensure business success in this environment. They further categorized the CSFs into five

areas: cost reduction, innovation, agility, customer satisfaction and compliance.

Al Qassimi and Rusu (2015) conducted an interpretive case study in a public sector

organization of a developing country using primary and secondary data. The results concluded

that there was an unintentional IT governance implementation in the organization. They

further suggested that IT governance structures, processes and relational mechanisms should

be improved to promote accountability of IT projects in the organization.

Dawson et al. (2016) examined effective IT governance in the public sector of the U.S. using the

legal view of agency theory. They extended the theory to examine the combination of roles

that lead to effective performance for the state versus those required for the IT department.

The results revealed that the most important practices may be transferable between the public

and private sector despite highly differing structures of the two sectors.

Wiedenhoft et al. (2017) identified and validated a list of mechanisms that meet the

objectives and principles of IT governance in PSOs through exploratory and descriptive

cross-sectional research using qualitative and quantitative data. The results showed that 11

mechanisms meet the objectives and principles of IT governance in PSOs. These mechanisms

were mainly IT governance arrangements (structure mechanisms) and practices (process

mechanisms) and combination of arrangements and practices (relational mechanisms).

2.9 Research Gaps

After the critical review of the relevant literature, the following research gaps have been

identified for this study:

• Lack of investigation of existing state of IT governance in PakPSOs and its comparison with others for learning, benchmarking and embracing best practices.

• Lack of identification of critical areas in PakPSOs where focus can be given for success.

• Lack of examination of relative importance of effective IT governance practices for IT outcomes i.e. desirable behavior in PakPSOs for prioritizing available IT resources.

• Lack of a substitute IT governance implementation framework to complement the inherent shortcomings of the existing frameworks towards the context of PakPSOs.

2.10 Chapter Summary

The following themes emerged from the comprehensive review of literature.

• IT governance is a relatively new discipline. It is a structure and process through which organizations make the right IT investments to ensure that the resulting activities (programs, projects & operations) are performed properly and desired benefits are achieved and preserved.

• IT governance is implemented at organizational level and affects the culture of the entire organization. It deals with both managerial and cultural aspects for selecting, adopting and using IT and is a holistic approach for managing IT in organizations.

• IT governance provides many benefits to organizations including reduced costs and risks, increased security, enhanced IT-business alignment, organizational competitiveness, increased profit or value for shareholders and improved services and customer satisfaction.

• IT governance is an integral part or subset of corporate governance and different to IT management.

• One way to measure IT governance success is the maturity measurement.

• CSFs are a limited number of areas where focus can be given for success. CSFs may be different for different contexts.

• IT outcomes in PSOs can be considered in terms of strategic IT projects implementation success.

• A number of general standards and frameworks exist which are considered to be best practices to implement IT governance in organizations. However, these are too complex, generic and expensive, due to which organizations may deem the practice daunting and unattainable. Moreover, these suggest a one-size-fits-all approach for all organizations in all situations. However, the specific context of the organization and its geographical situation is crucial for implementing IT governance.

• PSOs are different to their private counterparts due to the contextual differences between the two sectors and the implementation of IT governance in PSOs is more complex than their private counterparts.

• The IT context of PSOs in developing countries is generally characterized by low human development, limited IT resources, inadequate related knowledge and constraints on culture. Therefore, the implementation of IT governance in these organizations is even more difficult due to low institutional capacity, limited involvement of stakeholders, high level of corruption and high level of informality which obstruct their decision-making, control and accountability.

• Previous IT governance research in PSOs mainly focused on developed countries but little IT governance research has been conducted in the context of PSOs in developing countries; PakPSOs in particular remained unexplored.

• Generic IT governance implementation frameworks possess some inherent weaknesses towards the context of PakPSOs.

• The literature review about the topic and the context of the study ascertain the gap for the objectives of this study and its research questions.

• The literature review has emphasized the need for further research to investigate IT governance through contextualized research in PakPSOs, previously unexplored, and to develop and evaluate a framework for effective IT governance implementation in PakPSOs.

3 Research Methodology

3.1 Chapter Objectives

This chapter provides the research methodology and research process of this study. It begins

with the research methodology applied to conduct this research. This study is carried out in

four phases. The overview of research phases, research philosophy, research methods,

sampling techniques & sample size, data collection techniques and data analysis approaches

are discussed in the sub-sections of methodology. The third section describes the research

process applied to conduct this research. The separate research process of each research phase

is discussed in detail in the related sub-sections. The fourth section discusses the issues of

validity and reliability followed by the ethical standards applied to conduct this research. The

last section summarizes the most important points of this chapter.

3.2 Methodology

Research methodology deals with careful investigation of research problems and systematic

approach of knowledge contribution into existing knowledge base (Kothari, 2004). Different

frameworks are developed through different methodologies. For example, COBIT framework

is developed by collecting and integrating well-known standards and frameworks such as

ISO/IEC 38500, TOGAF, PRINCE2, PMBOK, ITIL, ISO/IEC 20000, ISO/IEC 27000,

ISO/IEC 31000 and CMMI. ITIL is developed by collecting and integrating best practices of

IT service management from more than 1400 organizations of different industries. CMMI is

developed by harmonizing best practices of management from more than 600 organizations

belonging to various industries.

In this study, mixed method research approach has been applied. Mixed method research is a

combination of qualitative and quantitative methodologies to study the same phenomenon

with multiple viewpoints (Bryman, 2006). Rohner (1977) believes that mixed method

research approach neutralizes the weaknesses and exploits the strengths of each method.

Consistent results from mixed method approach increase the validity of results (Bouchard,

1976). Campbell and Fiske (1959) argue that mixed method approach ensures that consistent

results are due to the traits of variables and not due to any specific method of research.

Creswell (2009) advocates the usage of mixed research method to attain better accuracy,

precision and confidence in the results. Jick (1979) proposes that qualitative research should

be used to explore the meaning and understanding of constructs whereas quantitative research

should be used to assess the magnitude and frequency of constructs.

In this study, after having a detailed understanding of existing state of IT governance in

PakPSOs in terms of maturity, the relevant IT governance practices in terms of CSFs are

identified in PakPSOs in an exploratory, qualitative manner through a systematic literature review

process complemented with a multi-case study. Subsequently, these identified practices are

validated in PakPSOs in a confirmatory, quantitative manner using the survey research method. The set

of validated practices are then used as basic building blocks or components of the proposed

framework. Consequently, the proposed framework is iteratively developed and evaluated

using design science research approach which is also a combination of qualitative and

quantitative approaches (McKay & Marshall, 2007). In this way, this research study is carried

out in four phases. A brief overview of each phase and its corresponding research question

is given in the following section. This approach is conceptually similar to the exploratory

design described by Creswell (2009), to the triangulation design of Morse (1991) and to the

mixed method approach of Teddlie and Yu (2007). It is also similar to the design science

research approach of Peffers et al. (2008) and Hevner et al. (2004) and design science IT

artifact development and evaluation approach used by Nfuka and Rusu (2013).

3.2.1 Research Phases

This study is carried out in four phases. A brief overview of each phase is given here.

Phase 1- The context of organizations is crucial to implement IT governance (Ribbers et al.,

2002). Therefore, it is paramount to understand the relevant IT governance context of

PakPSOs before moving forward. IT governance context depends on many contingency

factors including organizational culture & structure, strategy, maturity, size, industry, trust,

ethical and regional differences (Pereira & Silva, 2012). One way to understand the relevant

context is to assess the state of IT governance through the use of maturity measurements

(Nfuka & Rusu, 2010). This phase assesses the existing state of IT governance in PakPSOs in

terms of maturity and compares it with a developed country (Australia), a developing country

(Tanzania) and the international public sector benchmark for learning, benchmarking and

embracing best practices. This is paramount to understand the relevant IT governance context

of PakPSOs to identify weak areas for improvement. However, the results and findings of this

phase are not used in the proposed IT governance implementation framework development

and/or evaluation process which is the subject of successive research phases. The only

purpose of this phase is to have an idea and understanding of IT governance implementation

status in PakPSOs, previously unidentified. This is crucial to understand the context of

PakPSOs to conduct further research activities in this area. It addresses the first research

question of this study, RQ1: What is the existing state of IT governance in PakPSOs? The

detailed results of research phase 1 are given in chapter 4.

Phase 2- Although research phase 1 provides an in-depth understanding of the existing

state of IT governance in PakPSOs in terms of maturity and its comparison with other

countries, it is based on COBIT framework IT processes. No doubt, COBIT framework

contains an inclusive set of processes for complete IT investment lifecycle but it is very

generic, complex, costly and difficult to implement. However, industry specific practices are

more crucial than generic practices and address the ground realities more wisely. Therefore, it

is paramount to identify CSFs of IT governance relevant to PakPSOs. This phase identifies

the relevant IT governance practices in PakPSOs in terms of CSFs through systematic

literature review complemented with multi-case study. The purpose of this phase is to

identify what is happening in PakPSOs and which practices are more relevant. It

addresses the second research question of this study, RQ2: Which IT governance practices

are relevant to PakPSOs? The detailed results of research phase 2 are given in chapter 5.

Phase 3- The identified practices of phase 2 are further tested and analyzed in phase 3 to see

their effectiveness towards IT outcomes i.e. desirable behavior in PakPSOs. This phase tests

and analyzes the effect of the identified IT governance practices of phase 2 on IT outcomes in

PakPSOs. The purpose of this phase is to validate a statistical relationship between the

identified practices of phase 2 and IT outcomes throughout PakPSOs. It addresses the third

research question of this study, RQ3: What is the effect of relevant IT governance practices

on IT outcomes in PakPSOs? The detailed results of research phase 3 are given in chapter 6.

Phase 4- The validated set of IT governance practices of phase 3 only provides a high level

view. It does not provide any guidance on how to implement these practices in PakPSOs.

This phase addresses this issue by proposing an IT governance implementation framework

based on validated set of practices of phase 3. In this phase, an IT governance

implementation framework is iteratively developed and evaluated in PakPSOs using design

science research approach. It addresses the fourth research question of this study, RQ4: How

can effective IT governance practices be implemented in PakPSOs? The detailed results of

research phase 4 are given in chapters 7 & 8. The stair-case diagram of research phases is

shown in Figure 3.1.

[Figure 3.1 content, recovered from the diagram: four steps, Phase 1 to Phase 4, each pairing a research question (RQ) with a research objective (RO), leading to the IT governance implementation framework for PakPSOs.]

Phase 1. RQ1: What is the existing state of IT governance in PakPSOs? RO1: To determine and analyze the existing state of IT governance in PakPSOs in terms of maturity.

Phase 2. RQ2: Which IT governance practices are relevant to PakPSOs? RO2: To identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs.

Phase 3. RQ3: What is the effect of relevant IT governance practices on IT outcomes in PakPSOs? RO3: To test and analyze the effect of relevant IT governance practices on IT outcomes in PakPSOs.

Phase 4. RQ4: How can effective IT governance practices be implemented in PakPSOs? RO4: To develop and evaluate a framework for effective IT governance implementation in PakPSOs.

Figure 3.1: Stair-case diagram of research phases

3.2.2 Research Philosophy

Based on fundamental epistemology (knowledge that guides the research and how it can be

obtained), a research study can be conducted under three philosophical paradigms:

interpretive, positivist and critical research (Myers, 2008). However, due to the nature of this

study, the researcher has focused on interpretive and positivist research. The critical research

which deals with social critique of current conditions and assumes that reality is socially

constructed (Alvesson & Deetz, 2000) is not the focus of this study.

Interpretive research- It explores a research topic and emphasizes meanings in context

without predefining independent and dependent variables (Kaplan & Maxwell, 1994). As

interpretive research is used to explore and understand the context within which decisions

and actions are performed, therefore, this philosophical paradigm is applied in research

phases 1, 2 & 4 due to their interpretive nature.

Positivist research- It tests falsifiable theories and increases the predictive understanding of

phenomena using independent and dependent variables and their relations (Straub et al.,

2005). As positivist research is used for numerical analysis of theoretical constructs and their

interpretations, therefore, this philosophical paradigm is applied in research phase 3 due to its

positivist nature.

Moreover, interpretive research has been considered due to exploratory nature of research

phases 1, 2 & 4 and positivist research has been considered due to confirmatory nature of

research phase 3. Furthermore, interpretive research is applied due to qualitative nature of

research phases 1, 2 & 4 whereas positivist research is applied due to quantitative nature of

research phase 3.

Qualitative approach is applied to studies in natural settings usually case studies (Yin, 2003)

whereas quantitative approach is applied for testing and understanding hypothesized relations

through numerical analysis (Straub et al., 2005). Qualitative research is conducted under

interpretive, positivist and critical research and uses qualitative & quantitative data whereas

quantitative research is conducted under positivist research and uses quantitative data only as

shown in Figure 3.2.

3.2.3 Research Methods

A research method is a strategy of the enquiry (Myers, 2008). Two research methods are

selected for this study: case study; and survey research. The said research methods are

selected based on the nature of research problem, questions and guidelines for selecting a

research method proposed by Royer and Zarlowaski (1999).

Case study research- It is a method of empirical enquiry (Yin, 2003). In this study, it is

applied from an interpretive research philosophical paradigm point of view. According to Yin

(2003), a case study “investigates a contemporary phenomenon within its real-life context,

especially when the boundaries between phenomenon and context are not clearly evident”. A

case study also “relies on multiple sources of evidence and benefits from the prior

development of theoretical propositions to guide data collection and analysis” (Yin, 2003).

Various researchers argue that case study research method is more appropriate to conduct

information systems research (Oates, 2006; Benbasat et al., 1987). Generally, it is not easy to

separate the IT governance phenomenon from its environment i.e. PakPSOs. Therefore, case

study research method is applied in research phases 1, 2 & 4 due to their interpretive and

qualitative nature.

[Figure 3.2 content, recovered from the diagram labels: Qualitative research, Quantitative research; Interpretive research, Positivist research, Critical research; Qualitative data, Quantitative data; Philosophical paradigms of this study.]

Figure 3.2: Research philosophical paradigms adapted from Myers (2008) and Straub et al. (2005)

Survey research- It is a method of studying a sample from a population and determining the

possibility of generalizing it to the population (Fowler, 2002). In this study, it is applied from

a positivist research philosophical paradigm point of view. Survey research argues that reality

can be represented through measurable properties and testing of theory (Straub et al., 2005).

Survey research is often used to investigate variables with quantitative and confirmatory

point of view. Therefore, survey research method is applied in research phase 3 due to its

positivist and quantitative nature.

3.2.4 Sampling Techniques and Sample Size

Two types of sampling techniques are commonly used in research studies: purposive

sampling; and probability sampling (Teddlie & Yu, 2007). Purposive sampling techniques are

mostly applied in qualitative research to increase replication and transferability of results

whereas probability sampling techniques are mainly applied in quantitative research to

increase generalisability of results (Teddlie & Yu, 2007). However, purposive sampling

technique can also be applied in quantitative research for selecting right respondents and

obtaining meaningful data where probability sampling is not feasible or costly (Black, 2010).

In purposive sampling techniques, individuals, groups and organizations are purposely

selected from a population to obtain particular information to answer the research questions

of the study (Maxwell, 1998). In probability sampling techniques, units and cases are

randomly selected from a population (Teddlie & Yu, 2007) with the assumption that all

respondents are equally knowledgeable and well-aware of the phenomenon under study

which is a major drawback of this technique regarding the context and nature of this study.

Therefore, purposive/non-probability sampling techniques are more suitable in situations

where data sources are limited (Black, 2010).

In this study, the researcher has adopted theoretical sampling technique under sequential

sampling strategy in purposive sampling technique for case study research in research phases

1, 2 & 4. However, the researcher has adopted a mix of purposive sampling technique and

simple random sampling technique under probability sampling for survey research in

research phase 3 due to the context and nature of the study.

For sample size, the researcher has adopted various theoretical guidelines. For multi-case study

research, Eisenhardt (1989) recommends four to seven organizations. Therefore, six

organizations have been selected in research phase 1, eight have been selected in research

phase 2 and 29 have been selected in research phase 4 for framework development process

and one for framework evaluation process.

Creswell (2009) recommends at least 2-3 participants for case study research. Therefore, 28

participants have been selected in research phase 1, 18 have been selected in research phase 2

and 81 have been selected in research phase 4 during framework development process and 27

have been selected during framework evaluation process.

For focus groups, a typical focus group contains 3-12 participants (Brandtner et al., 2015).

However, when complex issues or problems are the focus of the study then size of the focus

group should not exceed seven participants (Brandtner et al., 2015). Therefore, focus groups of

5-7 participants have been formed in research phases 1 & 4.

For survey research in phase 3, the researcher has adopted the guidelines provided by

Marcoulides and Saunders (2006). For a typical research with 5% significance level, 80%

statistical power and R² ≥ 0.25, Marcoulides and Saunders (2006) suggest a minimum sample

size as shown in Table 3.1. In our case, the maximum number of arrows pointing at a latent

variable is 7. This results in a minimum required sample size of 80. This is also in line with

Urbach and Ahlemann (2010) who recommend a range from 30 to 100 cases. Therefore, a

total of 200 questionnaires were distributed in PakPSOs out of which 104 were returned.

Table 3.1: Minimum sample size for a typical research (Marcoulides & Saunders, 2006)

| Minimum sample size required | Maximum number of arrows pointing at a latent variable in the model |
|---|---|
| 52 | 2 |
| 59 | 3 |
| 65 | 4 |
| 70 | 5 |
| 75 | 6 |
| 80 | 7 |
| 84 | 8 |
| 88 | 9 |
| 91 | 10 |

3.2.5 Data Collection Techniques

To gather relevant data, three data collection techniques have mainly been applied in this study

depending on research methods. These include interviews, focus groups and survey

questionnaires.

Interviews- These can be structured, semi-structured or unstructured (Yin, 2003). Interviews

are used to comprehend the ideas, beliefs and experiences of respondents in their natural

settings. Semi-structured interviews are commonly used in social sciences (Myers, 2008).

Therefore, semi-structured interviews are partly applied in research phase 1 and mainly

applied in research phases 2 & 4.

Focus groups- These are generally useful for generating ideas and consensus (Kleiber,

2004). Marshall and Rossman (1999) argue that focus groups have high apparent reliability

and validity. With group interaction, the researcher assures views on the defined topic

(Myers, 2008). Therefore, focus groups are mainly applied in research phase 1 and partly

applied in research phase 4.

Survey questionnaires- These are used to collect meaningful data (Yin, 2003; Fowler, 2002).

Survey questionnaires are mainly applied in research phase 3 and partly applied in research

phase 4.

3.2.6 Data Analysis Approaches

Various data analysis approaches are applied in this study depending on research methods

and data collection techniques.

Exploratory Data Analysis (EDA)- It is an approach for analyzing data sets through

statistical tools to comprehend their important characteristics (Fowler, 2002). One of the

purposes of EDA is to increase insights into data sets to extract important information e.g.

ranked lists. Measures pertaining to relative location such as ranking and measures pertaining

to centre such as means can be addressed through EDA. EDA is applied in research phases 1,

2 & 4 for analyzing quantitative data in these phases.

Content Analysis (CA)- It is a technique for qualitative data analysis through which

structures and pattern regularities are searched for in texts and inferences are made based on

these regularities (Myers, 2008). In CA, qualitative data gathered through interviews and/or

documents are examined step-wise by dividing them into content analytical units, also known

as theoretical categories, which provide foundation for organizing qualitative data and

making interpretations in line with research questions of study (Payne & Payne, 2004). These

theoretical categories and sometimes their hierarchies can be created deductively through

previous literature (theories and frameworks) and/or are achieved inductively through data

analysis process. CA is mainly applied in research phase 2 and partly applied in research

phase 4.

Structural Equation Modeling (SEM)- It is capable of developing and testing hypotheses

with falsifiable implications (Bollen & Long, 1993). SEM is mainly applied in research phase

3 to test correlated effect of IT governance practices on IT outcomes. A variance based SEM

technique known as Partial Least Squares (PLS) has been specifically applied. The PLS is a

variance-based structural equation modeling technique useful for testing relationships within

a structural model to ensure statistical conclusion validity (Fornell & Larcker, 1981). The

PLS is particularly appropriate for assessing predictive relationships or analysis designed to

build theory (Wold, 1985) and suitable for small sample size without normal distribution

(Peng & Lai, 2012). Due to ease of use and readily available support, the researcher

specifically prefers Smart PLS flavor.

A quick view of research phases and their corresponding research questions & objectives,

philosophical paradigms, type of study, research methods, sampling techniques & sample

size, data collection techniques, data analysis approaches and empirical sources is shown in

Table 3.2.

Table 3.2: A quick view of the research methodology

| | Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|---|
| Research question | RQ1: What is the existing state of IT governance in PakPSOs and how? | RQ2: Which IT governance practices are relevant to PakPSOs? | RQ3: What is the effect of relevant IT governance practices on IT outcomes in PakPSOs? | RQ4: How can effective IT governance practices be implemented in PakPSOs? |
| Objective | To determine & analyze the existing state of IT governance in PakPSOs in terms of maturity | To determine & analyze the relevant IT governance practices in PakPSOs in terms of CSFs | To test and analyze the effect of relevant IT governance practices on IT outcomes in PakPSOs | To develop and evaluate a framework for effective IT governance implementation in PakPSOs |
| Philosophical paradigm | Interpretive | Interpretive | Positivist | Interpretive |
| Type of study | Exploratory | Exploratory | Confirmatory | Exploratory |
| Sampling technique & sample size | Purposive sampling; Organizations: 6, Participants: 28 | Purposive sampling; Organizations: 8, Participants: 18 | A mix of purposive sampling & probability sampling; Participants: 104 | Purposive sampling; First Iteration (development): Organizations: 6, Participants: 35; Second Iteration (development): Organizations: 23, Participants: 46; Third Iteration (evaluation): Organization: 1, Participants: 27 |
| Research method | Case study research | Case study research | Survey research | Case study research |
| Data collection technique | Focus groups & interviews | Interviews | Survey questionnaires | Interviews, focus groups & survey questionnaires |
| Data analysis approach | Exploratory data analysis | Content analysis & exploratory data analysis | Structural equation modeling | Content analysis & exploratory data analysis |
| Empirical source | Literature & case study organizations | Literature & case study organizations | Literature & sample from PakPSOs | Literature & case study organizations |

3.3 Research Process

This section describes the detailed research process of this study. As previously mentioned,

this research study is conducted in four phases. Therefore, a separate research process for

each research phase is given in the following sub-sections.

3.3.1 Phase 1: Assessing the Existing State of IT Governance in PakPSOs

The main purpose of this phase was to determine and analyze the existing state of IT

governance in PakPSOs in terms of maturity, previously unidentified and compare it with a

developed country, a developing country and the international public sector benchmark for

learning, benchmarking and embracing best practices which were paramount to understand

the relevant IT governance context of PakPSOs. This was in response to the first research

question of this study, RQ1: “What is the existing state of IT governance in PakPSOs?” This

was achieved by assessing IT governance maturity in the selected six PakPSOs based on the

15 most important and public sector relevant IT processes of COBIT framework.

3.3.1.1 Rationale for Selecting COBIT Framework’s Processes

After a comprehensive literature review of IT governance related frameworks and maturity

models, the researcher found that COBIT framework provides a complete set of guidelines to

measure IT governance maturity in organizations (ITGI, 2007) and is a useful tool to

establish a baseline for process maturity (Van Grembergen et al., 2004). COBIT is a high

level framework based on other well known IT standards and frameworks and provides best

practices in business and process perspectives (ITGI, 2007). It contains an inclusive set of 34

processes for complete IT investment lifecycle ranging from strategic planning to day-to-day

operations (Debreceny & Gray, 2009) which makes it universally applicable. It has become a

de-facto standard in the field of IT governance (Simonsson & Johnson, 2008). The current

version of the framework is COBIT 5 launched in 2012. However, COBIT 4.1 was applied

for this study because a few of the PakPSOs use this version to some extent and have not

migrated to COBIT 5. This was also applied because a reference maturity benchmark is

available for this version. Out of 34 processes of COBIT 4.1, 15 are most important processes

(Guldentops et al., 2002) and more relevant to PSOs (Nfuka & Rusu, 2010; Liu & Ridley,

2005). Thirty-four IT processes of COBIT framework scattered across four domains are given in

Appendix-I. The fifteen most important and more relevant public sector IT processes of COBIT

framework are given in Appendix-II. Generic maturity model of COBIT framework is given

in Appendix-III. The researcher selected 15 IT processes of COBIT to assess IT governance

maturity in PakPSOs' context due to the following reasons:

1. These are most important and more relevant to PSOs.

2. A reference benchmark is available for these processes to fulfill the study's need for

comparing the PakPSOs with the PSOs of a developed country (Australia), a

developing country (Tanzania) and the international public sector benchmark.

3.3.1.2 Phase Methodology

Generally, it is not easy to separate the IT governance phenomenon from its business setting

or environment i.e. PakPSOs. Therefore, case study research method was selected. Case

study is a more appropriate research method for information system research (Oates, 2006;

Benbasat et al., 1987). Due to the diversity of PakPSOs, a multi-case study approach was also

necessary to enhance the confidence in the results and possible replication (Myers, 2008; Yin,

2003) because evidence and findings from multiple case studies are more convincing than

one case study (Oates, 2006). We selected six Federal level PakPSOs based on many aspects

including existence of IT organization or function, relatively better IT processes, level of IT

infrastructure and applications, experienced business and IT management and IT based

services for the public and themselves. Other PakPSOs were not at the level of sufficient IT

deployment and/or dependent on some of the selected PakPSOs for consultancy, policy

formulation and implementation, project planning, preparation and execution and support and

training in their IT related matters so those were excluded. As COBIT framework covers a

complete sphere of activities that a typical IT organization would be likely to execute

(Debreceny & Gray, 2009), therefore, COBIT deployment was not necessary for the

organizations to join this study.

The main data collection technique was the focus groups. However, separate interviews of

senior managers were also conducted to get their judgments on maturity levels of the IT

processes in their respective PakPSOs where focus groups were not feasible or denied. The

data collection process was started in December, 2014. Persons at the level equivalent to

CIOs in the organizations assisted to arrange the focus groups. The distribution of the

respondents in the six studied PakPSOs is shown in Table 4.1 of chapter 4. There were five to

seven members in each focus group representing both business and IT management in order

to discuss and make consensus on maturity level of each of the IT process to provide realistic

and credible results. In case of interviews, data were collected from more than one person by

ensuring the presence of both business and IT management and finally their arithmetic means

were taken. This also provided triangulation i.e. getting data from more than one source to

increase reliability (Yin, 2003). In both cases, respondents were mainly directors, managers,

section heads, superintendents and IT administrators etc.

A case study protocol was developed based on the guidelines provided by Yin (2003). The

researcher gave a brief presentation to the focus groups members and each interviewee about

the research project and interview protocol at the start. A copy of study questionnaire was

provided to them. The questionnaire was based on COBIT's maturity assessment tool. The

focus group members and interviewees were asked to assess each statement on a four point

Likert scale i.e. How much do you agree: “Not at all (0)”; “A little (0.33)”; “To some extent

(0.66)”; or “Completely (1)”. More than 20 statements were assessed per process. An

example of the statement was “IT projects are monitored, with defined and updated

milestones, schedules, budget and performance measurements”. The validity of the data was

assured by inspecting organizational documents such as IT-related policies, strategies, plans,

procedures, structures, frameworks, SLAs, annual and performance reports etc. The

researcher gathered whichever of those documents were available before the focus group

sessions and interviews with the help of the persons at the level equivalent to CIOs of the

organizations and/or from their respective websites. The researcher closely observed the

focus group sessions and intervened when necessary. When higher maturity level was

assessed for a process but the associated document did not support it then the researcher

quoted, explained and discussed the document with the respondents and asked them to enter

the real score according to the practices on ground. For example, for process “ME1-Monitor

and evaluate IT performance”, the researcher confirmed the presence of the signed

performance report in the organization. The same technique was adopted in case of

interviews.

The majority of the respondents understood the processes, their associated statements and

maturity levels well but some were initially confused. The misunderstandings were resolved

through explanations, examples and analogies. Each focus group and interviewee took 4-5

hours on average in multiple sessions.

Data were analyzed using maturity assessment tool, generic maturity definitions, process-

specific maturity definitions of COBIT and MS-Excel. MS-Excel was used due to its

capability of exploratory data analysis and plotting results in the forms of figures, tables and

graphs. The results of the research phase 1 along with discussion are given in chapter 4.

3.3.2 Phase 2: Identifying the Relevant IT Governance Practices in PakPSOs

The main purpose of this phase was to identify and analyze the relevant IT governance

practices in PakPSOs in terms of CSFs, previously unidentified. This was in response to the

second research question of this study, RQ2: “Which IT governance practices are relevant to

PakPSOs?” This was achieved by identifying IT governance CSFs through systematic

literature review and operationalizing them through multi-case study approach in the selected

eight PakPSOs.

3.3.2.1 Rationale for Adopting Critical Success Factor Approach

IT governance implementation in PSOs is more complex than their private counterparts

(Weill & Ross, 2004) and the situation is even more challenging in PSOs of developing countries

(Nfuka & Rusu, 2011). The IT context of PSOs in developing countries is generally

characterized by low human development, limited IT resources, inadequate related

knowledge & competencies and cultural constraints (Nfuka & Rusu, 2011). Therefore, it is

not easy and feasible to implement generic IT governance practices in PSOs of developing

countries because such practices have been designed with major focus on private sector

organizations. The problem is even greater in PakPSOs due to the shortage of previous

research and non-availability of relevant data in this environment. Existing standards and

frameworks have many limitations in this environment including their complex nature, high

cost of implementation and lack of required competencies. However, CSFs are “the limited

number of areas in which results, if they are satisfactory, will ensure successful competitive

performance for the organization” (Rockart, 1979). These factors are used to direct the focus

on key areas central to the organizations' objectives where they invest their resources for

success (Ward & Peppard, 2002). Due to their importance, such factors are applied in various

perspectives from a single project to the whole organization (Esteves, 2004). Therefore,

based on the context and nature of the study, CSFs approach is selected to identify right IT

governance practices in PakPSOs.

The researcher adopted CSFs approach to identify relevant IT governance practices in

PakPSOs due to the following reasons:

1) Lack of previous IT governance research on CSFs in PakPSOs.

2) CSFs are limited number of areas where focus can be given for success.

3.3.2.2 Systematic Literature Review

Systematic Literature Review (SLR) is a process of searching, evaluating, and interpreting

relevant papers/studies related to specific research question(s), area of interest and topic of

interest (Kitchenham, 2004). It has been considered as a leading method for collecting and

analyzing existing research work when nothing is available for a particular context. Various

researchers suggested various stages/steps for conducting systematic literature review. For

example, Kitchenham (2004) proposed three main stages: 1) review planning; 2) execution of

the review; and 3) reporting the results. At the review planning stage, a review protocol is

developed containing the research question, search terms, criteria of paper/study selection

and strategy of data extraction. At execution of the review stage, a search of databases is

performed, executed stages are documented and papers/studies are selected based on the

evidence related to the research question. Moreover, quality of papers/studies is evaluated

and data within the papers are extracted, monitored and synthesized. At reporting the results

stage, a report is written based on the results and findings. Khan et al. (2003) proposed five

stages for conducting systematic literature review: 1) framing questions for a review; 2)

identifying relevant work; 3) assessing the quality of studies; 4) summarizing the evidence; and

5) interpreting the findings. At framing questions for a review stage, the research question

and related terms are clearly defined before the commencement of actual literature review. At

identifying relevant work stage, the resources for the relevant literature are carefully

identified. At assessing the quality of studies stage, the discovered papers/studies are filtered

based on some quality measures. At summarizing the evidence stage, the discovered

evidence related to research question(s) is gathered and summarized for the next step which is

actually data analysis and interpretation of results. At interpreting the findings stage, the

results from the previous stages are analyzed and conclusions are made. However, the

researcher adopted five stages process proposed by Khan et al. (2003) for conducting

systematic literature review in this research phase due to its comprehensiveness and well

recognition in the literature.

3.3.2.3 Phase Methodology

The researcher has adopted five stages process proposed by Khan et al. (2003) for conducting

systematic literature review. The detail of actions taken by the researcher is as follows.

Stage 1: Framing question(s) for a review

At this stage, the research question and related terms are clearly defined before the

commencement of actual literature review. Therefore, the following research question was

formulated for this research phase: Which IT governance practices are relevant to PakPSOs?

The researcher selected following key words & terms to search related papers/studies and

publications: IT governance CSFs; IT governance performance & success factors, IT-

business alignment success factors, IT governance implementation minimum baselines,

factors affecting IT governance success etc.

Stage 2: Identifying relevant work

At this stage, the resources for the relevant literature are carefully identified. For this, the

researcher used Google scholar, ResearchGate network and Scopus database. These resources

cover all the prominent journals in this field such as MIS journals, AIS journals and senior

scholar basket of journals etc. Moreover, the researcher searched papers from eminent

conferences in the area of IT governance such as “International Conferences on System

Sciences”, “Hawaii International Conference on System Sciences”, Mediterranean, Pacific

Asia, European and Australian conferences etc. Furthermore, the researcher used repositories

of IT Governance Institute (ITGI) which conducts IT governance research globally. A total of

55 papers/studies were identified and reviewed at this stage.

Stage 3: Assessing the quality of papers/studies

At this stage, the discovered papers/studies are filtered out based on some quality measures.

The researcher applied the following quality measures to the discovered papers/studies: 1) the

paper/study is clearly related to the research question; 2) the paper/study has a clear

methodology; 3) the paper/study comes from some trusted resource and/or journal; 4) the

publication year of the paper/study should be 1995 or later because the phenomenon of IT

governance emerged in the literature in the late 1990s. The papers/studies that did not meet the

aforesaid quality criteria were rejected. In this way, a total of 18 papers/studies out of 55 were

finalized at this stage, which are shown in Table 5.1 of chapter 5.

Stage 4: Summarizing the evidence

At this stage, the discovered evidences related to research question(s) are gathered and

summarized. Based on this explanation, 18 articles were investigated thoroughly in order to

determine their relevance with the research question of the study. For this, the researcher

selected those papers/studies in which IT governance CSFs have positive impact on IT

outcomes in terms of IT governance performance, IT-business alignment, IT effectiveness, IT

performance or strategic IT projects' success etc. Fortunately, all 18 papers fitted this

criterion well. Attention was also given to papers/studies in PSOs especially of developing

countries. A total of 23 CSFs were logically harmonized from the aforesaid studies with the

consultation of research advisor and one public sector IT expert according to the context of

PakPSOs which are shown in Table 5.2 of chapter 5. These 23 CSFs were further

operationalised in PakPSOs through multi-case study approach. Quantitative and qualitative

responses of 18 senior managers in eight PakPSOs were sought through filling out

questionnaires and face-to-face interviews respectively. The distribution of the respondents in

the eight studied PakPSOs is shown in Table 5.3 of chapter 5. Purposive sampling technique

was used due to its simplicity. The unit of analysis was the organization. At least two

participants (one from business and other from IT) in each organization participated in the

interview process. A case study protocol was developed as suggested by Yin (2003). The

major interview questions are given in Appendix-IV. In step 1, the respondents were

requested to rate the “effectiveness” of each of the 23 CSFs on a scale from 1 (not effective)

to 5 (very effective) in their business settings. The purpose of step 1 was to drop the

irrelevant CSFs. The CSFs with 80% score or above were selected as IT governance CSFs for

further analysis and the rest were dropped. In step 2, semi-structured interviews were

conducted with the respondents. The respondents were asked to choose the most relevant CSFs

from the list with comments/justification and/or enter their own as per their business settings.

When a theme started recurring, the interview process stopped. Archival records were also

checked to verify the responses. The interviews were tape-recorded and conducted in the

national language and later translated into English.

Stage 5: Interpreting the findings

At this stage, the results from the previous stages are analyzed and conclusions are made.

Content analysis was applied to extract themes from the data. NVIVO-10 was used for this

purpose. As a result, a total of 12 IT governance CSFs were found to be relevant for

PakPSOs. The results of the research phase 2 along with interpretation/discussion are given in

chapter 5.

3.3.3 Phase 3: Investigating the Effect of IT Governance Practices on IT Outcomes in

PakPSOs

The main purpose of this phase was to test and analyze the statistical effect of the identified

IT governance practices of research phase 2 on IT outcomes in PakPSOs. For this study, IT

outcomes are referred to as strategic IT projects' success attributes (task, organizational and

public outcomes) because most IT initiatives in this environment are undertaken in the form

of e-government projects which are usually strategic IT projects. Therefore, the focus of this

phase is on strategic IT projects' success attributes instead of overall IT spending. This was in

response to the third research question of this study, RQ3: “What is the effect of relevant IT

governance practices on IT outcomes in PakPSOs?” This was achieved by developing a

research model based on the CSFs finalized in the research phase 2 and applying PLS-based

structural equation modeling using sample data from PakPSOs. However, the main research

question was broken into the following three sub-questions.

RQ3.1: What is the effect of IT governance practices on IT projects' task outcomes?

RQ3.2: What is the effect of IT governance practices on IT projects' organizational

outcomes?

RQ3.3: What is the effect of IT governance practices on IT projects' public outcomes?

3.3.3.1 Rationale for Investigating IT Governance at Strategic Projects’ Level

Prior research investigated IT governance arrangements at organizational level

(organizational context variables) but later research extended it to business unit level

(business unit context variables). At business unit level, differentiated IT governance

arrangements were identified where some business units of the same organization had

centralized IT decisions and others had decentralized (Brown, 1997). The context of the

business unit affects the selection of IT governance arrangement (Brown & Magil, 1998). It

means that the concept of IT governance has evolved from organizational level to

business unit level with possibility of several IT governance arrangements in the same

organization. This trend can be carried on and extended from business unit level to projects'

level because IT governance improves accountability of projects (Al Qassimi & Rusu, 2015).

The researcher investigated the effect of identified practices of research phase 2 on IT

projects' outcomes due to the following reasons:

1) Most IT initiatives in PakPSOs are undertaken in the form of e-government projects

which are usually strategic IT projects. Therefore, most of the data is available on

strategic IT projects in this environment instead of overall IT spending.

2) Most of IT success/failure is accounted at strategic IT projects' level in this

environment.

3) Strategic IT projects' success is an effective indicator of good IT governance (Van

Grembergen & De Haes, 2005).

4) One of the objectives of IT governance is the strategic alignment of major IT projects

with organizational goals (Hiekkanen, 2015; ITGI, 2007).

3.3.3.2 Phase Methodology

Development of Research Model and Hypotheses

The research model of this phase is shown in Figure 3.3. It consists of 12 CSFs as

independent variables and IT projects' task, organizational and public outcomes as dependent

variables. It is reasonable to believe that 12 CSFs significantly influence task, organizational

and public outcomes of strategic IT projects. The description of each variable of the research

model with necessary support from existing literature for hypotheses development is

provided below.

[Figure: IT Governance Practices (independent variables): V1. IT leadership; V2. Senior management involvement and support; V3. IT/business communication & partnership; V4. Engagement of key stakeholders; V5. Defined, aligned and cascaded IT and business strategies; V6. IT structures for responsiveness and accountability; V7. Policies and guidelines for optimal acquisition and use of IT; V8. Risk identification and mitigation mechanism; V9. Standardized and managed IT infrastructure and applications; V10. IT governance awareness and training; V11. Competitive IT professionals; V12. Performance measures and benchmarks. These are linked (+) to IT Outcomes (dependent variables): DV1. Task Outcomes; DV2. Organizational Outcomes; DV3. Public Outcomes.]

Figure 3.3: Research Model

IT Leadership- The literature on strategic use of IT demonstrates the importance of IT

leadership for success (De Haes & Van Grembergen, 2009; Ewusi-Mensah, 1997; Beath,

1991). It refers to the ability of CIO or similar position to articulate a vision for IT's role

in the organization and ensure that the vision is clearly understood by managers throughout

the organization (De Haes & Van Grembergen, 2009). The practice is crucial to manage and

lead IT and transformation program which is often executed in the form of IT projects in

PSOs. IT leadership looks into the potential & contribution of IT projects and demonstrates

viable IT value proposition for organization and general public. This practice is influential in

tabling relevant IT projects' plans for the management and ensuring necessary support and

intervention. IT leadership actively communicates IT project vision to the project team and

obtains support from stakeholders (Ewusi-Mensah, 1997) and strives for removing hurdles at

project approval and implementation stages. It possesses competencies to inspire, influence

and guide IT strategic integration (Luftman et al., 1999). Hence, it is reasonable to believe

that IT leadership greatly influences the success of IT projects' task, organizational and public

outcomes. Therefore:

H1a: The degree to which IT leadership is demonstrated in organization significantly affects

task outcomes.

H1b: The degree to which IT leadership is demonstrated in organization significantly affects

organizational outcomes.

H1c: The degree to which IT leadership is demonstrated in organization significantly affects

public outcomes.

Senior Management Involvement and Support- This practice refers to the engagement of

executive and senior management in IT-related decision-making and monitoring processes

for favorable results (Huang et al., 2010). It also refers to the commitment of top management

to provide required resources and authority for project success to achieve desired outcomes

(Pinto & Slevin, 1989). Top management involvement and support is imperative for effective

management and use of IT because IT is a key enabler for organizational strategy and related

processes (Weill & Ross, 2004). The need is enlarged in the context of developing countries

which requires strong political support for strategic use and management of IT (Nfuka &

Rusu, 2010). Moreover, top management commitment and practices get great deal of

attention among users (Tan et al., 2009). Top management involvement can enhance the

possibility of IT projects' efficiency and quality (Ravichandran & Rai, 2000), organizational

outcomes (Aladwani, 2001) and benefits in terms of transparency and e-democracy (Ndou,

2004). This leads towards the following hypothesis:

H2a: The degree to which senior management is involved and supports IT activities

significantly affects task outcomes.

H2b: The degree to which senior management is involved and supports IT activities

significantly affects organizational outcomes.

H2c: The degree to which senior management is involved and supports IT activities

significantly affects public outcomes.

IT/Business Communication and Partnership- The literature on IT-business alignment

highlights the importance of involvement of business people into IT activities and IT people

into business processes (De Haes & Van Grembergen, 2009). Business people's IT

knowledge and IT people's business knowledge are crucial for IT governance (De Maere &

Kutzschenbach, 2017). Responsibilities of IT projects are shared among IT and business

people in higher performing organizations (Avital & Vandenbosch, 2002). Equally important

is the communication and partnership between them (Luftman et al., 1999). This practice is

vital for the success of IT projects' task outcomes (Pinto & Slevin, 1989), organizational

outcomes (Weill & Ross, 2004) and public outcomes (Moore, 1997). Thus:

H3a: The degree to which IT/business communication and partnership is encouraged and

supported in organization significantly affects task outcomes.

H3b: The degree to which IT/business communication and partnership is encouraged and

supported in organization significantly affects organizational outcomes.

H3c: The degree to which IT/business communication and partnership is encouraged and

supported in organization significantly affects public outcomes.

Engagement of Key Stakeholders- This practice refers to the engagement of key stakeholders

with clear roles, goals and shared understanding of common agenda and success criteria

(Belassi & Tukel, 1996). The need is enlarged in PSOs due to the presence of numerous

stakeholders with competing needs than their private counterparts (Dawes et al., 2004). The more

the organization involves key stakeholders, the greater the success of IT investment or project

(Weill & Ross, 2004). Shared understanding among key stakeholders is a critical success

factor for IT projects' task outcomes (Belassi & Tukel, 1996). Moreover, this practice is

crucial for organizational outcomes of IT investment or projects (Nfuka & Rusu, 2011,

Ribbers et al., 2002). Furthermore, Moore (1997) highlights the importance of this practice

for public outcomes in his public value framework. Hence:

H4a: The degree to which key stakeholders are engaged in IT activities significantly affects

task outcomes.

H4b: The degree to which key stakeholders are engaged in IT activities significantly affects

organizational outcomes.

H4c: The degree to which key stakeholders are engaged in IT activities significantly affects

public outcomes.

Defined, Aligned and Cascaded IT and Business Strategies- One of the goals of IT

governance is the strategic alignment i.e. alignment between IT and business (De Haes &

Van Grembergen, 2009). One way to achieve strategic alignment is to define, align and

implement IT strategy in line with organizational strategy and communicate it down in an

organization (Nfuka and Rusu, 2011; Luftman et al., 1999). Moreover, one of the measures of

strategic alignment is the strategic match of major IT projects with organizational objectives

(Van Grembergen & De Haes, 2005) and strategic alignment is crucial to control and oversee

IT activities that lead towards IT projects' implementation success with desired benefits. It is

reasonable to believe that properly defined, aligned and cascaded IT and business strategies

with clear goals and targets lead towards the success of IT projects' task, organizational and public

outcomes. Thus:

H5a: The degree to which IT and business strategies are defined, aligned and cascaded in

organization significantly affects task outcomes.

H5b: The degree to which IT and business strategies are defined, aligned and cascaded in

organization significantly affects organizational outcomes.

H5c: The degree to which IT and business strategies are defined, aligned and cascaded in

organization significantly affects public outcomes.

IT Structures for Responsiveness and Accountability- Governance is about accountability and

responsiveness. IT structure refers to the presence of responsible functions and clear roles &

responsibilities for IT decision-making (De Haes & Van Grembergen, 2006). It also involves

various committees to prioritize and oversee IT projects/investments (De Haes & Van

Grembergen, 2008; Bowen et al., 2007; Weill, 2004) which are crucial for ensuring

responsiveness and accountability. IT steering committee is a key determinant for IT project

implementation success (Allassani, 2013) and IT project steering committee is among the top

10 most important IT governance practices (De Haes & Van Grembergen, 2008). This

practice has direct impact on IT projects' task, organizational and public outcomes. Hence, it

is proposed:

H6a: The degree to which IT structures for responsiveness and accountability are present in

organization significantly affects task outcomes.

H6b: The degree to which IT structures for responsiveness and accountability are present in

organization significantly affects organizational outcomes.

H6c: The degree to which IT structures for responsiveness and accountability are present in

organization significantly affects public outcomes.

Policies & Guidelines for Optimal Acquisition and Use of IT- This practice is crucial to

institute and enforce best practices throughout the organization for clear processes, methods

and frameworks to encourage desirable behavior and create and preserve optimal value of IT

(Tan et al., 2009; Weill, 2004). Many generic standards and frameworks such as COBIT, ITIL,

PRINCE2 and PMBOK etc. are available but which framework is suitable for an organization

depends on the context and priority of the organization (Bowen et al., 2007). Some

organizations have designed their own frameworks. The literature on best practices revealed

that embedding best practices in organizational context increases the likelihood of IT projects'

implementation success. It is reasonable to believe that adherence to organizational policies

and guidelines for optimal acquisition and use of IT increases the success of IT projects' task,

organizational and public outcomes. This leads to the following hypothesis:

H7a: The degree to which policies and guidelines for optimal acquisition and use of IT are

exercised in organization significantly affects task outcomes.

H7b: The degree to which policies and guidelines for optimal acquisition and use of IT are

exercised in organization significantly affects organizational outcomes.

H7c: The degree to which policies and guidelines for optimal acquisition and use of IT are

exercised in organization significantly affects public outcomes.

Risk Identification and Mitigation Mechanism- This practice involves analyzing and

assessing IT risks, monitoring efficiency of internal controls and implementing necessary

mechanisms to minimize risks. It also deals with procedures to ensure transparency about

significant risks and a proactive risk management approach to create competitive advantage.

It ensures information security against various threats and insists on embedding risk

management in the operation of the organization. One of the reasons of an IT investment or

project failure is the inability to identify and mitigate risks until it is too late or costly to make

corrections. Proponents of IT project risk management argue that identifying and mitigating

threats to success decrease the chances of the project failure (Boehm, 1991). Usually, three

types of risks are involved in IT projects: technology; resource; and business (Keil et al.,

1998). This leads to the following hypothesis:

H8a: The degree to which IT risks are identified and mitigated in organization significantly

affects task outcomes.

H8b: The degree to which IT risks are identified and mitigated in organization significantly

affects organizational outcomes.

H8c: The degree to which IT risks are identified and mitigated in organization significantly

affects public outcomes.

Standardized and Managed IT Infrastructure and Applications- This practice refers to the

provision and management of a standardized and reliable IT infrastructure and applications

(Peterson, 2004). In IT projects' context, it refers to the support technologies. Henderson and

Cooprider (1990) describe three dimensions of support technologies: production;

coordination; and organizational. Production technologies are used to describe information

requirements; to analyze information flows and data relationships; and to transform program

views into program codes. Coordination technologies enable control and cooperative

activities. Organizational technologies deal with support and infrastructure functionalities.

Post et al. (1999) argue that development tools and equipment are crucial in determining the

success or failure of IT projects. Support technologies not only enhance the

programmers'/analysts' abilities but also reduce the delivery cycle (Henderson & Cooprider,

1990). Standardized and managed IT infrastructure and applications not only facilitate IT

projects' task outcomes but also organizational and public outcomes. Thus, we propose:

H9a: The degree to which IT infrastructure and applications are standardized and managed in

organization significantly affects task outcomes.

H9b: The degree to which IT infrastructure and applications are standardized and managed in

organization significantly affects organizational outcomes.

H9c: The degree to which IT infrastructure and applications are standardized and managed in

organization significantly affects public outcomes.

IT Governance Awareness and Training- This practice refers to the campaigns to clarify the

need of IT governance to business and IT people (De Haes & Van Grembergen, 2009). In the

context of lower IT knowledge and culture, Nfuka and Rusu (2010) refer to this practice as

mindset change and competency improvement. It is reasonable to believe that provision of IT

governance awareness and training throughout the organization on IT projects' contribution

and resulting benefits facilitates the success of IT projects' task, organizational and public

outcomes. Hence:

H10a: The degree to which IT governance awareness and training is provided in organization

significantly affects task outcomes.

H10b: The degree to which IT governance awareness and training is provided in organization

significantly affects organizational outcomes.

H10c: The degree to which IT governance awareness and training is provided in organization

significantly affects public outcomes.

Competitive IT Professionals- This practice refers to the human resources' knowledge, skills,

competencies and acquaintance with organizational goals and public expectations. It is an

engine of innovation, optimization and performance (Peterson, 2004). Prior literature reveals

that knowledge and experience and resulting acquaintance with problem faced is an essential

determinant of IT projects' implementation success (Aladwani, 2002). Since, a large portion

of IT projects involves repeated problems (Swanson et al., 1991) and experienced members

are more likely to have faced the similar problems (Prietula & Simon, 1989) so experienced

members are expected to show higher performance than inexperienced members. Expertise of

team members is a critical success factor for IT projects' implementation success (Wateridge,

1995; Pinto & Slevin, 1989). The same is true for the acquaintance of team members with IT

projects' contribution towards organizational goals and public service delivery. Thus, it is

reasonable to believe that attracting, developing and retaining competitive IT professionals

leads towards better task, organizational and public outcomes of IT projects:

H11a: The degree to which competitive IT professionals are attracted, developed and retained

in organization significantly affects task outcomes.

H11b: The degree to which competitive IT professionals are attracted, developed and retained

in organization significantly affects organizational outcomes.

H11c: The degree to which competitive IT professionals are attracted, developed and retained

in organization significantly affects public outcomes.

Performance Measures & Benchmarks- This practice refers to measuring and reporting IT

projects' efficiency & effectiveness and their contribution towards the organizational goals. It

involves tracking and monitoring IT projects & operations and IT strategy. It also deals with

the performance of processes, resources and public service delivery. One of the examples of

performance measurement is the use of Balanced Scorecard (BSC) that translates strategies &

policies into action to achieve measurable goals from four perspectives: organizational,

customer/general public, operations and innovation/skills. This practice is considered as an

integral part of effective IT governance (Peterson, 2004; Weill, 2004). Prior literature

highlights the importance of performance monitoring and feedback for IT projects'

implementation success (Muller & Turner, 2005). Hence, it is proposed:

H12a: The degree to which active performance measures and benchmarks are applied in

organization significantly affects task outcomes.

H12b: The degree to which active performance measures and benchmarks are applied in

organization significantly affects organizational outcomes.

H12c: The degree to which active performance measures and benchmarks are applied in

organization significantly affects public outcomes.

The Population and Sample

The study population contained fully or partially completed IT projects in Ministries,

Departments & Agencies (MDAs). The projects were mainly public datacenters, database and

registration systems; e-filing, e-tax and e-billing systems; driving licensing and vehicle

registration systems; land record management systems; hospital management systems;

disaster management systems; monitoring and evaluation related e-systems; e-

recruitment/procurement systems; online education systems and other academia related e-

systems. The sampling frame was the Public Sector Development Programs (PSDPs) of last

12 years at federal and provincial levels. Due to the context of the study, purposive sampling

technique was applied to select right projects and respondents. The unit of analysis was

individuals, mainly IT executives, IT and project directors, managers and coordinators

knowledgeable and well-versed in managing public sector IT projects. It also included key

project users in some cases who remained involved in project implementation phase and

shifted to the operation phase after projects' completion. The sample characteristics are shown in

Table 6.1 of chapter 6. A total of 200 questionnaires were distributed by hand and through

emails. The data collection process was commenced in December, 2015.

Operational Measures

Whenever possible, we used existing and previously validated scales. However, some

questions were slightly modified. All the scales were discussed with two IT experts having

rich experience in managing public sector IT projects. Their recommendations were

incorporated in the final questionnaire. The items of scale for 12 IT governance practices

were adopted from Nfuka and Rusu (2011) and Keil et al. (1998) and measured on five-point

Likert scale, 1 (strongly disagree) to 5 (strongly agree). The items of scale for task outcomes

were borrowed from Henderson and Lee (1992) and measured on seven-point Likert scale, 1

(extremely low) to 7 (extremely high). The items of scales for organizational and public

outcomes were used from the existing literature and resulted in self-constructed scales. The

items of both scales were measured on seven-point Likert scales, 1 (strongly disagree) to 7

(strongly agree). The items and their sources are given in Appendix-V.

Data Analysis

The analysis was based on the research model (Figure 3.3) and PLS-based structural equation

modeling. The PLS is a variance-based structural equation modeling technique useful for

testing relationships within a structural model to ensure statistical conclusion validity (Fornell

& Larcker, 1981). The results of the research phase 3 along with discussion are given in

chapter 6.

3.3.4 Phase 4: Developing and Evaluating the Proposed IT Governance Framework

The main purpose of this phase was to develop and evaluate a framework for effective IT

governance implementation in PakPSOs. This was in response to the fourth research question

of this study, RQ4: “How can effective IT governance practices be implemented in

PakPSOs?” This was achieved by developing and evaluating IT governance implementation

framework using design science research approach.

3.3.4.1 Rationale for Selecting Design Science Research Approach

Design activities have been playing an important role in many applied science disciplines.

There is a long history of design science research in various fields such as engineering,

architecture, education, fine arts and psychology (Cross, 2001). Majority of the research on

design science has recognized the seminal contribution of work of Simon (1969) who wrote

the book “The Sciences of the Artificial”. Many design science ideas, concepts and methods

originated from other disciplines have been applied to information systems. However,

information systems inherently face various distinctive and challenging design problems due

to the frequent advancements in this discipline which require fresh and innovative ideas.

Design science research demonstrates high relevancy with information system research as it

apparently deals with two of the central issues of this discipline: artifact's role in information

system research; the perceived lack of professional relevance of information system research

(Benbasat & Zmud, 2003). One important characteristic of design science is that it provides

explicit prescriptions (guidelines or principles) for constructing an artifact (Gregor & Jones,

2007). Therefore, design theory is a normative or prescriptive type of theory. Another important

characteristic that distinguishes design science from natural sciences is that its outcomes are

evaluated against the criteria of utility whereas theories of natural sciences are evaluated

against the criteria of truth (March & Smith, 1995). Within the management literature, design

science has been advocated as an approach to mitigate the serious utilization problem or

relevance problem of traditional description driven research (Van Aken, 2004). Peffers et al.

(2008) advocate that design science research is highly associated with behavioral science

research.

Through design science research, a new IT artifact can be developed and evaluated to solve

known problems in organizations (Hevner et al., 2004). These artifacts are not only computer

and computer systems but also a complex and changing combination of people, technology

and organization (Dahlbom, 1996). An IT artifact can be a construct, model, instantiation or

method (Hevner et al., 2004). A method can be used as a framework because a framework is

an outline of interconnected elements that supports a particular approach to a specific

objective and serves as a guide that can be modified when and where required by adding or

deleting elements (Business Dictionary, 2012). Moreover, a framework can be based on

theoretical and/or practical experiences that provide recommendations to help practitioners

and academicians in the same way.

Many researchers consider design science itself as a paradigm (Peffers et al., 2008; Vaishnavi

& Kuechler, 2007; Hevner et al., 2004; Gregg et al, 2001). However, McKay and Marshall

(2007) consider design science as a body of knowledge that can be developed through the

application of a variety of methods based on the existing interpretive and positivist

paradigms.

Various researchers proposed various comprehensive methodologies and processes to

conduct design science research (Peffers et al., 2008; Vaishnavi & Kuechler, 2007; McKay &

Marshall, 2005; Hevner et al., 2004; Walls et al., 1992). However, these methodologies and

processes share in common the two core activities identified by Hevner et al. (2004) in their

framework of information systems. These two core activities are: develop/build the artifact;

justify/evaluate the artifact. The framework of Hevner et al. (2004) is shown in Figure 3.4.

A brief description of the framework is provided here.

The environment consists of people, organization and technology. Goals, tasks, problems and

opportunities that create the business needs of the organization lie in the environment.

Business needs are realized by the people of the organization depending on their roles,

capabilities and characteristics. Strategies, structure, culture and business processes of the

organization are used to assess and evaluate business needs. Existing and planned

technological infrastructure, applications, communication architectures and development

capabilities shape the strategies, structure, culture and business processes of the organization.

In this way, people, organization and technology altogether define the business needs or

problem. The research relevance is ascertained when research activities are formulated to

address the business needs.

IS research is conducted in two complementary phases for such articulated business needs (Hevner et al., 2004). Behavior science research builds and justifies theories to describe or forecast phenomena relevant to the known business needs, whereas design science research builds and evaluates artifacts to fulfill the known business needs. Both types of research use justify/evaluate activities to discover weaknesses in the theory and artifact. Therefore, refinement and reassessment are needed. Future research directions are typically addressed in the refinement and reassessment process.

[Figure 3.4: Information Systems research framework (Hevner et al., 2004). The diagram has three panels. Environment: People (roles, capabilities, characteristics), Organization (strategies, structure and culture, processes) and Technology (infrastructure, applications, communication architecture, development capabilities). IS Research: Develop/Build (theories, artifacts) and Justify/Evaluate (analytical, case study, experimental, field study, simulation), linked by Assess and Refine. Knowledge Base: Foundations (theories, frameworks, instruments, constructs, models, methods, instantiations) and Methodologies (data analysis techniques, formalisms, measures, validation criteria). Business needs link the Environment to IS Research (relevance) and applicable knowledge links the Knowledge Base to IS Research (rigor); the outputs are application to the appropriate environment and additions to the knowledge base.]

The knowledge base consists of foundations and methodologies to provide raw material to

conduct information system research. Theories, frameworks, instruments, constructs, models,

methods and instantiations from the previous information system research and related

disciplines are used for develop/build phase of the research. Guidelines for justify/evaluate

phase are provided by methodologies. Through the proper utilization of prior foundations and

methodologies, the rigor is accomplished. Methodologies are mainly used in behavior

science research for data collection and empirical analysis whereas mathematical and

computational techniques are mainly applied in design science research to evaluate the

artifacts. In design science, empirical techniques can also be used.

The researcher adopted the design science research approach in line with Hevner et al. (2004) to

develop and evaluate an IT governance implementation framework for PakPSOs due to the

following reasons:

1) Design science research is capable of developing and evaluating IT artifacts to solve

known problems in organizations.

2) Design science research is highly associated with behavioral science research.

3.3.4.2 Phase Methodology

According to design science research, a framework is iteratively built in two phases: develop;

and evaluate (Hevner et al., 2004). Therefore, two iterations were performed in the

development phase and one in the evaluation phase. In iteration 1, the initial IT governance

implementation framework (initial version) was built based on the results of research phase 3,

existing knowledge base and focus groups' opinion in PakPSOs. In iteration 2, the initial

version of the framework was extended and enhanced through interview and survey research

using empirical data from the heads of IT and business units having experience on the

strategic management of IT in PakPSOs. This resulted in an enhanced IT governance

implementation framework (first version). In iteration 3, the enhanced framework was

evaluated in a real business environment in one of the PakPSOs. This resulted in the proposed

IT governance implementation framework (second version). In this way, the methodology of this phase, which is the framework development and evaluation process, has been adopted from Nfuka and Rusu (2013). They have already applied this methodology in their study of the framework development and evaluation process.

The framework development and evaluation process is shown in Figure 3.5.

Iteration 1: Developing Initial Version of the Framework

The initial version of the framework was developed based on the results of research phase 3

and extended with the existing knowledge base and focus groups' opinion in PakPSOs. The

basic building blocks of the initial version were the IT governance practices identified and

validated in research phases 2 & 3 respectively. In research phase 2, the most influential and

relevant IT governance practices in terms of CSFs were identified and operationalised in

PakPSOs. In research phase 3, the identified practices were validated through survey-based quantitative research in PakPSOs. As a result, a total of 11 IT governance practices were found to be relevant and effective to this environment i.e. PakPSOs.

[Figure 3.5: Framework development and evaluation process. Development phase, iteration 1: build and extend the framework (initial version), initially based on the results of research phase 3 and extended with the existing knowledge base and focus groups' opinion of 35 IT and management personnel in 6 PakPSOs. Development phase, iteration 2: enhance the framework (first version), based on interviews of 46 heads of IT and business in 23 PakPSOs having rich experience in strategic management of IT and business, complemented by interviews of 5 related industry/academic experts. Evaluation phase, iteration 3: evaluate the framework (second version), based on a case study in one of the PakPSOs, complemented with the qualitative and quantitative opinion of 27 IT and management personnel.]

However, the validated set of IT governance practices provided only the high level view. It

provided no guidance on how to implement the relevant actions for each guiding IT

governance practice to meet the claimed objective of the framework. In order to ensure the

relevant actions to be employed for each guiding IT governance practice, activities

(checkpoints) were introduced in the initial version. Due to the scarcity of this kind of

previous research in PakPSOs, the researcher adopted these activities from the existing

literature. The activities were adopted mainly from the studies of Alreemy et al. (2016),

Razak and Zakaria (2014), Nfuka and Rusu (2013), Aggarwal (2010), Tan et al. (2009), Lee

et al. (2008), De Haes and Van Grembergen (2008), Hoch and Payan (2008), Lawry et al.

(2007), Bowen et al. (2007), PwC and ITGI (2006), Guldentops (2004), Weill and Ross

(2004), Weill (2004), ITGI (2003), Ribbers et al. (2002), Luftman et al. (1999) and Teo and

Ang (1999) etc. A total of 62 activities were adopted from the existing literature for the 11 IT governance practices (four to eight activities for each practice) and operationalised in PakPSOs through focus groups' opinion in order to develop the initial version.

The role for each activity was also incorporated into the initial version due to the relegation of IT issues and lack of IT ownership in the PSOs of developing countries and their overall less effective governance (Nfuka & Rusu, 2013). A role is a set of duties, rights, norms and behavior that an individual or group of individuals has to face and accomplish (Hindin, 2007). The suitable role for each activity was adopted from the existing literature. The COBIT framework suggests 19 roles. However, these roles are complex and exhaustive, and not all organizations employ all of them (Simonsson & Johnson, 2008). Simonsson and Johnson (2008) arranged the 19 roles of COBIT into five categories, which resulted in five roles: executives; business; IT management; IT operations; and compliance, audit, risk and security. Therefore, the researcher adopted these five roles from the study of Simonsson and Johnson (2008) and operationalised them in PakPSOs through focus groups' opinion in order to develop the initial version.

The existing literature on IT governance and related frameworks also highlights the need of

effective management and use of IT resources for success (ITGI, 2007; Peterson, 2004). The

need is even greater in this study environment due to the scarcity of adequate IT, developed

human and sufficient financial resources. ITGI (2007) classified IT resources into four types:

applications; information; infrastructure; and people. Therefore, four IT resources to perform each activity were adopted from ITGI (2007) in order to develop the initial version.

The environment is also accounted as an important element of any framework. Due to the

operating culture of PakPSOs and state of IT in these organizations and overall in the

country, the environment was incorporated as another element of the framework. Although the environment lies outside the system's control, some aspects of the system's performance are influenced by the environment (Schoderbek et al., 1990). For the current study, the researcher operationalised the environment as national level IT-related

strategies & policies (Digital Pakistan Policy, 2017 and National IT Policy and Action Plan,

2001), E-government strategies, policies, regulation & infrastructure (E-government Strategy

and Five Years Plan for Federal Government, 2005, E-government strategy, 2012, E-

government strategy, 2015) and IT governance standards and best practices (COBIT, ITIL,

ISO/IEC 38500 etc.) implemented to some extent in some of the PakPSOs.

Another important element of the framework is the organization in which it is implemented.

Although things may vary based on the type and nature of the organization and especially the services that it provides to the public, a framework is generally supposed to be aligned and to interact with its strategies & policies, structures & systems and objectives & goals.

Therefore, the researcher operationalised the organization as organizational strategies &

policies, organizational structures & systems and organizational objectives & goals for

sustainable success.

As aforesaid, an initial list of activities, roles and IT resources was developed from the

relevant literature as shown in Table 7.1, Table 7.2 and Table 7.3 respectively of chapter 7. A

case study protocol was developed as proposed by Yin (2003). The major questions asked are

given in Appendix-VI & VII. The data collection process was commenced in March, 2016. A

total of six focus groups were formed in six PakPSOs i.e. one focus group in each of the

PakPSOs. The respondents mainly consisted of IT/business directors, deputy directors

and IT project directors well-versed in managing public sector IT related matters. Persons at

the level equivalent to CIOs in the organizations assisted to arrange the focus groups. A total

of 35 personnel participated in the focus groups. The distribution of the respondents in the six

studied PakPSOs is shown in Table 7.4 of chapter 7. There were five to seven members in

each focus group representing both IT and business management in order to discuss and

develop consensus on each activity, its suitable role and its appropriate IT resource. The

focus groups were conducted in two rounds. In the first round, the respondents were

requested to provide feedback on each activity, assign a suitable role to each activity and

choose an appropriate IT resource for each activity as shown in Appendix VI. They were

allowed to add, delete and change activities, roles and IT resources as per their business

settings. No other feedback was solicited at this stage. The purpose was to operationalize the

predefined list of activities, roles and IT resources in PakPSOs. The interview notes were

used to record the responses. Content analysis was applied for data analysis. In the second

round, the respondents were requested to rate each activity for its “perceived effectiveness”

on a scale from 1 (not effective) to 5 (very effective) and its “perceived ease of

implementation” on a scale from 1 (not easy) to 5 (very easy) as shown in Appendix VII.

EDA was applied for data analysis. The activities with scores equal to or above 60% on both

perceived effectiveness and ease of implementation were selected for the initial version.

Consequently, the initial version of the framework was built with all of the aforesaid

components i.e. activities, roles, IT resources, environment and organizational strategies,

structures & systems and goals. The initial version of the IT governance implementation

framework is shown in Figure 7.2 of chapter 7.

Iteration 2: Developing First Version of the Framework

In iteration 2, the initial version of the framework was enhanced through the interviews of 46

personnel in 23 PakPSOs mainly heads of IT and business having rich experience in strategic

management of IT and business. This was also complemented by the interviews of 5 related

industry experts. The respondents' profile is shown in Table 7.7 of Chapter 7. The purpose

was the general enhancement of the framework through new or improved activities,

suitability of the assigned roles and IT resources. A case study protocol was developed as

proposed by Yin (2003). Semi-structured interviews were conducted using a questionnaire

developed based on the components of the initial version. The major questions asked are

given in Appendix-VIII. The interviews were tape-recorded and conducted in the national language and were later translated into English. The collected data were analyzed using content analysis, through which structures and pattern regularities are searched for in the text and inferences are made based on these regularities (Myers, 2008). The analyzed data were then categorized and incorporated into the framework. The process resulted in the first

version of the framework. The first version of the IT governance implementation framework

is shown in Figure 7.3 of chapter 7.

Iteration 3: Finalizing Second Version of the Framework

The purpose of iteration 3 was to evaluate the first version of the framework in one of the

PakPSOs ending up in the second version. However, little work in the design science research

arena has addressed the choice of strategies for evaluation (Pries-Heje et al., 2008). Here is a

brief overview of some of the studies. Walls et al. (1992) introduce the notion of discrete

testable hypotheses for explicitly evaluating two components of information system design

theories: the design process; and the design product (meta-design) in their ability to achieve

meta-requirements. However, they provide no guidance on how to evaluate but the

presumption seems to be a positivist approach. March and Smith (1995) emphasize

evaluation as one of the two activities in design science: build and evaluate. They argue that

evaluation regards the development of criteria and the assessment of the artifact's

performance in comparison to the criteria. Among their seven guidelines, Hevner et al. (2004)

require researchers to rigorously evaluate design artifacts. They summarize five kinds of

evaluation methods (analytical, case study, experimental, field study and simulation).

However, they do not provide much guidance in choosing among extant evaluation methods.

Venable (2006) classified design science research evaluation approaches into two primary

forms: naturalistic and artificial evaluation. He argues that naturalistic evaluation explores

the performance of a solution technology in its real environment i.e. within the organization,

whereas artificial evaluation evaluates a solution technology in a contrived and nonrealistic

way. Sun and Kantor (2006) make a distinction between naturalistic and artificial evaluation.

They argue that naturalistic evaluation relates closely to natural setting which involves real

users using real systems to solve real problems i.e. to accomplish real tasks in real settings,

whereas artificial evaluation is unreal in some way or ways such as unreal users, unreal

systems, and especially unreal problems. Naturalistic evaluation methods include case

studies, field studies, surveys, ethnography, phenomenology, hermeneutic methods, and

action research, whereas artificial evaluation methods include laboratory experiments, field

experiments, simulations, criteria-based analysis, theoretical arguments, and mathematical

proofs (Pries-Heje et al., 2008). Naturalistic evaluation is always empirical and may be

interpretive, positivist, and/or critical, whereas artificial evaluation may be empirical or non-

empirical (Walls et al., 1992). Pries-Heje et al. (2008) describe that naturalistic evaluation

embraces all of the complexities of human practice in real organizations and may be difficult

and costly because it must discern the effects of many confounding variables in the real

world. They argue that, to the extent that naturalistic evaluation is affected by confounding

variables or misinterpretation, evaluation results may not be precise or even truthful about an

artifact's utility or efficacy in real use. Klecun and Cornford (2005) described two

perspectives of information system evaluation: ex ante and ex post evaluation. They argued

that in the ex ante perspective, candidate systems or technologies are evaluated before they

are chosen and acquired or implemented, whereas in the ex post perspective, a chosen system

or technology is evaluated after it is acquired or implemented. Pries-Heje et al. (2013)

propose ex ante perspective for artificial evaluation and ex post perspective for naturalistic

evaluation. However, they claim that more naturalistic forms of ex ante evaluation are also

possible. Venable (2006) uses ex post perspective largely in his study but he also

accommodates ex ante perspective. Purao and Storey (2008) propose that the Technology

Acceptance Model (Davis, 1989) can be used as a predictive theory (Gregor, 2006) to

evaluate whether a design science research artifact is likely to be adopted in practice or

otherwise.

In this study, the researcher adopted the evaluation approach of Hevner et al. (2004) as it covers

both naturalistic and artificial evaluation. Hevner et al. (2004) proposed five approaches for

evaluation of a developed artifact against the utility it provides in the business environment.

These five approaches are: analytical, case study, experimental, field study and simulation.

However, the case study approach was selected because of the context of the framework and

the need for a real business environment within which PakPSOs operate. Therefore, the

researcher selected one of the PakPSOs (referred to as organization M in this study) to evaluate

the proposed framework. The selection of the organization was based on its relatively mature

IT structures, processes and experienced IT/management personnel. All these were

considered for valuable inputs to evaluate the framework.

A case study protocol was developed as suggested by Yin (2003) based on the studies of

Walford (1990) and Clementi and Carvalho (2006) to measure the effectiveness of the

framework. Semi-structured interviews of 27 IT and business personnel from top

management to operational management were conducted in organization M. The

respondents' profile in case study for evaluating the framework is shown in Table 8.4 of

chapter 8.

A questionnaire was handed over to the respondents and considerable time was granted to them

to review it and answer the questions. The major questions asked during the evaluation of the

framework are given in Appendix-IX. The validity was assured by inspecting organizational

documents such as IT-related policies, strategies, plans, procedures, structures, frameworks,

annual and performance reports etc. to triangulate with the respondents' views. The researcher

gathered those documents before the interviews with the help of the person equivalent to CIO

of the organization.

The following evaluation criteria were applied:

(1) Formal description to meet the need for no ambiguity

(2) Definable activities through understandability of the framework

(3) Completeness of the framework to ensure no additional activities are needed

(4) Activities to be capable of implementation

Two more evaluation criteria were applied as suggested by Hevner et al. (2004).

(5) Usability via measuring ease of use

(6) Fit by measuring the usefulness of the framework in the organization

Each evaluation criterion was assessed quantitatively on a five-point Likert scale ranging

from 1 (strongly disagree) to 7 (strongly agree). EDA was applied for data analysis.

Qualitative opinion was also sought for the further improvement of the framework which was

tape-recorded originally in national language and later converted into English language. The

said evaluation criteria were also applied by Nfuka & Rusu (2013). The process resulted in

the second version of the framework. The second version of the IT governance

implementation framework is shown in Figure 8.5 of chapter 8.

3.4 Validity and Reliability

In social science methods, the most applied aspects to meet research quality are construct

validity, internal validity, external validity and reliability (Yin, 2003). Therefore, this study

only focuses on construct validity, internal validity, external validity and reliability. Other

types of validities such as face validity, content validity and criterion validity etc. are not the

focus of this study.

3.4.1 Construct Validity

It deals with the exact operational measures for the concepts and how these concepts are

operationalised for credible interpretations of collected data (Yin, 2003). For case study

research in phases 1, 2 & 4, the construct validity was assured by applying the three tactics

suggested by Yin (2003) which are: use of multiple sources of evidence; use of chain of

evidence; and a review of the case study report by the key informants. The interviews, focus

groups and questionnaires were used to provide multiple sources of evidence. This allows

triangulation, which helps in developing a convergent line of enquiry (Patton, 1987). It also minimizes the bias created by interview/respondent dialogues. A derivation of evidence from the initial research questions to the conclusion was part of the research design to provide a chain of evidence. A draft report was sent back to the organization for assessment by the key informants, who were asked to provide a review of the case study report to increase the quality of results. The detail is given in corresponding chapters 4, 5, 7 & 8.

For survey research in phase 3, statistical construct validity was assured through convergent

and discriminant validity as proposed by Hair et al. (2006) for correct operational measures.

The detail is given in corresponding chapter 6.

3.4.2 Internal Validity

It deals with the internal design of the research and establishes the rigor with which research

is conducted (Brewer, 2000). Due to exploratory and confirmatory nature of this study,

strategies were developed to collect and analyze data that guided towards the conclusions.

For exploratory study in phases 1, 2 & 4, all relevant evidence was provided and used to

reach the conclusions. Well-established theoretical categories and subcategories from the

relevant literature were used for content analysis. Emerging subcategories during the process

of data analysis were also applied. The detail is given in corresponding chapters 4, 5, 7 & 8.

For confirmatory research in phase 3, a research model was developed to test the correlating

effect of IT governance practices on IT outcomes. The detail is given in corresponding

chapter 6.

3.4.3 External Validity

External validity is the generalisability of a study (Yin, 2003). For case study research in

phases 1, 2 & 4, external validity was assured through the use of a considerable number of respondents at various management levels, comprising both IT and business personnel. The detail

is given in corresponding chapters 4, 5, 7 & 8.

For survey research in phase 3, external validity was assured through statistical generalization

i.e. using representative sample from the population. The detail is given in corresponding

chapter 6.

3.4.4 Reliability

Reliability is the consistency of the measurement (Trochim & Donnelly, 2007). For case

study research in phases 1, 2 & 4, the researcher applied case study protocols and databases

as suggested by Yin (2003) to increase the reliability. Important procedures for case design

were outlined and documented. In advance, the researcher prepared case study overviews,

instruments for data collection, list of evidence and a guide for the report. A case study

database for linking case study notes and documents was established. Moreover, the

interview protocols were developed and used in such a way that these provided same format

and sequence of the questions so that each respondent can understand them in the same way.

The detail is given in corresponding chapters 4, 5, 7 & 8.

For survey research in phase 3, the correctness of the questionnaire was first checked by the

two experts in PakPSOs and then its reliability was checked through pilot study and actual

study as proposed by Fowler (2002). Average variance, Cronbach's alpha and composite

reliability measures were used to estimate internal consistency in both cases. The detail is

given in corresponding chapter 6.

3.5 Research Ethics

The purpose of complying with ethics in research is to make sure that no one suffers

adverse consequences from the research activities (Cooper & Schindler, 2006). The ethical

standards for doing research were strictly followed by the researcher during the course of this

research study. The obligation of the researcher was not only professional but also ethical to

make wise judgment and use discretion where required to solve the ethical issues as

suggested by Lancaster (2005). The respondents who participated in this research study were

assured by the researcher that their privacy would be kept intact at all times during and after

the research. The researcher also ensured the conformance of this research study with

the ethical code of practice in research of the Center for Advanced Studies in

Engineering (CASE). A formal application for ethics approval was sent to the respondents

before the data collection phase. Consent of the respondents for their willingness to

participate in the study was sought by the researcher on consent form. An option was given to

each respondent on consent form to withdraw from the data collection phase at any time at

his/her own discretion.

3.6 Chapter Summary

In this chapter, the research methodology applied to conduct this research has been described

in detail. The overall research process undertaken to conduct this research and issues of

validity and reliability have been discussed. The summary of important points of this chapter

is as under:

The main objective of the study was to develop and evaluate an IT governance

implementation framework for PakPSOs using design science research approach. In

order to achieve this objective, the study was broken into four research phases i.e.

research phases 1, 2, 3 & 4. Mixed methods research approach was applied to conduct

this research.

The main purpose of research phase 1 was to assess the existing state of IT

governance in PakPSOs in terms of maturity, previously unidentified, and compare it

with a developed country, a developing country and the international public sector

benchmark for learning, benchmarking and embracing best practices. A multi-case

study approach was applied under interpretive research paradigm to serve this

purpose.

The main purpose of research phase 2 was to identify the relevant IT governance

practices in PakPSOs in terms of CSFs. Systematic literature review process

complemented with multi-case study approach under interpretive research paradigm

was applied to achieve this purpose.

The main purpose of research phase 3 was to investigate the statistical effect of

identified IT governance practices of research phase 2 on IT outcomes in PakPSOs.

Survey research method under positivist research paradigm was applied to fulfill this

purpose.

The main purpose of research phase 4 was to develop and evaluate an IT governance

implementation framework for PakPSOs. Design science research approach was

applied to accomplish this task. The basic building blocks of the framework were the

IT governance practices identified in research phase 2 and further validated in

research phase 3. The framework was iteratively built. Two iterations were performed

in the development phase and one in the evaluation phase. A multi-case study

approach was applied in the development phase and single case study approach was

applied in the evaluation phase.

The validity and reliability issues in qualitative research in research phases 1, 2 & 4

were addressed through the guidelines provided by Yin (2003) i.e. the use of multiple

sources of evidence; use of chain of evidence; and a review of case study report by the

key informants in case of validity and use of case study protocols and databases in

case of reliability.

The validity and reliability issues in quantitative research in research phase 3 were

addressed through convergent and discriminant validity.

This research was undertaken following the ethical standards.

4 Existing State of IT Governance in Public Sector Organizations of Pakistan

4.1 Chapter Objectives

This chapter provides the results of research phase 1, discussion on the results and conclusion

made based on the results. The main purpose of research phase 1 was to determine and

analyze the existing state of IT governance in PakPSOs in terms of maturity, previously

unexplored and compare it with a developed country (Australia), a developing country

(Tanzania) and the international public sector benchmark for learning, benchmarking and

embracing best practices. This was paramount to understand the relevant IT governance

context of PakPSOs and explore further research activities in these organizations. This was in

response to the first research question of this study, RQ1: “What is the existing state of IT

governance in PakPSOs?” This was achieved by assessing IT governance maturity in the

selected six PakPSOs based on the 15 most important and public sector relevant IT processes

of COBIT framework. The detailed methodology and research process of this phase is given

in section 3.3.1 of chapter 3. The results indicated that PakPSOs performed better than the

developing country (Tanzania) but poorer than the developed country (Australia) and the

international benchmark. Moreover, the weak areas in PakPSOs were also identified for

improvement. The rest of the chapter proceeds as follows. In the second section, data

analysis, results and discussion are provided. The conclusion and further research directions

are given in the third section. The last section provides the summary of important points of this

chapter.

4.2 Results and Discussion

4.2.1 Distribution of the Respondents in the Six Studied PakPSOs

The researcher visited six PakPSOs. A total of 28 respondents participated in the focus group

sessions and interviews. The distribution of the respondents in each studied organization with

mode of data collection is shown in Table 4.1.


Table 4.1 shows that in each studied PakPSO, both IT and business management personnel

were among the respondents which provided triangulation i.e. use of data from multiple

sources to increase confidence in the results. A total of 16 IT management and 12 business

management personnel were among the respondents in the six studied PakPSOs. Table 4.1

also shows that focus groups were used in only three PakPSOs because focus groups were

not feasible or were simply denied in the other three PakPSOs. Therefore, interviews were conducted

in the remaining three PakPSOs. Five to seven personnel representing both IT and business

management participated in the focus groups and three to five personnel participated in the

interviews in the studied PakPSOs.

Table 4.1: Distribution of the respondents in the six studied PakPSOs

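| | NADRA (Interviews) | HEC (Focus group) | NTC (Focus group) | FBR (Interviews) | NITB (Focus group) | AGPR (Interviews) | Total |
|---|---|---|---|---|---|---|---|
| IT Management | 2 | 3 | 3 | 2 | 4 | 2 | 16 |
| Business Management | 1 | 2 | 2 | 1 | 3 | 3 | 12 |
| Total | 3 | 5 | 5 | 3 | 7 | 5 | 28 |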

4.2.2 IT Governance Maturity of the Studied PakPSOs

The average maturity levels of the 15 IT processes across the six studied PakPSOs are shown

in Table 4.2. This shows that the average maturity of the six studied PakPSOs was 2.24,

ranging from 1.65 to 3.05, and the majority of the processes (10 out of 15 or 67%) were above the

maturity level 2. The bottom side was at maturity level 1 (Initial/Ad-Hoc) which represents

that organizations recognized the existence of issues which need to be solved. However, the

issues were not solved through standardized processes but through ad-hoc approaches which

were adopted on individual or case-by-case basis. The top side was at maturity level 2

(Repeatable but Intuitive) (with an exception of the process “DS11- Manage Data” with

maturity level 3.05) which represents that processes had built-up to the extent where different

people executing same tasks pursued similar procedures but revealed the absence of formal

training and communications of standard procedures. There was great dependence on individuals'

knowledge, and errors were expected to occur. In conclusion, in order to improve the IT

governance maturity in the PakPSOs and consequently IT governance performance, these

concerns need to be addressed.


Table 4.2: Average maturity levels of the 15 IT processes across the six studied PakPSOs

| IT Process | Average Maturity Level |
|---|---|
| PO1-Define a Strategic IT Plan | 2.42 |
| PO3-Determine Technological Direction | 2.31 |
| PO4-Define the IT Process, Organization and Relationships | 2.33 |
| PO5-Manage the IT Investment | 2.65 |
| PO6-Communicate Management Aims and Direction | 1.65 |
| PO9-Assess and Manage IT Risks | 1.80 |
| PO10-Manage Projects | 2.40 |
| AI1-Identify Automated Solutions | 2.45 |
| AI2-Acquire and Maintain Application Software | 1.82 |
| AI6-Manage Changes | 1.94 |
| DS1-Define and Manage Service Levels | 2.34 |
| DS4-Ensure Continuous Service | 2.18 |
| DS5-Ensure System Security | 2.36 |
| DS11-Manage Data | 3.05 |
| ME1-Monitor and Evaluate IT Performance | 1.91 |
| Average maturity levels of 15 IT processes across the six studied organizations | 2.24 |

4.2.3 Process Level Comparison

Different processes demonstrated different maturity levels and some performed better than

the others.

The process “DS11-Manage data” performed better than the others. This might be due to the

extra efforts that the government has made over the past decade to store and preserve government data

and citizens' records electronically for better decision making regarding the menace of terrorism,

revenue and taxation, higher education and other economic matters. This finding was

consistent with the previous study of a developing country (Nfuka & Rusu, 2010). The other

process that performed relatively better than the others was “PO5- Manage the IT

investment”. This was not a surprising result because in most of the studied PakPSOs, almost all


the IT initiatives are executed in the form of projects through development budget from

Ministry of Planning, Development and Reforms. The ministry also has its own budgetary

mechanism and procedures regarding scrutiny and evaluation. This finding was consistent

with the previous study of a developed country (Liu & Ridley, 2005). Other processes that

performed at or above maturity level 2 were “DS5- Ensure systems security”, “DS1- Define

and manage service levels”, “PO10-Manage projects”, “PO4- Define the IT processes,

organization and relationships”, “PO1- Define a strategic IT plan”, “AI1- Identify automated

solutions”, “PO3- Determine technological direction”, “DS4- Ensure continuous service”,

“AI6- Manage changes”.

The process “PO6-Communicate management aims and direction” performed more poorly than the

others. This was due to the lack of proper mechanisms for dissemination of information,

control and quality management environment to rest of the organization. Policies, procedures

and standards are inconsistent and restricted to only top management and communicated to

concerned individuals only on ad-hoc basis through informal channels. This finding is almost

consistent with the previous study of a developed country (Liu & Ridley, 2005). Another

process that performed relatively poorer than the others was “PO9-Assess and manage IT

risks”. The reason could be that IT risks are considered through ad hoc approaches

on a project-to-project basis. Risks are usually defined in the project

plan and not assigned to a specific individual. Even IT risks such as security, availability and

integrity are not defined in project plan. Day-to-day operations are not discussed in

management meetings. This finding is almost consistent with the previous study of a

developing country (Nfuka & Rusu, 2010). Other processes that performed below maturity

level 2 were “AI2- Acquire and maintain application software” and “ME1- Monitor and

evaluate IT performance”.

4.2.4 Domain Level Comparison

Different domains demonstrated different maturity levels and some showed higher maturity

than the others. The domain wise average maturity of the 15 IT processes across the six

studied PakPSOs is shown in Figure 4.1.

We can see that the domain “Deliver and Support (DS)” showed higher maturity than

the others. This finding is inconsistent with the previous study which revealed that public sector

showed higher maturity in planning domain due to presence of policies and regulations


(Guldentops et al., 2002). However, the domain “Planning and Organize (PO)” showed the

second highest maturity level. This means the PakPSOs were relatively weaker in planning than in

support. The domain “Monitor and Evaluate (ME)” showed lower maturity than the others,

which means the PakPSOs were weak in performance measurement which was also evident

from a previous study which revealed that PSOs were weak in performance measurement

(Weill & Ross, 2004).

Figure 4.1: Domain wise average maturity of the 15 IT processes in the six studied PakPSOs

4.2.5 Organizational Level Comparison

Different organizations demonstrated different maturity levels and some performed better

than the others. Figure 4.2 shows the maturity level of each of the six studied PakPSOs based on the 15

IT processes.


Figure 4.2: Maturity levels of the six studied PakPSOs for the 15 IT processes

We can see from Figure 4.2 that NADRA showed the highest maturity as compared to the

other organizations. This was due to the higher maturity levels of majority of the processes.

The processes “DS11-Manage Data” and “DS5-Ensure System Security” were more mature

than the others. On the other hand, the processes “AI6- Manage Changes” and “AI2- Acquire

and Maintain Application Software” were less mature than the others. The possible reason for

the more mature processes might be that NADRA has the mandate of national database

and registration. Managing data and related activities are among the core functions of

NADRA. It has a world class system to acquire, store and preserve data related to national

identity as claimed by the sources in NADRA. However, change management in NADRA was

less mature, which is also common in PSOs due to complex decision making

structures (Sethibe et al., 2007), but low maturity for the process “AI2- Acquire and Maintain

Application Software” was a surprising result. The second most mature organization was HEC. The

processes “DS11- Manage Data” and “AI1-Identify Automated Solutions” were more mature

than the others. This might be due to the mandate of HEC to acquire and preserve data of


universities/institutes of higher education across the country regarding enrolment, degree

verification and attestation, scholarship schemes, digital library etc. and provision of

consultancy about IT based services to universities/institutes. On the other hand, the

processes “DS4-Ensure Continuous Service” and “AI2-Acquire and Maintain Application

Software” were less mature and need to be improved. The average maturity of NTC was 2.33.

The processes “DS11-Manage Data” and “PO10-Manage Projects” were more mature than

the others. This could be due to the mandate of NTC for the provision of data, web hosting

facility and Internet services to all PakPSOs. On the other hand, the processes “DS4-Ensure

Continuous Service” and “AI6-Manage Changes” were less mature. FBR exhibited average

maturity level of 2.08. The processes “DS11-Manage Data” and “DS4- Ensure Continuous

Service” were more mature than the others. This might be due to the mandate of FBR for

provision of revenue and taxation related IT based services. On the other hand, the processes

“PO6- Communicate Management Aims and Direction” and “AI2-Acquire and Maintain

Application Software” were less mature. NITB was restricted to an average maturity level of

1.96. The processes “PO10- Manage Projects” and “PO1-Define a Strategic IT Plan” were

more mature than the others. This could be due to the mandate of NITB to execute IT projects

in PakPSOs as per National Action Plan and the provision of IT consultancy to PakPSOs and

training to government employees. On the other hand, the processes “AI2-Acquire and

Maintain Application Software” and “PO6-Communicate Management Aims and Direction”

were less mature. AGPR performed lower than all the other organizations. The processes

“DS11-Manage Data” and “DS4- Ensure Continuous Service” were more mature than the

others. On the other hand, the processes “PO6- Communicate Management Aims and

Direction” and “PO10- Manage Projects” were less mature. In conclusion, all the studied

PakPSOs except NITB were more mature in managing data but majority of them were less

mature in acquiring and maintaining application software.

4.2.6 Comparison of PakPSOs with Others

Finally, the average maturity of the 15 IT processes across the six studied PakPSOs was

compared with the similar study of the selected PSOs of a developed country (Australia), a

developing country (Tanzania) and internationally across a range of nations. The average

maturity levels of the same 15 IT processes were already measured in the selected Australian

PSOs, Tanzanian PSOs and the public sector across a range of nations by Liu & Ridley


(2005), Nfuka & Rusu (2010) and Guldentops et al. (2002), respectively. As the data for the

studied Australian PSOs is from a 2005 publication, for the studied Tanzanian PSOs is from a

2010 publication and for the studied international public sector benchmark is from a 2002

publication and none of the studies used a representative sample of the PSOs of its respective

country, therefore, the numerical comparison could not be made. However, a qualitative

discussion was made for the purpose of comparison of the studied PakPSOs with these three

benchmarks to have an insight into the existing state of IT governance in PakPSOs. The

results of comparison indicated that majority of the processes in the six studied PakPSOs

performed lower than the studied Australian PSOs. However, the process “DS11-Manage

Data” performed similar to the studied Australian PSOs. It means that the studied PakPSOs

are relatively good at managing data and related activities. For other processes, the studied

PakPSOs should learn from the studied Australian PSOs and improve lower performed

processes. Moreover, majority of the processes in the six studied PakPSOs performed lower

than the studied international public sector benchmark. It means that the studied PakPSOs

were still poorer than the studied international public sector benchmark despite a long time

span between the two studies. Therefore, there is an urgent need to improve lower performed

processes in the studied PakPSOs. Two processes “DS11- Manage Data” and “PO5- Manage

the IT Investment” performed better than the studied international benchmark. However, the

process “PO1-Define a Strategic IT Plan” performed similar to the studied international

public sector benchmark. Furthermore, most of the processes in the studied PakPSOs

performed better than the studied Tanzanian PSOs. Among other things, this might also be

due to the time span between the two studies. However, four processes performed lower than

the studied Tanzanian PSOs. Also, the process “ME1-Monitor and Evaluate IT

Performance” performed similar to the studied Tanzanian PSOs. It means the studied

PakPSOs must pay special focus to lower performed processes because these are less mature

even than a developing country. In conclusion, the studied PakPSOs performed better than

the studied Tanzanian PSOs whereas poorer than the studied Australian PSOs and the studied

international public sector benchmark.

4.3 Conclusion and Further Research

The objective of research phase 1 was “To determine and analyze the existing state of IT

governance in PakPSOs in terms of maturity”. This was achieved by assessing IT governance


maturity of the selected six PakPSOs in the perspective of a developing country through case

study research method and comparing it with similar studies of a developed country

(Australia), a developing country (Tanzania) and internationally across a range of nations

against a similar benchmark for learning and embracing best practices. The results revealed

that the average maturity level of the 15 IT processes across the six studied PakPSOs was

2.24, ranging from 1.65 to 3.05, and the majority of the processes (10 out of 15 or 67%) were

above maturity level 2. The majority of the PakPSOs were more mature in managing data but

less mature in acquiring and maintaining application software. The studied PakPSOs

performed poorer than the studied Australian PSOs and the studied mixed international public

sector organizations. However, these performed better than the studied Tanzanian PSOs.

Many processes were identified where public managers in the PakPSOs should focus to

improve IT governance maturity and consequently IT governance performance. This helped

to achieve the first objective of this study i.e. RO1: “To determine and analyze the existing

state of IT governance in PakPSOs in terms of maturity”.

This research phase also provides important implications for both practitioners and academia.

From practitioners' point of view, the study provides guidance for decision-makers in

PakPSOs to optimize their IT-related plans and use of scarce resources by directing focus on

weak areas and ultimate improvement in public service delivery. By understanding the

relative importance of IT processes, public managers can prioritize limited resources

accordingly. Moreover, the study provides a reference benchmark of maturity levels of IT

processes in public sector of Pakistan which was previously unavailable. For academia, the

results may be used to broaden the scope of IT processes for successful implementation of IT

governance in the context of PSOs of developing countries.

This study was restricted to only six PakPSOs because others were not at the level of

sufficient IT deployment and hence away from the concept of knowledge-based

organizations. The research can be extended in future by including more PakPSOs because the

E-Office suite is being deployed throughout the federal government ministries/divisions.

Moreover, the study is limited to the PSOs of Federal government. This can be extended to

provincial governments' organizations because IT investments are also increasingly being

made in these organizations.


4.4 Chapter Summary

In this chapter, the results of research phase 1 with discussion and conclusion have been

provided in detail. The summary of important points of this chapter is as under:

• The average maturity level of the 15 IT processes of the COBIT framework across the six studied PakPSOs is 2.24, ranging from 1.65 to 3.05, with the majority of the processes above maturity level 2, which shows that PakPSOs are at the repeatable but intuitive stage.

• The process “DS11-Manage data” performed better than the others whereas the process “PO6-Communicate management aims and direction” performed poorer than the others. This means PakPSOs are better in managing data but poorer in communicating IT-related plans and strategies.

• The domain “Deliver and Support (DS)” showed higher maturity than the others whereas the domain “Monitor and Evaluate (ME)” showed lower maturity than the others. This means PakPSOs are better in delivery and support of IT-related services but poorer in performance measurement and evaluation.

• The average maturity of the 15 IT processes in the studied PakPSOs is lower than that of the studied Australian PSOs as a developed country and of the studied international public sector benchmark as well. However, it is higher than that of the studied Tanzanian PSOs as a developing country. This shows the studied PakPSOs performed poorer than the studied PSOs of a developed country and the international public sector benchmark. However, these performed better than the studied PSOs of a developing country.

The aforesaid findings of the study not only provide an in-depth understanding of the IT governance context of PakPSOs but also show the need for further research to implement effective IT governance in this environment.


5 IT Governance Practices in Public Sector Organizations of Pakistan

5.1 Chapter Objectives

This chapter provides the results of research phase 2. The main purpose of this phase was to

identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs,

previously unidentified. This was in response to the second research question of this study,

RQ2: “Which IT governance practices are relevant to PakPSOs?” This was achieved by

identifying IT governance CSFs through systematic literature review complemented with

multi-case study in the selected eight PakPSOs. The detailed methodology and research

process of this phase is given in section 3.3.2 of chapter 3. The results indicated that 12 IT

governance practices in terms of CSFs were found to be relevant to PakPSOs. The rest of the

chapter proceeds as follows. In the second section, the results of systematic literature review

are presented. In the third section, IT governance practices are operationalised in PakPSOs.

The fourth section describes the categorization of identified IT governance practices.

The discussion is presented in the fifth section. The conclusion is given in the sixth section. The last section

provides the summary of important points of this chapter.

5.2 Results of Systematic Literature Review

5.2.1 Accepted CSFs Related Articles

A total of 55 CSFs related articles were identified from the relevant literature based on the

criteria provided in stages 1 & 2 of section 3.3.2.3. Subsequently, the identified articles were

carefully reviewed based on the quality criteria described in stage 4 of section 3.3.2.3. As a

result, 18 CSFs related articles were found to be more relevant and hence accepted for this

study. Table 5.1 shows the accepted CSFs related articles.


Table 5.1: The accepted CSFs related articles

| Title | No. of CSFs | Author(s) (Year) | Journal/Conference/Website |
|---|---|---|---|
| Enablers and Inhibitors of Business-IT Alignment | 6 | Luftman et al. (1999) | Communications of the Association for Information Systems |
| Critical Success Factors in the Alignment of IS Plans with Business Plans | 18 | Teo and Ang (1999) | International Journal of Information Management |
| Designing Information Technology Governance Processes: Diagnosing Contemporary Practices and Competing Theories | 4 | Ribbers et al. (2002) | Proceedings of the 35th Hawaii International Conference on System Sciences |
| Board Briefing on IT Governance | 11 | ITGI (2003) | https://www.oecd.org/site/ictworkshops/year/2006/37599342.pdf |
| Key Success Factors for Implementing IT Governance: Let's Not Wait for Regulators to Tell Us What to Do | 5 | Guldentops (2004) | Information Systems Control Journal |
| Don't Just Lead, Govern: How Top-Performing Firms Govern IT | 8 | Weill (2004) | MIS Quarterly Executive |
| IT Governance in Practice: Insight from Leading CIOs | 6 | PwC and ITGI (2006) | http://www.pwc.com/ca/en/technology/publications/it-governance-in-practice-2006-en.pdf |
| Implementing Centralized IT Service Management: Drawing Lessons from the Public Sector | 10 | Tan et al. (2007) | 18th Australasian Conference on Information Systems |
| Enhancing IT Governance Practices: A Model and Case Study of an Organization's Efforts | 4 | Bowen et al. (2007) | International Journal of Accounting Information Systems |
| An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research | 10 | De Haes and Van Grembergen (2008) | Communications of the Association for Information Systems |
| Establishing Good IT Governance in the Public Sector | 5 | Hoch and Payan (2008) | http://www.mckinsey.de/downloads/publikation/transforming_government/2008/0803_TG_it_governance.pdf |
| Justifications, strategies, and critical success factors in successful ITIL implementations in U.S. and Australian companies: An exploratory study | 9 | Pollard and Cater-Steel (2009) | Information Systems Management |
| Critical Success Factors for Effective IT Governance in the Public Sector Organizations in a Developing Country: The Case of Tanzania | 11 | Nfuka and Rusu (2010) | 18th European Conference on Information Systems |
| Critical Success Factors in IT Alignment in Public Sector Petroleum Industry of India | 9 | Aggarwal (2010) | International Journal of Innovation, Management and Technology |
| Critical Success Factors for ITIL Best Practices Usage | 12 | Nenickova (2011) | Economics and Management |
| Critical Success Factors for Business – IT Alignment: A Review of Current Research | 10 | Kurti et al. (2013) | Romanian Economic and Business Review |
| The Critical Success Factors for Effective ICT Governance in Malaysian Public Sector: A Delphi Study | 27 | Razak and Zakaria (2014) | International Journal of Social, Behavioral, Educational, Economic, Business and Industrial Engineering |
| Critical success factors (CSFs) for information technology governance (ITG) | 15 | Alreemy et al. (2016) | International Journal of Information Management |


5.2.2 Harmonization of CSFs from the Accepted Articles

The CSFs in the 18 finalized papers were logically harmonized based on the criteria provided

in stage 4 of section 3.3.2.3. This resulted in a list of 23 CSFs. Table 5.2 shows the list of 23

CSFs with their reference studies from which these have been extracted.


Table 5.2: Harmonization of CSFs from the accepted articles

Columns (articles, in order): Alreemy et al. (2016); Razak and Zakaria (2014); Kurti et al. (2013); Nenickova (2011); Aggarwal (2010); Nfuka and Rusu (2010); Pollard and Cater-Steel (2009); Hoch and Payan (2008); De Haes and Van Grembergen (2008); Bowen et al. (2007); Tan et al. (2007); PwC and ITGI (2006); Weill (2004); Guldentops (2004); ITGI (2003); Ribbers et al. (2002); Teo and Ang (1999); Luftman et al. (1999)

| CSF | Articles in which the factor is present |
|---|---|
| Top management support | X X X X X X X X X X |
| Alignment between IT and business strategy | X X X X X X X X |
| IT demonstrates leadership | X X X X X X X X X |
| Adequate stakeholders involvement | X X X X X X X |
| Effective communication between IT and business | X X X X X X X X X |
| Regulatory environment and compliance requirements | X X X |
| Existing governance and transparency | X X X X X |
| Organizational culture | X X |
| Financial support | X X |
| Adequate IT skills and staff | X X X X X X X X |
| Performance measurement and aligned incentives | X X X X X X X X X X X |
| Change management and exception handling | X X X X X X X |
| Well prioritized IT Projects | X X X X |
| Clear IT strategy, principles & policies | X X X X X X X X X |
| Clear roles and responsibilities | X X X |
| IT governance awareness and understanding | X X X X X |
| IT structures to ensure accountability and flexibility to the IT organizational needs | X X X X X X X X X X X |
| Risk identification and mitigation process | X X X |
| Standardized and managed IT infrastructure & applications to optimize costs and information flow | X X X X X X X |
| IT skills and knowledge of business executives/personnel | X X X X X |
| Business skills and knowledge of IT executives/personnel | X X X X |
| Mutual trust and respect between business and IT executives/personnel | X X X |
| Shared understanding between business and IT executives/personnel | X X X X |

Note: an “X” indicates that the factor is present in the mentioned article


5.3 Operationalization of CSFs in PakPSOs

5.3.1 Distribution of the Respondents in the Eight Studied PakPSOs

The researcher visited eight PakPSOs. A total of 18 senior managers participated in the

interview process. The respondents were mainly heads of IT and business units, directors and

deputy directors of IT and business. Both IT and business management personnel were

among the respondents which provided triangulation i.e. use of data from multiple sources to

increase confidence in the results. The distribution of the respondents in each studied

organization is shown in Table 5.3. A total of 10 IT management and 8 business management

personnel participated from the eight studied PakPSOs.

Table 5.3: Distribution of the respondents in the eight studied PakPSOs

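| | Org. A | Org. B | Org. C | Org. D | Org. E | Org. F | Org. G | Org. H | Total |
|---|---|---|---|---|---|---|---|---|---|
| IT Management | 2 | 2 | 1 | 1 | 1 | 1 | 1 | 1 | 10 |
| Business Management | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 8 |
| Total | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 2 | 18 |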

5.3.2 Quantitative Response

The results of the quantitative response of the interviewees are shown in Figure 5.1. It shows

that 16 practices had scores equal to or above 80 percent which made them critical in this

environment. The rest of the practices had scores below 80 percent, which made them less critical. Therefore, these practices were dropped. The results also show that the practice “IT demonstrates leadership”, with a score of 95 percent, is at the top of the list, followed by “effective communication between IT and business” with a score of 94 percent and “adequate stakeholder involvement” with a score of 93 percent. However, the practice “shared understanding between business and IT executives and personnel”, with a score of 81 percent, is at the bottom of the list. Seven practices showed scores of less than 80 percent, which means the majority of the respondents were not in favor of considering these practices CSFs


and hence these practices were dropped from the study. One possible reason might be the fact

that these practices are not relevant to PakPSOs or not implemented in this environment.

Figure 5.1: IT governance practices based on the quantitative response of the interviewees in the eight studied PakPSOs

| IT governance practice | Score (%) |
|---|---|
| Business skills and knowledge of IT executives/personnel | 81 |
| Shared understanding between business and IT executives/personnel | 81 |
| Regulatory environment and compliance requirements | 82 |
| Well prioritized IT projects | 83 |
| IT structures to ensure accountability and flexibility to the IT organizational needs | 83 |
| Risk identification and mitigation process | 85 |
| Clear IT strategy, principles & policies | 86 |
| Adequate IT skills and staff | 88 |
| Alignment between IT and business strategy | 90 |
| Standardized and managed IT infrastructure & applications to optimize costs and … | 90 |
| IT governance awareness and understanding | 91 |
| Top management support | 91 |
| Performance measurement and aligned incentives | 92 |
| Adequate stakeholders involvement | 93 |
| Effective communication between IT and business | 94 |
| IT demonstrates leadership | 95 |


5.3.3 Qualitative Response

The qualitative response of the interviewees was then sought through face-to-face interviews

on the IT governance practices list of Figure 5.1. The analysis was made through content

analysis. After the process, three practices were dropped from the list, two were merged into a

new one and 11 were adjusted/updated as per their contextual arrangements. Here is a brief

description of the interviewees' responses.

One of the respondents responded that “the practice ‘IT demonstrates leadership’ should be

updated by ‘IT leadership’. In this way, the term becomes more understandable and

self-explanatory in our environment. In our organization, this practice is more crucial due to

bureaucratic environment and lack of IT knowledge and understanding of IT contribution by

the top civil servants. I think ‘IT leadership’ matters much in our organizational setting and

we have gained a lot due to our new IT leadership”. A similar response was given by

another respondent. Three more respondents declared this practice useful in their

organizational settings.

Three respondents expressed their concerns that the practices “effective communication between

IT and business” and “shared understanding between business and IT executives/personnel” seem to

be identical or at least their purpose seems to be identical. Therefore, these practices were merged into

a new one named “IT/business communication and partnership” and same was approved by the said

respondents. Majority of the respondents declared this practice extremely crucial in their business

settings.

One respondent argued that “the practice ‘adequate stakeholders involvement’ should be updated by

‘engagement of key stakeholders’ because there are numerous stakeholders in public sector and it is

almost impossible to involve all of these stakeholders. Moreover, their engagement is more important than

involvement”. This was also verified by another respondent. Almost all of the respondents declared

this practice inevitable for success of IT in their respective organizations and same was confirmed by

their archival records.

One of the heads of business said that “the practice ‘performance measurement and aligned incentives’ is not suitable because there is no concept of providing incentives like promotions and increments in salaries on performance basis in PakPSOs as per Constitution rather it is on seniority basis. So, incentive is a broad and confusing word. The practice should be like this ‘performance measures and benchmarks’”. However, he confirmed that this practice is very important for the success of IT in his organization. Three more respondents also confirmed the presence of this practice in their respective organizations, which was also verified by their archival records.

The practice “IT governance awareness and understanding” was replaced by “IT governance

awareness and training” on the intimation of one of the respondents. However, only two

respondents confirmed the presence of this practice in their respective organizations. The

same was evident from their archival records.

One of the heads of IT said “not only „top management support‟ is critical but their active

involvement in IT-related matters is also important for success”. He suggested that this

practice should be like this “senior management involvement and support”. He agreed that

without this practice, their IT initiatives could not be materialized. This was also confirmed

by three more respondents.

One of the respondents replied to the interviewer that the practice “alignment between IT and business strategy” should be replaced by “defined, aligned and cascaded IT and business strategies” because some of the PakPSOs do not even have an IT strategy, and those that have one do not communicate it down the organization. However, he said that this practice is active in his organization, which was also confirmed by the archival records of the organization. Four more respondents confirmed that this practice is exercised in their respective organizations.

One of the IT directors suggested that “the practice ‘standardized and managed IT infrastructure & applications to optimize costs and information flow’ should be restricted up to ‘standardized and managed IT infrastructure & applications’ because the purpose of this practice is obvious which is to optimize costs and information flow. Therefore, there is no need to explain it further”. He also confirmed that his organization is striving for this practice. Three more respondents revealed that their organizations are also very keen to focus on this practice.

The majority of the respondents declared that the practice “adequate IT skills and staff” is a need of the hour in their respective organizations. One of the respondents added that retaining IT skills and staff is an inherent problem in the government sector due to good salaries in the private sector. He further added that although cloud computing has solved the issue of IT services and support to some extent, PakPSOs are still in the early stages in this regard. Another respondent suggested that the practice should be named “competitive IT professionals” to give the term a clearer meaning. Therefore, the practice was replaced by “competitive IT professionals”.

Many respondents raised concerns about the name of the practice “clear IT strategy, principles & policies”. They agreed that the name of the practice should be “policies and guidelines for optimal acquisition and use of IT”. However, all respondents confirmed the presence of this practice in their respective organizations, which was also evident from their archival records. All PakPSOs follow Public Procurement Regulatory Authority (PPRA) guidelines for this purpose.

One of the respondents argued that the practice “risk identification and mitigation process” should be updated by “risk identification and mitigation mechanism” because this practice is hardly implemented in PakPSOs in the form of a proper process. However, he confirmed the presence of this mechanism in his organization, which was also verified from the archival records of his organization. Two more respondents confirmed this practice in their respective organizations to some extent.

The practice “IT structures to ensure accountability and flexibility to the IT organizational

needs” was updated by “IT structures for responsiveness and accountability” on the

suggestion of one of the respondents. Five respondents were satisfied by the existing IT

structures in their respective organizations but three were unsatisfied. However, all the

respondents agreed that this practice is crucial for implementing effective IT governance in

PakPSOs.

No respondent confirmed the presence of “well prioritized IT projects”, “business skills and knowledge of IT executives/personnel” and “regulatory environment and compliance requirements” in their respective organizations or declared them crucial for implementing IT governance in their operating environment. It is worth mentioning that no new practice emerged in PakPSOs because the specific practices in some of the PakPSOs also fall under the aforesaid studied practices. However, PakPSOs use these practices under different names. The summarized qualitative response of the interviewees after content analysis is shown in Table 5.4.

Table 5.4: The summarized qualitative response of the interviewees

| Contextualized practice | No. of studied PakPSOs in which the practice is implemented |
|---|---|
| IT leadership | 5 (B, C, D, F, H) |
| IT/business communication and partnership | 6 (A, B, C, F, G, H) |
| Engagement of key stakeholders | 7 (A, B, C, D, F, G, H) |
| Performance measures and benchmarks | 4 (B, C, D, F) |
| IT governance awareness and training | 2 (B, H) |
| Senior management involvement and support | 4 (A, B, E, G) |
| Defined, aligned and cascaded IT and business strategies | 5 (A, B, D, E, H) |
| Standardized and managed IT infrastructure & applications | 4 (B, C, D, E) |
| Competitive IT professionals | 6 (A, B, D, E, F, H) |
| Policies and guidelines for optimal acquisition and use of IT | 8 (A, B, C, D, E, F, G, H) |
| Risk identification and mitigation mechanism | 3 (B, E, G) |
| IT structures for responsiveness and accountability | 5 (A, B, D, E, F) |

5.4 Classification of the Identified IT Governance Practices

After a comprehensive literature review, the researcher found many categorization schemes for arranging CSFs. The simplest schemes contained only two dimensions, i.e. internal and external (Zahedi, 1987), qualitative and quantitative (Keen & Scott Morton, 1978), and controllable and uncontrollable (Ein-Dor & Segev, 1978). Some researchers then extended the two-dimensional scheme into three-dimensional schemes, i.e. quality of implementation, user-system fit and organizational fit (Ginzberg, 1980), and inherent, developmental and functional (Dickinson et al., 1984). Later on, more complex categorization schemes were introduced by other researchers, i.e. system, task, user and environment factors (Liang, 1986), and information system, task characteristics, decision maker and organizational context (Lee, 1989). However, Nfuka and Rusu (2010) categorized the CSFs for effective IT governance into five focus areas of ITGI (2007), adopting a holistic approach, which are: strategic alignment, value delivery, risk management, resource management, and performance measurement. Moreover, Schlosser et al. (2012) introduced three dimensions of IT-business alignment which are: human, social, and intellectual. The human perspective deals with the characteristics of individuals such as knowledge, skills, leadership and attitude. The social perspective deals with relational, informal and cultural aspects. The intellectual perspective deals with the end products and deliverables resulting from the work of individuals and groups of people.

This study adopts the categorization schemes of Nfuka and Rusu (2013) and Schlosser et al.

(2012) simultaneously. The practices (CSFs) of this study are arranged in such a way that on

one hand they cover the five focus areas of ITGI (2007) and on the other hand they cover the

three IT-business alignment perspectives described by Schlosser et al. (2012). In this way, the

practices provide a holistic view of IT governance. The arrangement of practices in five focus

areas of IT governance and three perspectives of IT-business alignment is shown in Table

5.5.

Table 5.5: Classification of the identified practices into five focus areas and three perspectives of IT-business alignment

| IT governance focus area | Human perspective | Social perspective | Intellectual perspective |
|---|---|---|---|
| Strategic alignment | IT leadership; Senior management involvement and support | IT/business communication and partnership; Engagement of key stakeholders | Defined, aligned and cascaded IT and business strategies; IT structures for responsiveness and accountability |
| Value delivery & risk management | | | Policies and guidelines for optimal acquisition and use of IT; Risk identification and mitigation mechanism |
| Resource management | IT governance awareness and training; Competitive IT professionals | | Standardized and managed IT infrastructure and applications |
| Performance measurement | | | Performance measures and benchmarks |

5.5 Discussion

The identified 12 IT governance practices in PakPSOs are discussed along three IT-business

alignment perspectives i.e. human, social and intellectual perspectives.

5.5.1 Practices Related to Human Perspective

IT Leadership

This practice scored 95 percent in the quantitative response, which indicates that the practice is vital in the study environment. The qualitative response also showed that the practice is crucial and exercised in five PakPSOs. De Haes and Van Grembergen (2008) placed this practice among the top 10 minimum baseline practices for effective IT governance. The practice is crucial to lead IT and manage transformation programs. Among many other things, IT leadership looks into the potential and contribution of IT and demonstrates a viable IT value proposition to the executive management and politicians.

Senior Management Involvement and Support

The respondents gave this practice a 91 percent score in the quantitative response, which indicates its importance in the study environment. This is also supported by the qualitative response, where the practice was declared essential and exercised in four studied PakPSOs. The use of this practice is also supported by many previous studies (Alqahtani, 2017; Nfuka & Rusu, 2010; Tan et al., 2009; Ndou, 2004). The need is even greater in the context of developing countries, which requires strong political support for strategic use and management of IT (Nfuka & Rusu, 2010). Tan et al. (2009) argued that top management commitment and practices also get a great deal of attention among users.

IT Governance Awareness and Training

This practice gained a 91 percent score in the quantitative response. The qualitative response also pointed to its importance in the study environment. However, this practice is exercised in only two of the studied PakPSOs, which indicates the urgent need for provision of IT governance awareness and training in this environment. PakPSOs should focus on this practice to achieve success. The practice is also supported by the study of Nfuka and Rusu (2010), where it is referred to as the mindset change and competency improvement.

Competitive IT Professionals

The respondents gave this practice an 88 percent score in the quantitative response and agreed on its importance in the qualitative response as well. The results indicated that this practice is exercised in six PakPSOs. This practice is also supported by the study of Peterson (2004), where it is referred to as the engine of innovation, optimization and performance.

5.5.2 Practices Related to Social Perspective

IT/business Communication and Partnership

This practice acquired a 94 percent score in the quantitative response and its criticality was also confirmed in the qualitative response. The results indicated that the practice is vital in the study environment and is exercised in six PakPSOs. This practice is also supported and declared crucial and imperative by Luftman et al. (1999).

Engagement of Key Stakeholders

This practice scored 93 percent in the quantitative response and was also declared imperative in the qualitative response in the study environment. The results revealed that the practice is exercised in seven studied PakPSOs. The need for this practice is even greater in PSOs than in their private counterparts due to the presence of numerous stakeholders with competing needs (Dawes et al., 2004).

5.5.3 Practices Related to Intellectual Perspective

Defined, Aligned and Cascaded IT and Business Strategies

This practice acquired 90 percent score in the quantitative response which indicates its

importance in this environment. The results of qualitative response showed that the practice is

crucial and exercised in five PakPSOs. It is also supported by a previous study (Nfuka &

Rusu, 2011) which revealed that defined, aligned and well-communicated IT and business

strategies down into the organization have positive effect on successful IT governance

implementation.

IT Structures for Responsiveness and Accountability

IT structure refers to the presence of responsible functions and clear roles & responsibilities

for IT decision-making (De Haes & Van Grembergen, 2006). This practice showed 83

percent score in the quantitative response which indicates its criticality in the study

environment. The results of qualitative response also showed that the practice is crucial and

exercised in five PakPSOs.

Risk Identification and Mitigation Mechanism

This practice involves analyzing and assessing IT risks, monitoring the efficiency of internal controls and implementing necessary mechanisms to minimize risks. The respondents gave this practice an 85 percent score in the quantitative response, which shows its importance in the study environment. However, the qualitative response showed that although the practice is crucial, it is exercised in only three PakPSOs. This shows that PakPSOs are weak in identifying and mitigating risks. PakPSOs should improve this area for better results regarding successful implementation of effective IT governance.

Policies and Guidelines for Optimal Acquisition and Use of IT

This practice gained an 86 percent score in the quantitative response and its criticality was also established in the qualitative response in the study environment. The results indicated that this practice is exercised in all of the studied PakPSOs. The same is reflected in another study by Weill (2004), in which he argued that this practice is crucial to institute and enforce best practices throughout the organization for clear processes, methods and frameworks to encourage desirable behavior and create and preserve optimal value of IT.

Standardized and Managed IT Infrastructure & Applications

This practice showed 90 percent score in the quantitative response which indicates that the

practice is vital in the study environment. The results of qualitative response also showed that

the practice is crucial and exercised in four PakPSOs. This practice is also declared

imperative by Peterson (2004) who argued that the provision and management of a

standardized and reliable IT infrastructure and applications lead towards successful IT

governance implementation.

Performance Measures and Benchmarks

This practice gained 92 percent score in the quantitative response which revealed its

importance in implementing effective IT governance in the study environment. Moreover, the

qualitative response showed that the practice is imperative and exercised in four PakPSOs.

This practice is considered as an integral part of effective IT governance (Weill, 2004).

Among other things, this practice deals with the performance of processes, resources and

public service delivery. One way to implement this practice is the use of BSC.

5.6 Conclusion

The objective of research phase 2 was “To identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs”. This was achieved by identifying and analyzing IT governance practices in terms of CSFs relevant to PakPSOs through a systematic literature review complemented with a multi-case study in the selected eight PakPSOs. A total of 55 research articles were reviewed, of which 18 were found to meet the study’s quality criteria and hence were accepted. The CSFs of the accepted articles were logically harmonized into a list of 23 CSFs. Further, the list of 23 CSFs was operationalised in the eight selected PakPSOs through case study research. After the data analysis, it was found that the studied PakPSOs mainly exercise 12 CSFs in their operating environment. Specific practices with different names in some of the studied PakPSOs also fall under these 12 CSFs. The finalized set of CSFs was then categorized into five focus areas of IT governance, i.e. strategic alignment, value delivery, risk management, resource management and performance measurement, and three perspectives of IT-business alignment, i.e. human, social and intellectual perspectives, to provide a holistic view of IT governance. The results indicated that the majority of the practices fall under the strategic alignment focus area of IT governance and the intellectual perspective of IT-business alignment. This shows that PakPSOs have more concerns in these areas. This research phase sheds light on contextualized practices for implementing effective IT governance in PakPSOs. The results indicated that all of the studied PakPSOs exercise these practices or a set of these practices in their operating environment and consider these practices effective for success of IT. The results also revealed that the identified CSFs are slightly different from those in the existing studies, i.e. studies in developed countries and the private sector. This shows that IT governance is a contextual phenomenon. This helped to achieve the second research objective of this study, i.e. RO2: “To identify and analyze the relevant IT governance practices in PakPSOs in terms of CSFs”.

This research phase also contributes to practice and the existing body of knowledge in several ways. Public managers in PakPSOs and similar environments can use the results of this study to recognize critical areas where focus can be given for success. Ultimately, they can invest their resources and time to improve areas which are central to organizational success and successful public service delivery. Theoretically, the study has broadened the scope of IT governance practices in terms of CSFs in the PSOs of a developing country. The study was restricted to one country and eight organizations. Future researchers can extend it to more countries and more organizations to enhance the replicability of results. Moreover, they can test and analyze the effect of these practices on their specific IT outcomes, i.e. desirable behavior.

5.7 Chapter Summary

In this chapter, the results of research phase 2 with discussion and conclusion have been

provided in detail. The summary of important points of this chapter is as under:

• 23 IT governance practices in terms of CSFs from the relevant literature have been operationalised and validated in eight PakPSOs.

• 12 IT governance practices, with some modifications, were found to be relevant to PakPSOs.

• The practice “Policies and guidelines for optimal acquisition and use of IT” is vital for and exercised in all of the studied PakPSOs.

• The practice “Risk identification and mitigation mechanism” is vital for but exercised in only three studied PakPSOs.

• Specific IT governance practices in PakPSOs are exercised with different names. However, each of these practices falls under one of the studied practices.

• The identified practices can be categorized into five focus areas of IT governance, i.e. strategic alignment, value delivery, risk management, resource management and performance measurement, and three perspectives of IT-business alignment, i.e. human, social and intellectual perspectives.

• Categorization of practices into IT governance focus areas and IT-business alignment perspectives provides a holistic view of IT governance.

• Six practices belong to strategic alignment and human, social and intellectual perspectives.

• Two practices belong to value delivery & risk management and intellectual perspective.

• Three practices belong to resource management and human perspective whereas one belongs to resource management and intellectual perspective.

• One practice belongs to performance measurement and intellectual perspective.

• Public managers in PakPSOs and similar environments can use the results of this study to recognize critical areas where focus can be given for success.

6 Effect of IT Governance Practices on IT Outcomes in Public Sector Organizations of Pakistan

6.1 Chapter Objectives

This chapter presents the results of research phase 3. The main purpose of this phase was to test and analyze the effect of relevant IT governance practices in terms of CSFs on IT outcomes in terms of task, organizational and public outcomes of strategic IT projects in PakPSOs. This was in response to the third research question of this study, RQ3: “What is the effect of relevant IT governance practices on IT outcomes in PakPSOs?” This was achieved by developing a research model based on the CSFs identified in research phase 2 and applying PLS-based structural equation modeling using sample data from PakPSOs. The detailed methodology and research process of this phase are given in section 3.3.2 of chapter 3. The results indicated that the identified practices have a small to moderate effect on IT projects’ outcomes. The practice “IT/business communication and partnership” was found to be the most effective whereas the practice “IT structures for responsiveness and accountability” proved to be the least effective. The rest of the chapter proceeds as follows. In the second section, results are presented. In the third section, the results are discussed. The conclusion is provided in the fourth section. The last section provides a summary of the important points of this chapter.

6.2 Results

6.2.1 Sample Characteristics

A total of 104 completed questionnaires were returned by the respondents out of 200 sent out. This also included those that were received after sending two reminders to the non-respondents of the first and second rounds. The response rate is therefore 52 percent. The distribution of respondents based on their role, experience and qualification is given in Table 6.1. It shows that 18 were senior IT executives, 30 were Directors/Deputy Directors (IT), 40 were Project Directors/Managers/Coordinators and 16 were key project users. Table 6.1 also shows the respondents’ experience in using and managing IT, which was above five years on average, and their familiarity with IT governance, which was at level four on a five-point Likert scale. As far as the academic qualification of the respondents is concerned, 66 held a master degree, 30 had a bachelor degree and 8 were below the bachelor degree. Non-response bias was tested by comparing early and late responses against key sample characteristics, i.e. respondents’ demographics (academic qualification, role in the organization, experience in managing IT and IT projects, and familiarity with IT governance). The results indicated no significant differences.

Table 6.1: Sample characteristics

| Characteristic | Frequency | Percentage |
|---|---|---|
| Role in organization (n=104) | | |
| Senior IT executives | 18 | 17.30 |
| Directors/Deputy Directors (IT) | 30 | 28.85 |
| Project Directors/Managers/Coordinators | 40 | 38.46 |
| Key project users | 16 | 15.39 |
| Experience* | Median | |
| Experience of managing IT in general | 5 | |
| Experience of managing IT projects | 5 | |
| Familiarity with ITG | 4 | |
| Qualification | | |
| Master degree | 66 | |
| Bachelor degree | 30 | |
| Others | 8 | |

* On a five-point Likert scale (1 – not at all, 5 – beyond five years); (1 – not at all, 5 – to a great extent).

6.2.2 Testing the Measurement Model

The measurement model was tested through convergent and discriminant validity. Convergent validity is tested through indicator reliability (item loading), internal consistency reliability (composite reliability), AVE, Cronbach’s alpha coefficient and the t-value of the outer loading. Table 6.2 shows the values of these measurements that emerged from the data. The lowest item loading is 0.638, which is above the minimum required value of 0.4 (Hair et al., 2006). The composite reliability is in the range 0.818-0.952, AVE is in the range 0.531-0.848 and Cronbach’s alpha is in the range 0.718-0.937, all of which are above the minimum thresholds of 0.5, 0.5 and 0.7 respectively (Gefen & Straub, 2005). The t-values of the outer loadings for all indicators are also greater than 1.96 at the 5% significance level.

Discriminant validity was tested in two steps. In the first step, the cross loadings of the items on other constructs were examined. Discriminant validity is established when the items’ cross loadings are lower than the loadings on their own constructs (Gefen & Straub, 2005). In our case, the cross loadings were lower than the loadings on their own constructs, as given in Appendix-X. In the second step, discriminant validity was tested through the criterion provided by Fornell and Larcker (1981), i.e. the square root of the AVE of a construct is ≥ its correlations with the other constructs. Table 6.3 shows that discriminant validity was established because the square root of the AVE of each construct was greater than the corresponding inter-correlations.

Table 6.2: Measurement of constructs and indicators (with reliabilities)

| Latent construct | Indicator | Factor loading (t-value) | Composite reliability | AVE | Cronbach’s alpha |
|---|---|---|---|---|---|
| V1 (3 items) | V1.1 | 0.892 (89.897) | 0.911 | 0.774 | 0.854 |
| | V1.2 | 0.907 (89.335) | | | |
| | V1.3 | 0.838 (36.897) | | | |
| V2 (4 items) | V2.1 | 0.740 (17.745) | 0.854 | 0.593 | 0.777 |
| | V2.2 | 0.785 (37.693) | | | |
| | V2.3 | 0.782 (26.008) | | | |
| | V2.4 | 0.774 (31.081) | | | |
| V3 (5 items) | V3.1 | 0.904 (77.892) | 0.946 | 0.777 | 0.929 |
| | V3.2 | 0.880 (59.872) | | | |
| | V3.3 | 0.878 (57.016) | | | |
| | V3.4 | 0.863 (49.701) | | | |
| | V3.5 | 0.882 (57.725) | | | |
| V4 (3 items) | V4.1 | 0.918 (108.453) | 0.941 | 0.842 | 0.907 |
| | V4.2 | 0.920 (99.258) | | | |
| | V4.3 | 0.915 (88.766) | | | |
| V5 (5 items) | V5.1 | 0.912 (93.543) | 0.951 | 0.795 | 0.936 |
| | V5.2 | 0.880 (62.578) | | | |
| | V5.3 | 0.883 (67.285) | | | |
| | V5.4 | 0.882 (66.569) | | | |
| | V5.5 | 0.902 (73.700) | | | |
| V6 (5 items) | V6.1 | 0.898 (72.025) | 0.950 | 0.791 | 0.934 |
| | V6.2 | 0.885 (51.946) | | | |
| | V6.3 | 0.892 (46.904) | | | |
| | V6.4 | 0.908 (78.937) | | | |
| | V6.5 | 0.865 (45.072) | | | |
| V7 (5 items) | V7.1 | 0.916 (88.251) | 0.952 | 0.799 | 0.937 |
| | V7.2 | 0.889 (68.767) | | | |
| | V7.3 | 0.876 (61.672) | | | |
| | V7.4 | 0.884 (68.158) | | | |
| | V7.5 | 0.902 (81.334) | | | |
| V8 (3 items) | V8.1 | 0.886 (76.048) | 0.911 | 0.774 | 0.854 |
| | V8.2 | 0.885 (57.282) | | | |
| | V8.3 | 0.868 (49.730) | | | |
| V9 (3 items) | V9.1 | 0.923 (102.718) | 0.926 | 0.806 | 0.879 |
| | V9.2 | 0.894 (75.511) | | | |
| | V9.3 | 0.875 (63.872) | | | |
| V10 (3 items) | V10.1 | 0.914 (91.550) | 0.944 | 0.848 | 0.911 |
| | V10.2 | 0.928 (101.355) | | | |
| | V10.3 | 0.921 (113.733) | | | |
| V11 (3 items) | V11.1 | 0.896 (68.887) | 0.908 | 0.767 | 0.848 |
| | V11.2 | 0.876 (77.528) | | | |
| | V11.3 | 0.854 (47.999) | | | |
| V12 (4 items) | V12.1 | 0.692 (17.620) | 0.818 | 0.531 | 0.718 |
| | V12.2 | 0.638 (11.524) | | | |
| | V12.3 | 0.772 (17.240) | | | |
| | V12.4 | 0.800 (21.692) | | | |
| Task outcomes (7 items) | TO1 | 0.716 (17.191) | 0.890 | 0.536 | 0.856 |
| | TO2 | 0.739 (23.849) | | | |
| | TO3 | 0.751 (26.503) | | | |
| | TO4 | 0.780 (30.314) | | | |
| | TO5 | 0.733 (19.263) | | | |
| | TO6 | 0.732 (19.287) | | | |
| | TO7 | 0.671 (15.142) | | | |
| Organizational outcomes (6 items) | OO1 | 0.755 (21.151) | 0.912 | 0.635 | 0.884 |
| | OO2 | 0.821 (34.546) | | | |
| | OO3 | 0.819 (32.449) | | | |
| | OO4 | 0.864 (50.963) | | | |
| | OO5 | 0.809 (29.338) | | | |
| | OO6 | 0.704 (16.413) | | | |
| Public outcomes (5 items) | PO1 | 0.709 (17.475) | 0.885 | 0.607 | 0.836 |
| | PO2 | 0.757 (23.575) | | | |
| | PO3 | 0.856 (42.450) | | | |
| | PO4 | 0.796 (32.002) | | | |
| | PO5 | 0.756 (23.109) | | | |
| Criteria | | Loading > 0.40; t > 1.96 at 5% significance level | > 0.50 | > 0.50 | > 0.70 |

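Table 6.3: Inter-correlation of constructs and the corresponding square root of AVE

| | V1 | V2 | V3 | V4 | V5 | V6 | V7 | V8 | V9 | V10 | V11 | V12 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| V1 | 0.880 | | | | | | | | | | | |
| V2 | 0.581 | 0.770 | | | | | | | | | | |
| V3 | 0.217 | 0.425 | 0.881 | | | | | | | | | |
| V4 | 0.655 | 0.603 | 0.358 | 0.918 | | | | | | | | |
| V5 | 0.431 | 0.482 | 0.359 | 0.470 | 0.892 | | | | | | | |
| V6 | 0.333 | 0.346 | 0.121 | 0.434 | 0.412 | 0.889 | | | | | | |
| V7 | 0.390 | 0.396 | 0.189 | 0.508 | 0.366 | 0.253 | 0.894 | | | | | |
| V8 | 0.506 | 0.546 | 0.290 | 0.611 | 0.503 | 0.378 | 0.511 | 0.880 | | | | |
| V9 | 0.524 | 0.576 | 0.438 | 0.622 | 0.490 | 0.450 | 0.549 | 0.530 | 0.898 | | | |
| V10 | 0.528 | 0.557 | 0.575 | 0.613 | 0.451 | 0.356 | 0.479 | 0.537 | 0.591 | 0.921 | | |
| V11 | 0.503 | 0.531 | 0.419 | 0.606 | 0.612 | 0.494 | 0.505 | 0.600 | 0.638 | 0.563 | 0.876 | |
| V12 | 0.565 | 0.502 | 0.265 | 0.528 | 0.421 | 0.567 | 0.336 | 0.344 | 0.486 | 0.433 | 0.458 | 0.729 |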
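
The convergent and discriminant validity checks of section 6.2.2, recomputed in Python as an added example; this is not the thesis's own computation. It assumes the standard formulas for AVE (mean squared loading) and composite reliability, which the text does not state; the function names are hypothetical, and the inputs are copied from Tables 6.2 and 6.3.

```python
"""Convergent and discriminant validity checks on values from Tables 6.2 and 6.3."""
from math import sqrt

# Outer loadings copied from Table 6.2 for three of the constructs.
LOADINGS = {
    "V1": [0.892, 0.907, 0.838],
    "V2": [0.740, 0.785, 0.782, 0.774],
    "V12": [0.692, 0.638, 0.772, 0.800],
}

NAMES = ["V%d" % i for i in range(1, 13)]

# Lower triangle of Table 6.3: diagonal entries are sqrt(AVE), the rest are
# inter-construct correlations.
TABLE_6_3 = [
    [0.880],
    [0.581, 0.770],
    [0.217, 0.425, 0.881],
    [0.655, 0.603, 0.358, 0.918],
    [0.431, 0.482, 0.359, 0.470, 0.892],
    [0.333, 0.346, 0.121, 0.434, 0.412, 0.889],
    [0.390, 0.396, 0.189, 0.508, 0.366, 0.253, 0.894],
    [0.506, 0.546, 0.290, 0.611, 0.503, 0.378, 0.511, 0.880],
    [0.524, 0.576, 0.438, 0.622, 0.490, 0.450, 0.549, 0.530, 0.898],
    [0.528, 0.557, 0.575, 0.613, 0.451, 0.356, 0.479, 0.537, 0.591, 0.921],
    [0.503, 0.531, 0.419, 0.606, 0.612, 0.494, 0.505, 0.600, 0.638, 0.563, 0.876],
    [0.565, 0.502, 0.265, 0.528, 0.421, 0.567, 0.336, 0.344, 0.486, 0.433, 0.458, 0.729],
]


def ave(loadings):
    """Average variance extracted: mean of the squared standardized loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def composite_reliability(loadings):
    """(sum of loadings)^2 / ((sum of loadings)^2 + sum of error variances)."""
    explained = sum(loadings) ** 2
    error = sum(1.0 - l * l for l in loadings)
    return explained / (explained + error)


def convergent_report(loadings_by_construct, min_loading=0.4, min_cr=0.5, min_ave=0.5):
    """Apply the loading, composite reliability and AVE thresholds of Table 6.2."""
    report = {}
    for name, loadings in loadings_by_construct.items():
        a, cr = ave(loadings), composite_reliability(loadings)
        report[name] = {
            "ave": a,
            "cr": cr,
            "sqrt_ave": sqrt(a),
            "passed": min(loadings) > min_loading and cr > min_cr and a > min_ave,
        }
    return report


def fornell_larcker_violations(names, lower):
    """Return (row, column, correlation) for every pair whose correlation
    exceeds the sqrt(AVE) of either construct in the pair."""
    if len(names) != len(lower) or any(len(r) != i + 1 for i, r in enumerate(lower)):
        raise ValueError("expected a lower-triangular matrix matching the names")
    violations = []
    for i, row in enumerate(lower):
        for j in range(i):
            r = abs(row[j])
            if r > lower[i][i] or r > lower[j][j]:
                violations.append((names[i], names[j], row[j]))
    return violations


if __name__ == "__main__":
    for name, r in convergent_report(LOADINGS).items():
        print(f"{name}: AVE={r['ave']:.3f} CR={r['cr']:.3f} "
              f"sqrt(AVE)={r['sqrt_ave']:.3f} passed={r['passed']}")
    print("Fornell-Larcker violations:", fornell_larcker_violations(NAMES, TABLE_6_3))
```

The recomputed values agree with Table 6.2 to within rounding of the published loadings (about 0.001), and the square roots of AVE match the diagonal of Table 6.3.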

6.2.3 Testing the Structural Model and Hypotheses

The structural model is used to test the hypotheses. It is tested through the variance explained (R²) and the path coefficients and their significance. We calculated the effect of 12 IT governance practices on task, organizational and public outcomes in one step instead of three separate steps. The variance (R²) and the strength and significance of path coefficients are shown in Table 6.4. As given in Table 6.4, 83.5 percent variance in task outcomes, 56.6 percent variance in organizational outcomes and 81.1 percent variance in public outcomes can be explained by the 12 IT governance practices, which are above the cutoff value of 50 percent (Hair et al., 2006). The path coefficient strength (γ) and significance (t-value) generated by Smart PLS bootstrapping with 5000 samples are given in Table 6.4.

The practice with the most positive effect is “IT/business communication and partnership”. It demonstrates positive support for all three success attributes, i.e. task outcomes (γ = 0.263, t = 6.049), organizational outcomes (γ = 0.211, t = 2.973) and public outcomes (γ = 0.315, t = 5.646). Therefore, H3a, H3b and H3c are supported. Two more practices with relatively higher positive effect are “engagement of key stakeholders” and “IT leadership”. The former indicates positive support for task outcomes (γ = 0.245, t = 5.363) and public outcomes (γ = 0.233, t = 4.678). Hence, H4a and H4c are supported. The latter also indicates positive support for task outcomes (γ = 0.244, t = 5.531) and public outcomes (γ = 0.249, t = 4.178). Therefore, H1a and H1c are also supported.

The practice “senior management involvement and support” indicates small positive support

for task outcomes (γ = 0.187, t = 4.247) but its higher significance shows its importance.

Hence, H2a is supported. However, “competitive IT professionals” indicates smallest support

for task outcomes (γ = 0.120, t = 2.622). Hence, H11a is weakly supported.

Moreover, the practices “defined, aligned and cascaded IT and business strategies” and

“policies and guidelines for optimal acquisition and use of IT” show positive support for

organizational outcomes (γ = 0.226, t = 3.397 and γ = 0.209, t = 4.170 respectively). In this

way, H5b and H7b are supported.

Furthermore, “IT structures for responsiveness and accountability”, “IT governance

awareness and training” and “performance measures and benchmarks” reveal small positive

support for organizational outcomes (γ = 0.162, t = 2.659, γ = 0.173, t = 2.174 and γ = 0.154,

t = 2.125 respectively). Hence, H6b, H10b and H12b are weakly supported.

The practice “standardized and managed IT infrastructure and applications” shows positive

support for public outcomes (γ = 0.256, t = 4.697). Therefore, H9c is supported. However,

“risk identification and mitigation mechanism” indicates no significant support for any of the

success attributes in the study environment.

Table 6.4: Strengths and significance of path coefficients

Task outcomes: R² = 0.835; Organizational outcomes: R² = 0.566; Public outcomes: R² = 0.811

| Constructs | Task: path coeff. (γ) | Task: t-value (t) | Task: hypothesis support | Organizational: path coeff. (γ) | Organizational: t-value (t) | Organizational: hypothesis support | Public: path coeff. (γ) | Public: t-value (t) | Public: hypothesis support |
|---|---|---|---|---|---|---|---|---|---|
| V1 | 0.244 | 5.531 | Supported | -0.028 | 0.378 | Not supported | 0.249 | 4.178 | Supported |
| V2 | 0.187 | 4.247 | Supported | -0.059 | 0.995 | Not supported | 0.034 | 0.876 | Not supported |
| V3 | 0.263 | 6.049 | Supported | 0.211 | 2.973 | Supported | 0.315 | 5.646 | Supported |
| V4 | 0.245 | 5.363 | Supported | 0.049 | 0.577 | Not supported | 0.233 | 4.678 | Supported |
| V5 | 0.023 | 0.535 | Not supported | 0.226 | 3.397 | Supported | 0.019 | 0.409 | Not supported |
| V6 | 0.097 | 2.448 | Not supported | 0.162 | 2.659 | Supported | 0.060 | 1.523 | Not supported |
| V7 | 0.057 | 1.582 | Not supported | 0.209 | 4.170 | Supported | 0.050 | 1.472 | Not supported |
| V8 | 0.067 | 1.445 | Not supported | -0.013 | 0.213 | Not supported | 0.076 | 1.737 | Not supported |
| V9 | 0.006 | 0.156 | Not supported | -0.049 | 0.823 | Not supported | 0.256 | 4.697 | Supported |
| V10 | -0.012 | 0.309 | Not supported | 0.173 | 2.174 | Supported | -0.033 | 0.578 | Not supported |
| V11 | 0.120 | 2.622 | Supported | 0.044 | 0.697 | Not supported | 0.019 | 0.510 | Not supported |
| V12 | -0.045 | 1.169 | Not supported | 0.154 | 2.125 | Supported | -0.063 | 1.262 | Not supported |

Note: Path coefficients (γ) ≥ 0.1 small support, ≥ 0.3 moderate support, ≥ 0.5 strong support (Cohen, 1988).

6.3 Discussion

The results presented in the previous section indicate that the majority of the studied IT

governance practices (11 out of 12) had a small to moderate effect on either task,

organizational and/or public outcomes. The practice “IT/business communication and

partnership” is the most important in the whole study. It showed positive effect on task,

organizational and public outcomes. This might be due to the fact that most PakPSOs have IT

project steering committees with a balanced representation of both business and IT personnel

besides a central IT steering committee at their respective planning sector organizations.

They have also newly established cross-training and communication mechanisms in place to

encourage this practice at employees’ level.

The practice “IT leadership” showed positive effect on task and public outcomes. However,

this practice showed no support for organizational outcomes. It means PakPSOs are still

lacking in providing leadership structures and related competencies for organizational

outcomes. One possible reason might be the fact that PSOs are usually weak in setting goals

and measuring performance at organizational level (Weill & Ross, 2004) and possibly IT

leadership in PakPSOs undertakes IT projects in isolation i.e. without properly aligning them

with organizational objectives.

The practice “senior management involvement and support” indicated positive effect on task

outcomes. This practice is also important because the role of senior management is crucial in

resource prioritization, provision of additional resources and support to the project in crisis.

The need is enlarged in the context of a developing country due to limited resources,

competing needs and strong political influence. However, this practice provided no support

for organizational and public outcomes which is a surprising result of this study.

The practice “engagement of key stakeholders” indicated positive effect on task and public

outcomes. This finding is consistent with stakeholder theory that emphasizes the need of

involving inside and outside stakeholders for success (Freeman, 1994). However, this

practice showed no effect on organizational outcomes in the study environment which shows

a major weakness of PakPSOs.

The practices “defined, aligned and cascaded IT and business strategies” and “IT structures

for responsiveness and accountability” indicated positive effect on organizational outcomes.

The former is consistent with the study of Bowen et al. (2007) in which this practice was found to

be an effective indicator for IT outcomes success. The latter is consistent with the study of De

Haes and Van Grembergen (2008) which highlights the need of IT structures for success.

However, these practices indicated no effect on task and public outcomes. One possible

reason might be the ineffectiveness and absence of IT strategies and policies in most of the

PakPSOs. The poor strategic alignment is another reason for this to happen.

Similarly, the practices “policies and guidelines for optimal acquisition and use of IT”, “IT

governance awareness and training” and “performance measures and benchmarks” showed

positive effect on organizational outcomes. However, these practices indicated no effect on

task and public outcomes. This indicates that these practices are more important for

organizational context and should be implemented in organizational context mainly rather

than projects’ context.

The practice “competitive IT professionals” indicated positive effect on task outcomes.

However, this practice indicated no effect on organizational and public outcomes. This shows

that PakPSOs mainly emphasize IT professionals for task outcomes rather than

organizational and public outcomes. Most of the time, IT professionals are hired on contract

basis till the duration of the project. Attracting and retaining IT professionals is also a

problem in PakPSOs due to higher salaries in multinational and private organizations.

The practice “standardized and managed IT infrastructure and applications” showed

positive effect on public outcomes. However, this practice indicated no effect on task and

organizational outcomes. This shows that this practice is more critical to deliver an improved

quality of public service delivery in the study environment.

Most of the studied IT governance practices demonstrated positive effect on strategic IT

projects’ outcomes in PakPSOs which shows their importance in this environment. However,

various practices demonstrated support for various attributes of IT projects. Some indicated

support for task outcomes and some indicated support for organizational and public outcomes

with varying degree of effect. Due to the relative importance of these practices, public

managers and decision-makers in PakPSOs and similar environments can improve their

IT-related plans, optimize limited resources and consequently, improve & sustain public service

delivery.

6.4 Conclusion

The objective of research phase 3 was “To test and analyze the effect of relevant IT

governance practices on IT outcomes in PakPSOs”. This was achieved by investigating the

effect of IT governance practices in terms of CSFs on IT outcomes in terms of task,

organizational and public outcomes of strategic IT projects in the PSOs of a developing

country i.e. Pakistan. A research model was developed and tested statistically using sample

data from PakPSOs. Based on the data analysis approach i.e. PLS-based structural equation

modeling, most of the studied IT governance practices demonstrated small to moderate effect on

IT projects’ outcomes. It happened even in the context of a developing country with low

human development, limited resources, insufficient related knowledge & competencies and

cultural constraints. The major findings that emerged from the study are as follows:

• “IT/business communication and partnership” proved to be an effective practice for IT projects’ task, organizational and public outcomes.

• “IT leadership” and “engagement of key stakeholders” were found to be effective practices for IT projects’ task and public outcomes.

• “Senior management involvement and support” and “competitive IT professionals” were revealed as effective practices for IT projects’ task outcomes.

• “Defined, aligned and cascaded IT and business strategies”, “IT structures for responsiveness and accountability”, “policies and guidelines for optimal acquisition and use of IT” and “IT governance awareness and training” were found to be effective practices for IT projects’ organizational outcomes.

• “Standardized and managed IT infrastructure and applications” proved to be an effective practice for IT projects’ public outcomes.

The IT governance practices which were not significant on other IT projects’ attributes

perhaps do not stand alone; rather, they are interdependent, so such practices cannot be

ignored altogether. This helped to achieve the third research objective of this study i.e. RO3: “To

test and analyze the effect of relevant IT governance practices on IT outcomes in PakPSOs”.

This research phase also provides important implications for both practitioners and academia.

From practitioners’ point of view, it provides guidance for decision-makers in PSOs of a

developing country to optimize their IT-related plans and use of limited resources by

directing focus on limited areas that have significant effect on IT outcomes. By understanding

the relative importance of IT governance practices, public managers can prioritize limited

resources accordingly. By involving senior management, engaging key stakeholders and

building IT/business collaboration, they can prioritize IT resources and ensure optimal use of

IT in this environment. By aligning IT strategies with business strategies and enabling

structures, they can incorporate and integrate IT into related public sector reforms to improve

public service delivery. By consolidating and communicating IT governance related policies

and guidelines, they can change, control and enforce policies, strategies and decisions to

perform IT enabled functions more effectively. By providing IT governance awareness and

attracting, developing and retaining competitive IT professionals and IT leadership, they can

strengthen and sustain required IT competencies to standardize and harmonize IT

infrastructure and applications cost-effectively in this environment. By setting IT and

business oriented performance measures and benchmarks, they can demonstrate success and

enable IT contribution for continuous business improvement. Moreover, in addition to

focusing on traditional criteria of project outcomes (time, cost & quality), public managers

can adopt a holistic approach to look into the values that IT projects deliver to the

organization and public (citizens, business & employees).

This study also contributes to the existing body of knowledge from academicians’ point of

view. The results may be used to broaden the scope of effective IT governance practices in

the context of PSOs of developing countries. The research theoretically enhances the

understanding of organizational and public value of IT projects. The results may also be used

to strengthen existing IT governance frameworks such as COBIT and ITIL.

6.5 Chapter Summary

In this chapter, the results of research phase 1 with discussion and conclusion have been

provided in detail. The summary of important points of this chapter is as follows:

• 11 IT governance practices out of 12 showed small to moderate effect on either task, organizational or public outcomes in PakPSOs. Some practices showed positive effect on task outcomes and some showed on organizational and public outcomes of strategic IT projects in PakPSOs.

• The practice “IT/business Communication and Partnership” was found to be the most effective whereas the practice “IT Structures for Responsiveness and Accountability” proved to be the least effective.

• The practice “Risk Identification and Mitigation Mechanism” showed no effect on any of the success attributes.

• Due to the relative importance of IT governance practices (CSFs) for IT projects’ success attributes (task, organizational and public outcomes), public managers can prioritize limited resources and consequently, improve & sustain public service delivery in this environment.

• The validated set of IT governance practices of this research phase can also be used to develop an IT governance implementation framework for this environment i.e. PakPSOs.

7 The Framework: Development Phase

7.1 Chapter Objectives

This chapter and the next chapter 8 provide the results of research phase 4. The main purpose

of research phase 4 was to develop and evaluate an IT governance implementation

framework for PakPSOs. This was in response to the fourth research question of this study,

RQ4: “How can effective IT governance practices be implemented in PakPSOs?” This was

achieved by developing and evaluating an IT governance implementation framework using

design science research approach. The detailed methodology and research process of phase 4

is given in section 3.3.4 of chapter 3. This chapter provides the results of development phase

of the framework. The results of the first two iterations (iterations 1 & 2) are presented in this

chapter. In iteration 1, the initial version of the framework is developed whereas in iteration

2, the first version of the framework is developed based on the results. The two versions are

given in this chapter. The rest of the chapter proceeds as follows. In the second section, the

initial version is developed based on the results. In the third section, the first version is developed

based on the results. Discussion and conclusion are provided in the fourth section. Last

section provides the summary of important points of this chapter.

7.2 The Initial Version of the Framework: Results of Iteration 1

7.2.1 Background

The basic building blocks of the initial version of the proposed framework are the 11 IT

governance practices validated in research phase 3 (referred to as “guiding practices” onward in

this study). However, the validated set of these guiding practices provides only the high level

view of the framework. It provides no guidance on how to implement the relevant actions for

each guiding practice to meet the claimed objective of the framework. Therefore, the first

concern is what relevant actions are to be employed for each guiding practice to ensure its

successful implementation. For this, activities (checkpoints) have been introduced in the

initial version. Due to the scarcity of this kind of previous research in PakPSOs, the

researcher adopted these activities from the existing literature and operationalised them in

PakPSOs through focus groups’ opinion in order to develop the initial version. The

initial list of activities for each guiding practice with their reference studies is shown in Table

7.1. There are four to eight activities for each guiding practice.

Table 7.1: The initial list of activities for each practice extracted from the existing literature

| Guiding practice | Proposed activities | Cross-reference from the literature |
|---|---|---|
| 1. IT/business communication and partnership | 1.1 Establish viable IT/business communication and partnership practice | (Nfuka & Rusu, 2013; Aggarwal, 2010; Lee et al., 2008; Bowen et al., 2007; ITGI, 2003; Peterson, 2001; Luftman et al., 1999; Teo & Ang, 1999) |
| | 1.2 Involve business personnel in IT initiatives and IT personnel in business imperatives | |
| | 1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives | |
| | 1.4 Make IT related decisions with the same criteria used by the business | |
| | 1.5 Educate business management regarding the importance of partnering with IT | |
| | 1.6 Assure active conflict resolution | |
| 2. Engagement of key stakeholders | 2.1 Identify key stakeholders with clear roles and responsibilities | (Alreemy et al., 2016; Razak & Zakaria, 2014; Nfuka & Rusu, 2013; Weill & Ross, 2004; ITGI, 2003; Ribbers et al., 2002) |
| | 2.2 Consult and involve key stakeholders in IT plan preparation and implementation | |
| | 2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives | |
| | 2.4 Provide assurance to satisfy stakeholder concerns | |
| | 2.5 Analyze the potential contribution of key stakeholders | |
| 3. IT leadership | 3.1 Provide a clear and top level mandate to lead and manage IT and transformation program | (Nfuka & Rusu, 2013; Aggarwal, 2010; De Haes & Van Grembergen, 2008; Hoch & Payan, 2008; Lawry et al., 2007; Luftman et al., 1999; Teo & Ang, 1999) |
| | 3.2 Persuade IT leadership on articulation a vision for the role of IT in organization | |
| | 3.3 Encourage IT leadership on business imperatives and viable IT intervention | |
| | 3.4 Convince business management on IT potential and contribution | |
| | 3.5 Develop confidence of senior management in IT leadership | |
| | 3.6 Develop focused IT leadership competencies | |
| 4. Senior management involvement and support | 4.1 Establish senior management role in IT decision-making and monitoring processes | (Nfuka & Rusu, 2013; Aggarwal, 2010; Tan et al., 2009; Weill & Ross, 2004; Luftman et al., 1999; Teo & Ang, 1999) |
| | 4.2 Demonstrate viable business value proposition from IT for senior management, board and politicians’ support | |
| | 4.3 Convince senior management on delegating viable authority for decision-making and control over resources | |
| | 4.4 Convince senior management for additional resources in crisis | |
| | 4.5 Motivate senior management to use IT actively | |
| 5. Defined, aligned and cascaded IT and business strategies | 5.1 Involve IT/business personnel in IT/business strategic planning | (Alreemy et al., 2016; Nfuka & Rusu, 2013; De Haes & Van Grembergen, 2009; Bowen et al., 2007; Guldentops, 2004; Weill & Ross, 2004; ITGI, 2003; Ribbers et al., 2002; Luftman et al., 1999) |
| | 5.2 Define and align IT goals with business goals | |
| | 5.3 Establish business aligned IT strategy, resources and operations | |
| | 5.4 Prioritize, harmonize and establish IT projects cost-effectively | |
| | 5.5 Integrate IT effectively into related public sector reforms | |
| | 5.6 Cascade IT strategy down to all levels of organization | |
| 6. IT structures for responsiveness and accountability | 6.1 Establish clear and appropriate IT roles and responsibilities | (Nfuka & Rusu, 2013; Tan et al., 2009; De Haes & Van Grembergen, 2008; Hoch & Payan, 2008; Bowen et al., 2007; Guldentops, 2004; Weill, 2004) |
| | 6.2 Establish the role of CIO or IT head to report directly to executive head | |
| | 6.3 Establish IT steering committee with balanced representation of IT/business | |
| | 6.4 Establish IT project steering committee to prioritize and manage IT projects | |
| | 6.5 Ensure shared understanding and active participation of committees | |
| 7. Policies and guidelines for optimal acquisition and use of IT | 7.1 Establish needed IT processes and governance framework | (Alreemy et al., 2016; Razak & Zakaria, 2014; Nfuka & Rusu, 2013; Tan et al., 2009; De Haes & Van Grembergen, 2008; PwC & ITGI, 2006; Guldentops, 2004; Weill, 2004; ITGI, 2003) |
| | 7.2 Establish clear mechanism for IT budget control and reporting | |
| | 7.3 Ensure optimized IT investment, procurement and operational cost | |
| | 7.4 Establish cost-effective and responsible use of IT resources | |
| | 7.5 Establish ownership and efficient use of IT applications | |
| | 7.6 Establish IT governance policies & guidelines for IT value creation and preservation | |
| | 7.7 Determine and implement required change management | |
| | 7.8 Cascade and enforce IT policies & guidelines at all levels | |
| 8. IT governance awareness and training | 8.1 Determine drivers and state of IT governance practices | (Razak & Zakaria, 2014; Nfuka & Rusu, 2013; Pollard and Cater-Steel, 2009; De Haes & Van Grembergen, 2008) |
| | 8.2 Determine required mindset change and best practices | |
| | 8.3 Adopt and undertake IT governance awareness and training for IT/business personnel | |
| | 8.4 Establish knowledge management mechanism | |
| | 8.5 Reduce employees resistance | |
| 9. Competitive IT professionals | 9.1 Attract, develop and retain skilled IT personnel for IT/business success | (Alreemy et al., 2016; Razak & Zakaria, 2014; Nfuka & Rusu, 2013; Aggarwal, 2010; Tan et al., 2009; Warland & Ridley, 2005; Peterson, 2004) |
| | 9.2 Develop broad IT competencies to manage IT resources | |
| | 9.3 Establish and motivate aligned IT innovation and practices | |
| | 9.4 Treat skilled IT professionals as working capital | |
| 10. Standardized and managed IT infrastructure and applications | 10.1 Provide and leverage IT facilities rationally | (Razak & Zakaria, 2014; Nfuka & Rusu, 2013; Aggarwal, 2010; Peterson, 2004; ITGI, 2003; Teo & Ang, 1999) |
| | 10.2 Standardize and share IT infrastructure effectively | |
| | 10.3 Standardize, integrate and manage IT applications prudently | |
| | 10.4 Determine and actively manage services offered by the third parties | |
| | 10.5 Benchmark and provide efficient IT services in and across organizations | |
| | 10.6 Establish research activities for new and innovative IT services | |
| 11. Performance measures and benchmarks | 11.1 Perform adequate analysis and evaluation of current and future use of IT | (Alreemy et al., 2016; Nfuka & Rusu, 2013; Campbell et al., 2010; Tan et al., 2009; Hoch & Payan, 2008; Ali & Green, 2007; PwC & ITGI, 2006; Peterson, 2004; Weill, 2004; ITGI, 2003) |
| | 11.2 Establish effective performance management strategy | |
| | 11.3 Set and monitor IT/business oriented performance measures | |
| | 11.4 Evaluate and demonstrate business value of IT | |
| | 11.5 Assess IT governance performance and continually improve | |
| | 11.6 Establish performance aligned rewards and penalties | |

The next concern was who will execute each activity or set of activities? For this, the role for

each activity was incorporated into the initial version. COBIT framework suggests 19 roles.

However, these roles are complex and exhaustive and all organizations do not employ all

these roles (Simonsson & Johnson, 2008). Simonsson and Johnson (2008) arranged 19 roles

of COBIT into five roles. The researcher adopted five roles suggested by Simonsson and

Johnson (2008) and operationalised them in PakPSOs through focus groups’ opinion in order

to develop the initial version. The relationship of 19 roles of COBIT with five roles

of Simonsson and Johnson (2008) is shown in Table 7.2.

Table 7.2: Relationship of 19 roles of COBIT with five roles of Simonsson and Johnson (2008)

| Roles suggested by COBIT | Roles suggested by Simonsson and Johnson (2008) |
|---|---|
| The Board; Chief Executive Officer; Chief Financial Officer | Executives |
| Business Executive; Business Process Owner; Business Senior Management | Business |
| Chief Information Officer; Chief Architect; Head Development; Program Management Officer | IT management |
| Head Operations; Deployment Team; Head IT Administration; Training Department; Service Managers; Service Desk/Incident Manager; Configuration Manager; Problem Manager | IT operations |
| Compliance, audit, risk and security | Compliance, audit, risk and security |

Another concern was what IT resources are required to execute each activity or set of

activities. ITGI (2007) classified IT resources into four types. The researcher adopted four

types of IT resources suggested by ITGI (2007) and operationalised them in PakPSOs

through focus groups’ opinion in order to develop the initial version. Four types of IT

resources classified by ITGI (2007) are shown in Table 7.3.

Table 7.3: Four types of IT resources classified by ITGI (2007)

| IT resources | Definition |
|---|---|
| Applications | The automated user systems and manual procedures that process the information |
| Information | The data in all their forms, input, processed and output by the information systems in whatever form is used by the business. |
| Infrastructure | The technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enables the processing of the applications. |
| People | The personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required. |

An important building block of the proposed framework should be the environment in which

these practices would be implemented. Due to the operating culture of PakPSOs and state of

IT in these organizations and overall in the country, the environment was incorporated as an

element into the framework. The researcher operationalised the environment as national level

IT-related strategies & policies, E-government strategies, policies, regulation & infrastructure

and IT governance standards and best practices.

Another important building block of the framework is the organization in which it is

implemented. Although things may vary based on the type and nature of the organization and

especially the services that it provides to the public but a framework is generally supposed to

be aligned and interacted with its strategies & policies, structures & systems and objectives &

goals. Therefore, the researcher operationalised the organization as organizational strategies

& policies, organizational structures & systems and organizational objectives & goals for

sustainable success.

7.2.2 Results

A total of six focus groups participated from six PakPSOs i.e. one focus group from one of

the PakPSOs. A total of 35 personnel participated in the focus groups. There were five to

seven members in each focus group representing both IT and business management in order

to discuss and develop consensus for credible results. The respondents were mainly

IT/business directors, deputy directors and IT project directors well-versed in managing

public sector IT related matters. The distribution of the respondents in each focus group in

each studied organization is shown in Table 7.4.

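Table 7.4: Distribution of the respondents in the six studied PakPSOs

| | Org. U | Org. V | Org. W | Org. X | Org. Y | Org. Z | Total |
|---|---|---|---|---|---|---|---|
| IT management | 3 | 3 | 4 | 3 | 3 | 4 | 20 |
| Business management | 2 | 3 | 2 | 3 | 2 | 3 | 15 |
| Total | 5 | 6 | 6 | 6 | 5 | 7 | 35 |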

The focus groups were conducted in two rounds. In the first round, the respondents were

requested to provide feedback on each activity of Table 7.1, assign a suitable role to each

activity from Table 7.2 and choose an appropriate IT resource for each activity from Table

7.3. They were allowed to add, delete and change activities, roles and IT resources as per

their business settings. No other feedback was solicited at this stage. The purpose was to

operationalise the predefined list of activities, roles and IT resources in PakPSOs.

The summarized qualitative response of the focus groups after content analysis is given in

Table 7.5. The results show that nine activities were removed, one was added, 20 were updated and 32

remained unchanged after the focus group interaction. Table 7.5 also shows the suitable role

for each activity and IT resource required to execute each activity.

Table 7.5: The summarized qualitative response of the focus groups after content analysis

*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)

**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)

| Proposed activities from the relevant literature | Improved activities after focus groups’ interaction | R* | S** |
|---|---|---|---|
| 1.1 Establish viable IT/business communication and partnership practice | 1.1 Formalize viable IT/business communication and partnership practice | B | IN |
| 1.2 Involve business personnel in IT initiatives and IT personnel in business imperatives | 1.2 Train/involve business personnel in IT initiatives and IT personnel in business imperatives | B | PP |
| 1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives | 1.3 No change | E | IN |
| 1.4 Make IT related decisions with the same criteria used by the business | 1.4 Removed | ---- | ---- |
| 1.5 Educate business management regarding the importance of partnering with IT | 1.4 Convince business management on IT/business partnership | B | IN |
| 1.6 Assure active conflict resolution | Removed | ---- | ---- |
| 2.1 Identify key stakeholders with clear roles and responsibilities | 2.1 Identify key stakeholders and establish appropriate roles & responsibilities | B | PP |
| 2.2 Consult and involve key stakeholders in IT plan preparation and implementation | 2.2 Involve key stakeholders in IT/business plans preparation and implementation | E | PP |
| 2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives | 2.3 No change | E | IN |
| 2.4 Provide assurance to satisfy stakeholder concerns | 2.4 Removed | ---- | ---- |
| 2.5 Analyze the potential contribution of key stakeholders | 2.4 Analyze and report the potential contribution of key stakeholders | B | IN |
| 3.1 Provide a clear and top level mandate to lead and manage IT and transformation program | 3.1 Formalize a clear and top level mandate to lead and manage overall transformation program | E | PP |
| 3.2 Persuade IT leadership on articulation a vision for the role of IT in organization | 3.2 Removed | ---- | ---- |
| 3.3 Encourage IT leadership on business imperatives and viable IT intervention | 3.2 No change | E | PP |
| 3.4 Convince business management on IT potential and contribution | 3.3 No change | ITM | PP |
| 3.5 Develop confidence of senior management in IT leadership | 3.4 No change | ITM | PP |
| 3.6 Develop focused IT leadership competencies | 3.5 No change | E | PP |
| 4.1 Establish senior management role in IT decision-making and monitoring processes | 4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes | E | PP |
| 4.2 Demonstrate viable business value proposition from IT for senior management, board and politicians’ support | 4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor | ITM | IN |
| 4.3 Convince senior management on delegating viable authority for decision-making and control over resources | 4.3 Convince senior management to delegate viable authority over resources | ITM | PP |
| 4.4 Convince senior management for additional resources in crisis | 4.4 Convince senior management to provide required resources for IT/business success | ITM | PP |
| 4.5 Motivate senior management to use IT actively | 4.5 No change | ITM | PP |
| 5.1 Involve IT/business personnel in IT/business strategic planning | 5.1 Involve IT/business personnel in strategic IT/business planning | E | PP |
| 5.2 Define and align IT goals with business goals | 5.2 No change | ITM | IN |
| 5.3 Establish business aligned IT strategy, resources and operations | 5.3 No change | ITM | IN |
| 5.4 Prioritize, harmonize and establish IT projects cost-effectively | 5.4 Prioritize and align IT projects with business goals and imperatives | B | AP |
| 5.5 Integrate IT effectively into related public sector reforms | 5.5 Incorporate IT effectively into required public sector reforms | B | AP |
| 5.6 Cascade IT strategy down to all levels of organization | 5.6 No change | E | IN |
| 6.1 Establish clear and appropriate IT roles and responsibilities | 6.1 No change | B | PP |
| 6.2 Establish the role of CIO or IT head to report directly to the executive head | 6.2 No change | E | PP |
| 6.3 Establish IT steering committee with balanced representation of IT/business | 6.3 Establish IT steering committee with balanced representation of IT/business executives | E | PP |
| 6.4 Establish IT project steering committee to prioritize and manage IT projects | 6.4 No change | B | PP |
| 6.5 Ensure shared understanding and active participation of committees | 6.5 No change | E | PP |
| 7.1 Establish needed IT processes and governance framework | 7.1 No change | CARS | IN |
| 7.2 Establish clear mechanism for IT budget control and reporting | 7.2 Establish transparent IT/business budget control and reporting | CARS | IN |
| 7.3 Ensure optimized IT investment, procurement and operational cost | 7.3 No change | ITM | IF |
| 7.4 Establish cost-effective and responsible use of IT resources | 7.4 Removed | ---- | ---- |
| 7.5 Establish ownership and efficient use of IT applications | 7.4 Establish ownership and ensure effective use of IT infrastructure & applications | B | IF |
| 7.6 Establish IT governance policies & guidelines for IT value creation and preservation | 7.5 No change | ITM | IF |
| 7.7 Determine and implement required change management | 7.6 No change | B | PP |
| 7.8 Cascade and enforce IT policies & guidelines at all levels | 7.7 No change | E | IN |
| 8.1 Determine drivers and state of IT governance practices | 8.1 No change | ITM | PP |
| 8.2 Determine and fix required mindset change and best practices | 8.2 No change | ITM | PP |
| 8.3 Adopt and undertake IT governance awareness and training for IT/business personnel | 8.3 No change | ITM | PP |
| 8.4 Establish knowledge management mechanism | 8.4 Removed | ---- | ---- |

8.5 Reduce employees resistance 8.5 Removed Added: 8.4 Create IT governance awareness among employees

through top management announcements

E PP

9.1 Attract, develop and retain skilled IT personnel for IT/business success 9.1 No change B PP

9.2 Develop broad IT competencies to manage IT resources 9.2 No change ITM PP

9.3 Establish and motivate aligned IT innovation and practices 9.3 Establish and motivate aligned IT/business innovation and

practices

ITM IN

9.4 Treat skilled IT professionals as working capital 9.4 No change B PP

*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS) **IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)

Page 163: Amanat Ali - prr.hec.gov.pk

148

Table 7.5 Continued…

Proposed activities from the relevant literature Improved activities after focus groups‟ interaction R* S

**

10.1 Provide and leverage IT facilities rationally 10.1 Removed ---- ----

10.2 Standardize and share IT infrastructure effectively 10.1 No change ITO IF

10.3 Standardize, integrate and manage IT applications effectively 10.2 No change ITO AP

10.4 Determine and actively manage services offered by the third parties 10.3 Define and manage SLAs effectively ITM IF

10.5 Benchmark and provide efficient IT facilities in and across

organizations

10.4 Benchmark and provide efficient IT facilities in and across

organizations

ITM AP

10.6 Encourage research activities for new and innovative IT services 10.5 No change ITM IN

11.1 Perform adequate analysis and evaluation of current and future use of IT

11.1 No change ITM IN

11.2 Establish effective performance management strategy 11.2 No change B IN

11.3 Set and monitor IT/business oriented performance measures 11.3 No change B IN

11.4 Evaluate and demonstrate business value of IT 11.4 Evaluate and demonstrate business value proposition of IT ITM IN

11.5 Assess IT governance performance and continually improve 11.5 No change ITM IN

11.6 Establish performance aligned rewards and penalties 11.6 Removed ---- ----

*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)

**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)


In the second round, the quantitative response of the focus groups was sought on the “perceived effectiveness” and “ease of implementation” of the improved activities in their business settings. The respondents were requested to rate each improved activity for its “perceived effectiveness” on a scale from 1 (not effective) to 5 (very effective) and its “perceived ease of implementation” on a scale from 1 (not easy) to 5 (very easy). The purpose was to obtain a list of effective activities that are easy to implement in the study environment, i.e. PakPSOs. The activities scoring at or above the cut-off of 60% on both perceived effectiveness and ease of implementation were selected for the initial version of the framework. The data analysis showed that all the improved activities scored at or above 60% on both perceived effectiveness and ease of implementation, as shown in Figure 7.1. Therefore, all the improved activities were selected for the initial version of the framework.

The results indicate that the majority of the improved activities have higher scores for effectiveness than for ease of implementation. This shows that although the improved activities are effective, their implementation in PakPSOs is not as easy. Possible reasons, among others, may be insufficient IT resources, inadequate related knowledge & competencies, and the prevailing culture of PakPSOs.


[Figure 7.1 (chart): vertical axis from 0.0% to 90.0%; activities shown from Activity 1.1 to Activity 11.5; series: Effectiveness, Ease of Implementation]

Figure 7.1: Quantitative response of the focus groups on perceived effectiveness and ease of implementation of improved activities


We now have all the required elements and sub-elements for the initial version of the framework. These elements and sub-elements have been validated and/or operationalised in the PakPSOs. The initial version of the framework consists of the guiding practices, activities to implement these practices, suitable roles to execute the activities, appropriate IT resources required for the activities, the organizational strategies & policies, structures & systems, objectives & goals and the environment in which it is implemented. All these elements and sub-elements have been discussed, validated and/or operationalised in the PakPSOs. The initial version of the proposed IT governance implementation framework is shown in Figure 7.2 and the details of the activities for the practices are shown in Table 7.6.


Figure 7.2: The initial version of the proposed framework


Table 7.6: Activities for guiding practices with roles and IT resources

| Guiding practice | Activities | R* | S** |
|---|---|---|---|
| 1. IT/business communication and partnership | 1.1 Formalize viable IT/business communication and partnership practice | B | IN |
| | 1.2 Train/involve business personnel in IT initiatives and IT personnel in business imperative | B | PP |
| | 1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives | E | IN |
| | 1.4 Convince business management on IT/business partnership | B | IN |
| 2. Engagement of key stakeholders | 2.1 Identify key stakeholders and establish appropriate roles & responsibilities | B | PP |
| | 2.2 Involve key stakeholders in IT/business plans preparation and implementation | E | PP |
| | 2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives | E | IN |
| | 2.4 Analyze and report the potential contribution of key stakeholders | B | IN |
| 3. IT leadership | 3.1 Establish clear and top level mandate to lead and manage overall transformation program | E | PP |
| | 3.2 Encourage IT leadership on business imperatives and viable IT intervention | E | PP |
| | 3.3 Convince business management on IT potential and contribution | ITM | PP |
| | 3.4 Develop confidence of senior management in IT leadership | ITM | PP |
| | 3.5 Develop focused IT leadership competencies | E | PP |
| 4. Senior management involvement and support | 4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes | E | PP |
| | 4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor | ITM | IN |
| | 4.3 Convince senior management to delegate viable authority over resources | ITM | PP |
| | 4.4 Convince senior management to provide required resources for IT/business success | ITM | PP |
| | 4.5 Motivate senior management to use IT actively | ITM | PP |
| 5. Defined, aligned and cascaded IT and business strategies | 5.1 Involve IT/business personnel in strategic IT/business planning | E | PP |
| | 5.2 Define and align IT goals with business goals | ITM | IN |
| | 5.3 Establish business aligned IT strategy, resources and operations | ITM | IN |
| | 5.4 Prioritize and align IT projects with business goals and imperatives | B | AP |
| | 5.5 Incorporate IT effectively into required public sector reforms | B | AP |
| | 5.6 Cascade IT strategy down to all levels of organization | E | IN |
| 6. IT structures for responsiveness and accountability | 6.1 Establish clear and appropriate IT roles and responsibilities | B | PP |
| | 6.2 Establish the role of CIO or IT head to report directly to the executive head | E | PP |
| | 6.3 Establish IT steering committee with balanced representation of IT/business executives | E | PP |
| | 6.4 Establish IT project steering committee to prioritize and manage IT projects | B | PP |
| | 6.5 Ensure shared understanding and active participation of committees | E | PP |
| 7. Policies and guidelines for optimal acquisition and use of IT | 7.1 Establish needed IT processes and governance framework | CARS | IN |
| | 7.2 Establish transparent IT/business budget control and reporting | CARS | IN |
| | 7.3 Ensure optimized IT investment, procurement and operational cost | ITM | IF |
| | 7.4 Establish ownership and ensure effective use of IT infrastructure & applications | B | IF |
| | 7.5 Establish IT governance policies & guidelines for IT value creation and preservation | ITM | IF |
| | 7.6 Determine and implement required change management | B | PP |
| | 7.7 Cascade and enforce IT policies & guidelines at all levels | E | IN |
| 8. IT governance awareness and training | 8.1 Determine drivers and state of IT governance practices | ITM | PP |
| | 8.2 Determine and fix required mindset change and best practices | ITM | PP |
| | 8.3 Adopt and undertake IT governance awareness and training for IT/business personnel | ITM | PP |
| | 8.4 Create IT governance awareness among employees through top management announcements | E | PP |
| 9. Competitive IT professionals | 9.1 Attract, develop and retain skilled IT personnel for IT/business success | B | PP |
| | 9.2 Develop broad IT competencies to manage IT resources | ITM | PP |
| | 9.3 Establish and motivate aligned IT/business innovation and practices | ITM | IN |
| | 9.4 Treat skilled IT professionals as working capital | B | PP |
| 10. Standardized and managed IT infrastructure and applications | 10.1 Standardize and share IT infrastructure effectively | ITO | IF |
| | 10.2 Standardize, integrate and manage IT applications effectively | ITO | AP |
| | 10.3 Define and manage SLAs effectively | ITM | IF |
| | 10.4 Benchmark and provide efficient IT facilities in and across organizations | ITM | AP |
| | 10.5 Encourage research activities for new and innovative IT services | ITM | IN |
| 11. Performance measures and benchmarks | 11.1 Perform adequate analysis and evaluation of current and future use of IT | ITM | IN |
| | 11.2 Establish effective performance management strategy | B | IN |
| | 11.3 Set and monitor IT/business oriented performance measures | B | IN |
| | 11.4 Evaluate and demonstrate business value proposition of IT | ITM | IN |
| | 11.5 Assess IT governance performance and continually improve | ITM | IN |

*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)

**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)


7.3 The First Version of the Framework: Results of Iteration 2

7.3.1 Background

In iteration 2, the initial version of the framework is enhanced through interviews with senior IT and business management personnel in PakPSOs. This is complemented by interviews with related industry experts. The purpose is the general enhancement of the framework through new or improved activities and a check on the suitability of the assigned roles and IT resources. The collected data are then analyzed using content analysis. The analyzed data are then categorized and incorporated into the framework, resulting in the first version.

7.3.2 Results

A total of 46 personnel from 23 PakPSOs participated in the interview process. Twenty-six personnel were from the IT side and 20 from the business side. Five personnel participated from industry. The respondents' profile and their summarized suggestions after content analysis are shown in Table 7.7. The results indicate that nine activities have been updated, the positions of four activities have changed, two activities have been merged into one new activity, one activity has been added and one activity has been removed. All the generic roles have been replaced by specific roles. As far as the IT resources are concerned, there was no change in any of them. All the summarized suggestions have been incorporated into the framework, resulting in the first version. The first version of the framework is shown in Figure 7.3 and the details of the activities are shown in Table 7.8.


Table 7.7: Respondents' profile and their summarized suggestions

Respondents' profile

IT management
- Director Generals - 3
- Executive Directors - 1
- Directors/Deputy Directors - 22
- Total - 26

Business management
- Director Generals - 2
- General Managers/Managing Directors - 4
- Directors - 14
- Total - 20

Summarized suggestions

Activities
- Update activity 1.4 “Convince business management on IT/business partnership” by “Convince IT/business management on IT/business partnership”.
- Interchange the positions of activities 1.2 and 1.4.
- Update activity 3.1 “Establish clear and top level mandate to lead and manage overall transformation program” by “Establish clear and top level mandate to lead IT transformation program”.
- Interchange the positions of activities 3.4 and 3.5.
- Update activity 4.3 “Convince senior management to delegate viable authority over resources” by “Convince senior management to delegate viable negotiating authority”.
- Remove activity 7.1.
- Update activity 7.4 “Establish ownership and ensure effective use of IT infrastructure & applications” by “Ensure effective & efficient use of IT infrastructure & applications”.
- Update activity 7.5 “Establish IT governance policies & guidelines for IT value creation and preservation” by “Establish policies & guidelines for IT value creation and preservation”.
- Update activity 8.1 “Determine drivers and state of IT governance practices” by “Determine state and drivers of IT governance practices”.
- Update activity 8.2 “Determine and fix required mindset change and best practices” by “Determine and implement best practices for mindset change”.
- Merge activities 10.1 & 10.2 into one activity i.e. “Standardize, share and manage IT infrastructure & applications cost-effectively”.
- Update activity 10.4 “Benchmark and provide efficient IT facilities in and across organizations” by “Benchmark and provide effective & efficient IT facilities in and across organizations”.
- Update activity 10.5 “Encourage research activities for new and innovative IT services” by “Encourage aligned research activities for innovative IT services”.

Roles/IT resources
- Replace the generic roles by the specific roles due to ambiguity and need of explanation of these roles. The generic roles are against the true spirit of governance where roles should be clear to ensure responsibility & accountability. Replace Executives by Executive Head (EH), Business by Business Head (BH) and Business Team (BT), IT management by IT Head (ITH), IT operations by IT Team (ITT), and Compliance, audit, risk and security by Regulations Head (RH).
- Change role of activity 7.4 from Business Head to IT Head.
- All the proposed IT resources are appropriate.
- Environmental and organizational components are OK.

Other comments
- It is impractical to implement this framework in all PakPSOs because required IT facilities are not available in some of the PakPSOs.
  Researcher's relevant point of view: The issue has been addressed by activity 10.3 “Benchmark and provide effective & efficient IT facilities in and across organizations”.
- The framework provides no activity to receive public feedback for decision-making and improvement of quality of government services because public including citizens, businesses and employees are important stakeholders in public sector.
  Researcher's relevant point of view: A new activity 2.5 “Formalize virtual connection between IT and business practices and communities”, adopted from Peterson (2001), is added to the framework.
- It is hard to measure and demonstrate business value of IT in public sector because most organizations in this sector are non-profit based. Moreover, it is difficult to convert intangible benefits into monetary value because the main purpose of this sector is to serve and facilitate the nation.
  Researcher's relevant point of view: The business value of IT in public sector can be viewed in terms of cost reduction and efficiency gain, improved quality of decision-making & services and employees' productivity etc.
- The framework is a useful tool to govern strategic IT projects.
- The framework is a suitable tool for improving and sustaining public service delivery.

Respondents' profile

Industry
- Heads of IT Management - 3
- Governance related services - 2
- Total - 5

Summarized suggestions

Activities/Roles/IT resources
- Update activity 8.4 “Create IT governance awareness among employees through top management announcements” by “Ensure compliance among employees through top management announcements”.

Other comments
- The framework has not mentioned the possibility of using emerging trend of cloud computing that provides many benefits to organization in terms of cost reduction, increased collaboration, enhanced security, disaster recovery etc.
  Researcher's relevant point of view: The concept of cloud computing is at very early stages in PakPSOs. No cloud computing facility has been fully established for PakPSOs so far and private cloud computing facility could not be used for classified government data & information for security reasons. However, this has been implicitly covered in activity 10.1 “Standardize, share and manage IT infrastructure & applications cost-effectively”.
- The framework has not discussed the opportunity of providing public services through mobile phones i.e. emerging trend of m-government.
  Researcher's relevant point of view: This has been implicitly addressed by activity 10.4 “Encourage aligned research activities for innovative IT services”.
- The framework is silent on risk management.
  Researcher's relevant point of view: The practice “Risk Identification and Mitigation Mechanism” has not been validated statistically in PakPSOs. However, it is implicitly addressed by activity 7.4 “Formalize policies & guidelines for IT value creation and preservation”.
- Cover IT governance practices with environmental and organizational components. Remove IT governance focus areas box, IT-business alignment box, IT outcomes box and all arrows because all these things are self-explanatory and superfluous.
  Researcher's relevant point of view: The framework is amended as per aforesaid comments/suggestions.
- The framework is useful for IT governance awareness, IT management and service delivery in public sector.
- Linkage to environmental and organizational elements is nice and all elements are sophisticated.
- Coverage in five IT governance focus areas and three IT-business alignment perspectives is the novelty of the framework.


Figure 7.3: First version of the framework


Table 7.8: Activities for practices with roles and IT resources

| Guiding practice | Activities | R* | S** |
|---|---|---|---|
| 1. IT/business communication and partnership | 1.1 Formalize viable IT/business communication and partnership practice | BT | IN |
| | 1.2 Convince IT/business management on IT/business partnership | EH | PP |
| | 1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives | EH | IN |
| | 1.4 Train/involve business personnel in IT initiatives and IT personnel in business imperatives | BH | IN |
| 2. Engagement of key stakeholders | 2.1 Identify key stakeholders and establish appropriate roles & responsibilities | BH | PP |
| | 2.2 Involve key stakeholders in IT/business plans preparation and implementation | EH | PP |
| | 2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives | EH | IN |
| | 2.4 Analyze and report the potential contribution of key stakeholders | BT | IN |
| | 2.5 Formalize virtual connection between IT and business practices and communities | EH | IN |
| 3. IT leadership | 3.1 Establish clear and top level mandate to lead IT transformation program | EH | PP |
| | 3.2 Encourage IT leadership on business imperatives and viable IT intervention | EH | PP |
| | 3.3 Convince business management on IT potential and contribution | ITH | PP |
| | 3.4 Develop focused IT leadership competencies | EH | PP |
| | 3.5 Develop confidence of senior management in IT leadership | ITH | PP |
| 4. Senior management involvement and support | 4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes | EH | PP |
| | 4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor | ITH | IN |
| | 4.3 Convince senior management to delegate viable negotiating authority | ITH | PP |
| | 4.4 Convince senior management to provide required resources for IT/business success | ITH | PP |
| | 4.5 Motivate senior management to use IT actively | ITH | PP |
| 5. Defined, aligned and cascaded IT and business strategies | 5.1 Involve IT/business personnel in strategic IT/business planning | EH | PP |
| | 5.2 Define and align IT goals with business goals | ITH | IN |
| | 5.3 Establish business aligned IT strategy, resources and operations | ITH | IN |
| | 5.4 Prioritize and align IT projects with business goals and imperatives | BT | AP |
| | 5.5 Incorporate IT effectively into required public sector reforms | BT | AP |
| | 5.6 Cascade IT strategy down to all levels of organization | EH | IN |
| 6. IT structures for responsiveness and accountability | 6.1 Establish clear and appropriate IT roles and responsibilities | BH | PP |
| | 6.2 Establish the role of CIO or IT head to report directly to the executive head | EH | PP |
| | 6.3 Establish IT steering committee with balanced representation of IT/business executives | EH | PP |
| | 6.4 Establish IT project steering committee to prioritize and manage IT projects | BH | PP |
| | 6.5 Ensure shared understanding and active participation of committees | EH | PP |
| 7. Policies and guidelines for optimal acquisition and use of IT | 7.1 Establish transparent IT/business budget control and reporting | RH | IN |
| | 7.2 Ensure optimized IT investment, procurement and operational cost | ITH | IF |
| | 7.3 Ensure effective & efficient use of IT infrastructure & applications | ITH | IF |
| | 7.4 Formalize policies & guidelines for IT value creation and preservation | ITH | IF |
| | 7.5 Determine and implement required change management | BH | PP |
| | 7.6 Cascade and enforce IT policies & guidelines at all levels | EH | IN |
| 8. IT governance awareness and training | 8.1 Determine state and drivers of IT governance practices | ITH | PP |
| | 8.2 Determine and implement best practices for mindset change | ITH | PP |
| | 8.3 Adopt and undertake IT governance awareness and training for IT/business personnel | ITH | PP |
| | 8.4 Ensure compliance among employees through top management announcements | EH | PP |
| 9. Competitive IT professionals | 9.1 Attract, develop and retain skilled IT personnel for IT/business success | BH | PP |
| | 9.2 Develop broad IT competencies to manage IT resources | ITH | PP |
| | 9.3 Establish and motivate aligned IT/business innovation and practices | ITH | IN |
| | 9.4 Treat skilled IT professionals as working capital | BH | PP |
| 10. Standardized and managed IT infrastructure and applications | 10.1 Standardize, share and manage IT infrastructure & applications cost-effectively | ITT | IF |
| | 10.2 Define and manage SLAs effectively | ITH | IF |
| | 10.3 Benchmark and provide effective & efficient IT facilities in and across organizations | ITH | AP |
| | 10.4 Encourage aligned research activities for innovative IT services | ITH | IN |
| 11. Performance measures and benchmarks | 11.1 Perform adequate analysis and evaluation of current and future use of IT | ITH | IN |
| | 11.2 Establish effective performance management strategy | BT | IN |
| | 11.3 Set and monitor IT/business oriented performance measures | BT | IN |
| | 11.4 Evaluate and demonstrate business value proposition of IT | ITH | IN |
| | 11.5 Assess IT governance performance and continually improve | ITH | IN |

*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)

**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)


7.4 Discussion and Conclusion

The results presented above deal with the development phase of the proposed framework. According to design science research, a framework is iteratively developed and evaluated. Therefore, two iterations have been performed in the development phase. In iteration 1, the initial version of the framework was developed and in iteration 2, the first version of the framework was developed.

The initial version was developed based on the results of research phases 2 & 3, the existing knowledge base and the focus groups' opinion of 35 IT and management personnel in 6 PakPSOs. The initial list of activities was adopted from the existing literature and then operationalised in PakPSOs. Similarly, the generic roles and IT resources were also adopted from the existing literature and operationalised in PakPSOs. The results indicated that nine activities were removed, one added, 20 updated and 32 remained unchanged after the focus group interaction on the initial list. One possible reason for the deleted activities might be that these are not relevant to PakPSOs. The other reason might be that these are hard to implement due to the lack of related knowledge & competencies in this environment. The results also indicated that the activities scored higher on effectiveness than on ease of implementation. This might be due to the low human development, limited IT resources, inadequate related knowledge & competencies and operating culture of PakPSOs.

The initial version of the framework is not an ultimate solution because it is based on the opinions in a limited number of PakPSOs. Therefore, the initial version has been further enhanced through the interviews of 46 heads of IT and business in 23 PakPSOs having rich experience in strategic management of IT and business. It is also complemented by the interviews of 5 related industry experts. This resulted in the first version of the framework. The results indicated that nine activities have been updated, two activities have been merged into one new activity, one activity has been added, one activity has been removed and four have changed their positions. All the generic roles have been replaced by specific roles. As far as the IT resources are concerned, there was no change in any of them. The results of the first version are more credible than those of the initial version because they are based on the opinions of senior managers having rich experience in strategic management of IT and business and representing more PakPSOs. Therefore, the first version is considered for evaluation in a case study organization, which is the subject of chapter 8.

Another important aspect of the proposed framework is that the practices are grouped into two categories, i.e. IT governance focus areas and IT-business alignment perspectives. This provides two views of the framework. On the one hand, the framework covers five focus areas of IT governance and on the other hand it covers three perspectives of IT-business alignment. In this way, the proposed framework provides a holistic view of IT governance. This helped to partially achieve the fourth objective of this study i.e. RQ4: “To develop and evaluate a framework for effective IT governance implementation in PakPSOs”. The development of the framework has been covered in this chapter whereas the evaluation of the framework is covered in chapter 8.

7.5 Chapter Summary

In this chapter, the results of the development phase of the proposed framework with

discussion and conclusion have been provided in detail. The summary of important points of

this chapter is as under:

• The framework has been developed using the design science research approach. According to design science, a framework is developed and evaluated in iterations. This chapter deals with the development phase of the framework; the evaluation phase is not the subject of this chapter.

• The framework has been developed in two iterations. In iteration 1, the initial version of the framework was developed, whereas in iteration 2, the first version of the framework was developed.

• The basic building blocks of the framework are the guiding practices, the activities to implement these practices, suitable roles and appropriate IT resources to execute the activities, the organizational strategies & policies, structures & systems, objectives & goals and the environment in which it is implemented.

• The initial version of the framework consists of 11 guiding practices, 54 activities (checkpoints), five generic roles and four types of IT resources. All the said elements and sub-elements have been validated and/or operationalised in PakPSOs.

• The initial version has been developed based on the results of research phases 2 & 3, the existing knowledge base and the focus groups' opinion of 35 IT and management personnel in 6 PakPSOs.

• The initial version has been enhanced based on the interviews of 46 heads of IT and business in 23 PakPSOs having rich experience in strategic management of IT and business. It is also complemented by interviews of 5 related industry experts. This resulted in the first version of the framework.

• The first version of the framework is the updated version of the initial version. It consists of 11 guiding practices, 53 activities, six specific roles and four types of IT resources.

• The framework not only covers the five focus areas of IT governance but also covers the three perspectives of IT-business alignment. In this way, the framework provides a holistic view of IT governance.

8 The Framework: Evaluation Phase

8.1 Chapter Objectives

This chapter provides the results of the evaluation phase (iteration 3) of the proposed

framework. As already discussed, the framework has been developed and evaluated in three

iterations. In iterations 1 & 2, the framework has been developed ending up in the initial

version and the first version respectively. In iteration 3, the first version of the framework is

evaluated in one of the PakPSOs using case study research approach ending up in the second

version which is also the final version of this study. The purpose of iteration 3 is to evaluate

the framework in a real business setting. The detailed methodology and research process of

the evaluation phase is given in section 3.3.4.1 of chapter 3. The results indicated that after

incorporating suggested improvements, the second version of the proposed framework is

useful for implementing effective IT governance in PakPSOs. The rest of the chapter proceeds

as follows. In the second section, a brief introduction of the case is provided. In the third

section, IT governance in organization M is described in detail. In the fourth section, the

proposed framework is harmonized with organization M. The fifth section provides the

results of the case study. In the sixth section, the second version of the framework is given.

Discussion and conclusion are provided in the seventh section. The last section provides the

summary of important points of this chapter.

8.2 Introduction to the Case

The organization M is a service sector organization involved in the implementation of

e-government projects in the country. It is entrusted with the responsibility of capacity building

particularly in the field of IT in government sector. Currently, it provides IT and

infrastructure services to more than 100 government departments including health, education,

agriculture, police, transport, excise & taxation, land & revenue and law & justice etc. Most

of its projects are government funded. However, the organization also explores funding

opportunities from private sector, national and international donor agencies. It is an

autonomous body having a board of directors and is considered the best-in-class public sector IT

organization in the country.

The major objectives of the organization M are: 1) to introduce IT at all levels of the

government to improve efficiency, transparency and quality of services, 2) to provide a

reliable and scalable IT infrastructure up to district level, 3) to formulate and implement

policies & guidelines for automation and business process re-engineering, 4) to enhance

foreign and domestic IT investment through collaboration with renowned international firms,

and 5) to develop human resources through IT training of incubators, professionals and

government employees.

8.3 IT Governance in Organization M

As mentioned above, the organization M strives to implement e-government projects

in the country which are usually strategic IT projects. Therefore, the organization M views IT

governance as the governance of its strategic IT projects.

The relationship among five IT governance decisions i.e. IT principles (IT strategy), IT

architecture, IT infrastructure, IT applications and IT investment & prioritization (Weill &

Ross, 2004), five focus areas of IT governance i.e. strategic alignment, value delivery, risk

management, resource management and performance measurement (ITGI, 2007) and five

phases of the project management life cycle i.e. initiating, planning, executing, monitoring &

controlling and closing (PMI, 2004) in the organization M can be explained by Figure 8.1.

Figure 8.1: The relationship among IT governance decisions and focus areas and project management

life cycle phases.

As shown in Figure 8.1, all decisions are interlinked with each other. IT strategy covers other

four decisions. IT architecture is designed for IT infrastructure and IT applications. IT

infrastructure is prepared for IT applications. IT investment & prioritization is made for IT

infrastructure and applications.

Each decision is related with one or more phases of project management life cycle but the

relation is not one-to-one; rather, a fusion exists among them (Pelt, 2009). However, IT

strategy is more related to initiating phase, IT architecture is more related to planning phase,

IT infrastructure is more related to executing phase, IT applications are more related to

monitoring & controlling phase and IT investment & prioritization is more related to closing

phase. Figure 8.1 maps each decision to the most appropriate phase of the project management life

cycle.

Similarly, each phase is related to more than one focus area. Initiating phase is more related

to strategic alignment and value delivery. Planning phase is more related to risk management

and resource management. Executing phase is more related to risk management, resource

management and performance measurement. Monitoring & controlling phase is more related

to performance measurement and value delivery. Closing phase is more related to value

delivery and strategic alignment. Figure 8.1 maps each phase to the most appropriate focus

areas of IT governance.

Hence, each phase of the project management life cycle from start to end can be evaluated

against both IT governance and project management best practices to ensure that the project

remains on track and delivers what was promised. It is reasonable to believe that organizations

with good IT governance are also good at successful project implementation.

Therefore, IT governance exercised in the organization M at each phase of the project

management life cycle can be described based on Figure 8.1. The description of each of the

phases is as follows.

Initiating

In the organization M, IT projects are usually identified/selected by the Board of Directors

in consultation with the Planning and Development Department (P & D) based on their

relevance with provincial plans/vision, sectoral analysis, current situation and/or special

policy directives of the government. In some cases, national and international donor agencies

also participate in the process of project identification. The project proposal is prepared

in the form of PC-I (Planning Commission-1) Proforma by the Director General (E-

Governance) and submitted to the P & D for appraisal. The P & D has developed its own

guidelines based on international best practices to conduct ex-ante evaluation. The Chairman

of the organization M is the member of the board of P & D and the Chairman of P & D is the

member of the board of the organization M. After the successful appraisal, the PC-I is

submitted to the PDWP (Provincial Development Working Party) for approval. After the

approval, the project is handed over to the organization M for implementation and funds are

released as per formal mechanism. The IT strategy is formulated by the Director General (IT)

in consultation with internal and external stakeholders. The organization has a comprehensive

IT strategy document as an integral part of the organizational strategy which focuses on

implementing IT projects as part of an integrated approach rather than as silos. It also

emphasizes top-level ownership without which successful implementation of

programs/projects is not possible. The strategic alignment (alignment of IT projects with

organizational objectives) is assured against the organizational strategy which is updated from time

to time. The value delivery expected from an IT project is explicitly described in Section

B of the PC-I form, mostly in terms of non-financial benefits.

Planning

The organization M follows project management methodology PMBOK which is supported

by the Chairman of the organization. Primavera P-V software is used for planning purpose.

After the approval by the competent forum, the project proposal turns into project charter.

Before the start of the project, stakeholder meetings are arranged. All the potential

stakeholders are invited and a formal presentation is given to them about the project and its

purpose. Matters related to the client organization and its work processes, standardization and

integration, project architecture/design, and potential risks are discussed and finalized based

on the inputs from the stakeholders. Necessary resources for the project such as human,

financial and physical are discussed. Usually, the organization M is equipped with skilled

human resources. However, in case of lack of skilled human resources, the post is advertised

in the newspapers. In the team building process, the responsibility and communication mode

are identified. A detailed project plan is finalized based on the inputs from the technical staff

and stakeholders. Project activities are shaped and necessary resources are estimated. A

baseline plan is formulated against which the project progress is measured during successive

phases. The IT architecture/design is decided by the Director (Software Eng.) based on the

work processes of the client government department and their own guidelines for

standardization and integration. The risk management and resource management plans are

explicitly described in Sections B & C, respectively, of the PC-I form.

Executing

The organization M is responsible for the execution of its IT projects. After the detailed

project plan is formulated, the tendering process starts. A bidding process is performed and

the project is awarded based on quality and cost. International contractors can also participate in

the bidding process. To avoid the issue of inflation, the contracts are awarded on lump-sum

basis. Procurement activities are performed in line with the rules and guidelines of Public

Procurement Regulatory Authority (PPRA). Funds are released on quarterly basis by the P &

D. Contractors submit weekly progress reports to the project director in a specified format.

Weekly meetings with the contractors are arranged to discuss and address issues encountered

during the course of the project execution. Other communication tools like email, telephone

and fax are also used to ensure smooth functioning of project activities.

The IT infrastructure is decided by the Joint Director (Infrastructure). It is developed by

contractors/vendors according to the project architecture/design and scope. During execution,

contractors/vendors provide, install and configure IT infrastructure such as LAN/WAN,

routers/switches, servers/computers, operating systems, databases, ERP systems and

accounting systems etc. as per the architecture/design and scope of the project. The risk

management in terms of issues faced, resource management in terms of funds utilized and

performance measurement in terms of milestones achieved are conveyed in the form of PC-

III on monthly and quarterly basis to the P & D. The project evaluation during executing

phase is called interim evaluation.

Monitoring & Controlling

The organization M uses Primavera P-V software for monitoring & controlling. Earned Value

Analysis Technique (EVA) is used for this purpose. Basic EVA is performed to convey the

performance of the project to the higher level of decision makers. Contractors submit weekly

reports to the project director on the project performance in a prescribed format. Quarterly

meetings with stakeholders are arranged to review the performance of the project.

The IT applications are decided by the Joint Director (e-gov. applications) in the organization

M. The organization has an in-house development facility. When a project is near completion,

IT applications (developed or purchased) are tested on the developed IT infrastructure in a

real business environment against key performance indicators (performance measurement)

and projected benefits (value delivery). These measures are communicated to the P & D in

the form of PC-III on quarterly basis. Any change request or issues faced by the client

government department are addressed accordingly.

Closing

When a project is completed, the organization M submits a close out report in the form of

PC-IV to the P & D. It is also required to submit a report in the form of PC-V for the next

five years. The Directorate General Monitoring & Evaluation (DGME) of P & D is

responsible for terminal and ex-post evaluation. The DGME evaluates the report to review

the implementation process and achievement of results with main focus on efficiency,

effectiveness and sustainability. The purpose is to see whether the project has been

successfully completed and if so then to what extent. The report also suggests the

requirements of project follow up. A team of experts is constituted to evaluate the project in a

meeting held at DGME with roles and responsibilities based on the expertise in the domain of

the project i.e. IT, data collection & analysis and interpretation. The team physically visits the

sites, conducts interviews of the key stakeholders and makes expert observations. The

assessment tools and techniques used in the evaluation process are: PC-I & PC-IV reports;

assessment report by the sponsor; JICA's evaluation tool to judge as objectively as possible

the relevance and effectiveness at four levels: ex-ante, mid-term, terminal, and ex-post

evaluation; Program Assessment Tool (PART) designed by the US Office of Management and

Budget and Federal agencies to evaluate the program's purpose, design, planning,

management, results and accountability to determine its overall effectiveness; and DGME

evaluation guidelines.

The IT investment & prioritization is made by the Director General (IT). However, it is

usually not made based on the lessons learned from the previous projects. The value delivery

is measured in terms of the proposed benefits provided in the project plan and impact on the

target groups. However, there is no mechanism to assess strategic alignment in the

organization after closing the project. The organization M should address these weak areas.

The decision-making structure of the organization M at the level of IT projects regarding key

IT governance decisions and decisions review is shown in Table 8.1. Table 8.2 shows

how IT governance focus areas are addressed in the organization M.

Table 8.1: Decision-making structure of the organization M

| IT governance decisions | Phases involved | Decision-making authority (decision made by) | Reviewing authority (decision reviewed by) |
| --- | --- | --- | --- |
| IT strategy | Initiating | Director General (IT) | Board of Directors |
| IT architecture | Planning | Director (Software Eng.) | Director General (IT Solutions) |
| IT infrastructure | Executing | Joint Director (Infrastructure) | Director General (IT) |
| IT applications | Monitoring & controlling | Joint Director (e-gov. applications) | Director General (e-governance) |
| IT investment & prioritization | Closing | Director General (IT) | Board of Directors |

Table 8.2: How IT governance focus areas are addressed in the organization M

| IT governance focus area | Phases involved | Mechanism used | Evaluation type |
| --- | --- | --- | --- |
| Strategic alignment | Initiating | IT strategy | Nil |
| | Closing | Nil | Nil |
| Value delivery | Initiating | PC-I | Ex-ante |
| | Monitoring & controlling | PC-III | Interim |
| | Closing | PC-IV & V | Terminal & Ex-post |
| Risk management | Planning | PC-I | Ex-ante |
| | Executing | PC-III | Interim |
| Resource management | Planning | PC-I | Ex-ante |
| | Executing | PC-III | Interim |
| Performance measurement | Executing | PC-III | Interim |
| | Monitoring & controlling | PC-III | Interim |

8.4 Relevancy of the Proposed IT Governance Framework with the Organization M

This section describes the relevancy of the proposed framework's practices (basic building

blocks) with the organization M. Table 8.3 shows the relevancy of the proposed framework's

practices with the organization M.

Table 8.3: Relevancy of the proposed framework's practices with the organization M

| The guiding practice | Relevancy with the organization M |
| --- | --- |
| IT/business communication and partnership | This practice is considered the most important practice in the organization M because most of its IT projects are executed in other government departments where IT/business communication and partnership is crucial for the success of these projects. The organization is also involved in the provision of IT training to business personnel of other government departments in addition to its own employees. |
| Engagement of key stakeholders | In the organization M, the key stakeholders are involved in IT initiatives with clear roles and responsibilities. Service sector, planning sector and consultant & contractors sector organizations are also among these key stakeholders. When a project is started, the organization arranges stakeholder meetings. All the key stakeholders are invited and a formal presentation is given to them about the project and its purpose. Key stakeholders are engaged throughout the project management life cycle in the organization. |
| IT leadership | IT leadership of the organization M is highly capable and experienced in managing strategic use of IT in public/private sector organizations. It has articulated the vision of the organization as “to develop IT as a major sphere of economic activity, and promote its use in the public and private sectors to increase efficiency and competitiveness”. IT leadership has played an important role in the success of the organization, and it is currently considered the best-in-class organization in the country. Most of its IT projects are declared successful by the Directorate General of Monitoring and Evaluation (DGME), which is a principal body for monitoring and evaluating public sector projects. Most IT initiatives of the organization M have also been appreciated by national and international dignitaries and forums. The organization has won many international awards in this respect. |
| Senior management involvement and support | The senior management of the organization M is actively involved in strategic IT decision-making, resource prioritization and monitoring processes. IT projects in the organization M are selected in the board of directors' meeting with the consultation of P & D, which is a principal body for approving public sector projects. The chairman of the organization M is a member of the board of P & D and the chairman of P & D is a member of the board of the organization M. |
| Defined, aligned and cascaded IT and business strategies | The organization M has a comprehensive IT strategy document which mainly focuses on implementing IT projects as part of an integrated approach rather than as silos. It focuses on top-level ownership without which successful implementation of programs/projects is not possible. It also focuses on basic IT infrastructure & applications and human resource development due to lack of such resources in this environment. IT strategy of the organization M is an integral part of business strategy. It is communicated through web portal and senior management announcements. |
| IT structure for responsiveness and accountability | The organization M has a consolidated structure. It has IT project steering committees. However, it has no IT steering committee. |
| Policies and guidelines for optimal acquisition and use of IT | The organization M has a comprehensive policy and guidelines for cost effective acquisition and use of IT. The organization uses project management methodology PMBOK. After the detailed IT project plan is formulated, the tendering process starts. A bidding process is performed and the project is awarded based on quality and cost. International contractors can also participate in the bidding process. Procurement activities are performed in line with the rules and guidelines of Public Procurement Regulatory Authority (PPRA). |
| IT governance awareness and training | Although the organization M has institutionalized employee training and a career development path, it lacks provision of IT governance awareness and training to IT and business personnel for optimal use of IT. Most of the training contents emphasize IT and project management knowledge & skills and job related activities. The organization needs to harmonize these contents with IT governance awareness and training for optimal use of IT. |
| Competitive IT professionals | The organization M is equipped with skilled human resources and has a central pool of competitive IT professionals. However, in case of shortage of skilled IT professionals, the post is advertised in the newspapers. The recruitment is made in a transparent and competitive manner. A formal training mechanism for developing broad competencies on IT and project management knowledge & skills is present in the organization. |
| Standardized and managed IT infrastructure and applications | IT infrastructure and applications in PakPSOs are implemented by the organization M. Contractors/vendors provide, install and configure IT infrastructure & applications as per the architecture/design in the project plan. When the project is about to complete, IT applications are tested on the developed infrastructure in a real business environment to determine the adequacy of the applications and infrastructure in fulfilling the organizational needs. Monthly reports are submitted by the client government department to the organization M on the issues faced and any change request regarding the configuration of IT applications and infrastructure. |
| Performance measures and benchmarks | The organization M currently uses the Key Performance Indicators (KPIs) approach to evaluate the performance of IT strategy, operations and major IT projects. As the major focus of the organization M is on implementing IT projects in PakPSOs, performance measures and benchmarks to track and demonstrate success are mainly related to IT projects & operations instead of IT and business strategy in organizational context. However, the organization needs to improve this area by extending this practice to organizational context. |

8.5 Evaluation of the Framework

The framework was evaluated using the evaluation criteria described in section 3.3.4.1 of

chapter 3. The qualitative and quantitative response of the respondents was sought on six

criteria: 1) formal description to meet the need for no ambiguity, 2) definable activities

through understandability of the framework, 3) completeness of the framework to ensure no

additional activities are needed, 4) activities to be capable of implementation, 5) usability via

measuring ease of use, and 6) fit by measuring the usefulness of the framework in the

organization. The said criteria are considered to be useful to measure the effectiveness of the

framework (Nfuka & Rusu, 2013).

8.5.1 Respondents’ Profile in the Case Study

A total of 27 respondents participated in the interview process. The respondents' profile in

the case study for evaluating the proposed framework is shown in Table 8.4. Table 8.4 shows

that 20 respondents participated from IT management side and seven participated from

business management side. The representation of the respondents was also from three levels

of hierarchy: top management, middle management, and operational management. Seven

respondents represented top management, 11 represented middle management and nine

represented operational management. The representation of the respondents from different

groups and hierarchy levels provides triangulation which is considered imperative to reduce

bias for credible results.

Table 8.4: Respondents' profile in case study for evaluating the framework

| | Top management | Middle management | Operational management |
| --- | --- | --- | --- |
| IT management | Director General – 2; Joint Directors – 3 | Program Managers – 8 | Program Officers – 4; Project Coordinator – 1; Database Administrator – 1; Software Eng. – 1 |
| Business management | Director/Joint Director – 2 | Assistant Director – 2; Audit Officer – 1 | HR Officer/Coordinator – 2 |

8.5.2 Results of Qualitative Response

Qualitative response was sought through the interviews. The interview responses were

analyzed using content analysis and summarized suggestions were incorporated into the

proposed framework. Table 8.5 shows the summarized interview response and resultant

improvements in the proposed framework.

Page 194: Amanat Ali - prr.hec.gov.pk

179

Table 8.5: The summary of interview response on evaluation criteria and resultant improvements into the framework

| Evaluation criteria | Summarized interview response | Resultant improvements into the framework |
| --- | --- | --- |
| Formal description | Majority of the respondents declared the framework description nice. However, some argued that the framework layout should be changed to make it simpler. They suggested that the framework layout should be changed from grid form to circular form just like many other frameworks in the relevant literature. | The framework layout has been changed from grid form to circular form. |
| Understandability | Majority of the respondents agreed that the framework is understandable. However, some indicated that guidelines should be provided for the use of the framework. | Guidelines for the use of the framework have been incorporated as shown in Figure 9.2 of chapter 9. |
| Completeness of the framework | Majority of the respondents agreed that the framework is complete by all means. The guiding practices, activities, roles and IT resources are appropriate for the study environment. However, some emphasized that the framework should be subjected to continuous improvement. | The framework has been made subject to continuous improvement as indicated in Figure 9.2 of chapter 9. |
| Ease of use of the framework | Many respondents said that the framework is easy to use. However, some especially from business side highlighted the need to make it more user-friendly. | The framework has been made user-friendly by taking all possible measures as indicated above. |
| Usefulness of the framework | Most of the respondents declared the framework very useful because it provides high level tool for implementing, monitoring and evaluating IT governance initiatives in PakPSOs. | The framework proved to be useful for claimed objective but further motivation is required for its use in PakPSOs. |
| Implementable actions | Most of the respondents agreed that the framework is implementable. However, a few expressed their concerns regarding related knowledge, skills & competencies, management support, commitment of IT and business personnel and lack of IT facilities in some of the PakPSOs to implement it. | These concerns have been addressed through the practices and activities such as: Competitive IT professionals & IT governance awareness & training; Senior management involvement and support; IT/business communication and partnership; Benchmark and provide effective & efficient IT facilities in and across organizations. |

8.5.3 Results of Quantitative Response

The quantitative response was also sought on a five point Likert scale ranging from 1

(strongly disagree) to 5 (strongly agree). The mean score of the respondents against each

evaluation criterion is shown in Figure 8.2. The results show that the mean score is highest for

usefulness followed by formal description and understandability. The mean score is also

higher for implementable action. However, the mean score is relatively lower on ease of use.

This shows that the framework satisfies five of the six criteria of effectiveness well.

However, its ease of use in the study environment is rated lower than the other criteria.

Figure 8.2: Quantitative response on evaluation criteria

8.5.4 Quantitative Response on Implementation Aspects

Additionally, quantitative response was solicited on implementation aspects especially on

generality, complexity, required skills, ease of implementation, perceived cost of

implementation and applicability to public sector. The results are shown in Figure 8.3. The

results show that the mean score is higher for applicability to public sector followed by ease

of implementation. Moreover, the mean score is lower for perceived cost of implementation

followed by complexity and required skills. This shows that the proposed framework is

highly applicable to public sector with low perceived cost of implementation.

Figure 8.3: Quantitative response on implementation aspects

8.5.5 Accomplishment of the Seven Guidelines of Design Science Research

The proposed framework also satisfies the seven design science research guidelines

suggested by Hevner et al. (2004).

Guideline 1: Design as an artifact

This guideline has been followed by developing a method in the form of a framework to

facilitate effective IT governance implementation in PakPSOs. With this artifact, business/IT

management personnel would be able to recognize their roles and plan, apply and continually

improve IT governance implementation in their environment.

Guideline 2: Problem relevance

This guideline has been implemented by carefully identifying the research problem, i.e. IT

governance in PakPSOs is ineffective, and providing a technology-based solution to this

problem in the form of a framework.

Guideline 3: Design evaluation

This guideline has been regarded by evaluating the framework in a case study organization.

The evaluation results indicated that the framework is relevant, valuable and usable; thus it

could facilitate effective IT governance implementation in PakPSOs.

Guideline 4: Research contribution

This guideline has been adopted by providing the research contributions of this study. Contributions of this research to practice and theory are given in Chapter 9.

Guideline 5: Research rigor

This guideline has been satisfied by applying various research methods and data collection and analysis techniques. This also applies to the literature review to gain theoretical insights and to the interaction with the business environment for solution requirements.

Guideline 6: Design as a research process

This guideline has been fulfilled by using available means while satisfying applicable laws such as getting credentials to the study cases. Three iterations and the respective methods, empirical sources and data collection and analysis approaches have been applied systematically during the research process.

Guideline 7: Communication of research

This guideline has been fulfilled by publishing the results of this research study in reputable international journals. Three research papers have been published and are currently online, and one more has been submitted.

8.6 The Second Version of the Framework

The second version of the proposed framework, after incorporating the resultant improvements suggested by the interviewees, is shown in Figure 8.4. The associated set of activities, roles and IT resources to implement the practices is shown in Table 8.6.

Figure 8.4: Second version of the Framework

Table 8.6: Activities for practices with roles and IT resources

| Guiding practice | Activities | R* | S** |
|---|---|---|---|
| 1. IT/business communication and partnership | 1.1 Formalize viable IT/business communication and partnership practice | BT | IN |
| | 1.2 Convince IT/business management on IT/business partnership | EH | PP |
| | 1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives | EH | IN |
| | 1.4 Train/involve business personnel in IT initiatives and IT personnel in business imperatives | BH | IN |
| 2. Engagement of key stakeholders | 2.1 Identify key stakeholders and establish appropriate roles & responsibilities | BH | PP |
| | 2.2 Involve key stakeholders in IT/business plans preparation and implementation | EH | PP |
| | 2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives | EH | IN |
| | 2.4 Analyze and report the potential contribution of key stakeholders | BT | IN |
| | 2.5 Formalize virtual connection between IT and business practices and communities | EH | IN |
| 3. IT leadership | 3.1 Establish clear and top level mandate to lead IT transformation program | EH | PP |
| | 3.2 Encourage IT leadership on business imperatives and viable IT intervention | EH | PP |
| | 3.3 Convince business management on IT potential and contribution | ITH | PP |
| | 3.4 Develop focused IT leadership competencies | EH | PP |
| | 3.5 Develop confidence of senior management in IT leadership | ITH | PP |
| 4. Senior management involvement and support | 4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes | EH | PP |
| | 4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor | ITH | IN |
| | 4.3 Convince senior management to delegate viable negotiating authority | ITH | PP |
| | 4.4 Convince senior management to provide required resources for IT/business success | ITH | PP |
| | 4.5 Motivate senior management to use IT actively | ITH | PP |
| 5. Defined, aligned and cascaded IT and business strategies | 5.1 Involve IT/business personnel in strategic IT/business planning | EH | PP |
| | 5.2 Define and align IT goals with business goals | ITH | IN |
| | 5.3 Establish business aligned IT strategy, resources and operations | ITH | IN |
| | 5.4 Prioritize and align IT projects with business goals and imperatives | BT | AP |
| | 5.5 Incorporate IT effectively into required public sector reforms | BT | AP |
| | 5.6 Cascade IT strategy down to all levels of organization | EH | IN |
| 6. IT Structures for responsiveness and accountability | 6.1 Establish clear and appropriate IT roles and responsibilities | BH | PP |
| | 6.2 Establish the role of CIO or IT head to report directly to the executive head | EH | PP |
| | 6.3 Establish IT steering committee with balanced representation of IT/business executives | EH | PP |
| | 6.4 Establish IT project steering committee to prioritize and manage IT projects | BH | PP |
| | 6.5 Ensure shared understanding and active participation of committees | EH | PP |
| 7. Policies and guidelines for optimal acquisition and use of IT | 7.1 Establish transparent IT/business budget control and reporting | RH | IN |
| | 7.2 Ensure optimized IT investment, procurement and operational cost | ITH | IF |
| | 7.3 Ensure effective & efficient use of IT infrastructure & applications | ITH | IF |
| | 7.4 Formalize policies & guidelines for IT value creation and preservation | ITH | IF |
| | 7.5 Determine and implement required change management | BH | PP |
| | 7.6 Cascade and enforce IT policies & guidelines at all levels | EH | IN |
| 8. IT governance awareness and training | 8.1 Determine state and drivers of IT governance practices | ITH | PP |
| | 8.2 Determine and implement best practices for mindset change | ITH | PP |
| | 8.3 Adopt and undertake IT governance awareness and training for IT/business personnel | ITH | PP |
| | 8.4 Ensure compliance among employees through top management announcements | EH | PP |
| 9. Competitive IT professionals | 9.1 Attract, develop and retain skilled IT personnel for IT/business success | BH | PP |
| | 9.2 Develop broad IT competencies to manage IT resources | ITH | PP |
| | 9.3 Establish and motivate aligned IT/business innovation and practices | ITH | IN |
| | 9.4 Treat skilled IT professionals as working capital | BH | PP |
| 10. Standardized and managed IT infrastructure and applications | 10.1 Standardize, share and manage IT infrastructure & applications cost-effectively | ITT | IF |
| | 10.2 Define and manage SLAs effectively | ITH | IF |
| | 10.3 Benchmark and provide effective & efficient IT facilities in and across organizations | ITH | AP |
| | 10.4 Establish aligned research activities for innovative IT services | ITH | IN |
| 11. Performance measures and benchmarks | 11.1 Perform adequate analysis and evaluation of current and future use of IT | ITH | IN |
| | 11.2 Establish effective performance management strategy | BT | IN |
| | 11.3 Set and monitor IT/business oriented performance measures | BT | IN |
| | 11.4 Evaluate and demonstrate business value proposition of IT | ITH | IN |
| | 11.5 Assess IT governance performance and continually improve | ITH | IN |

*Role (R) – Executive Head (EH), Business Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)

**IT Resource (S) – Applications (AP), Information (IN), Infrastructure (IF), People (PP)

8.7 Discussion and Conclusion

The results presented in this chapter deal with the evaluation phase of the proposed framework. The first version of the proposed framework has been evaluated in one of the PakPSOs as a case study using the design science research approach. The purpose was to evaluate the framework in a real business setting. The quantitative and qualitative responses have been gathered from the case study organization against the pre-test evaluation criteria. The results indicated that the framework is useful for the study environment. However, the qualitative response also suggested some improvements to the first version of the framework. Consequently, these improvements have been incorporated into the framework, resulting in the second version of the framework. The second version of the framework is the final version of this study. However, further iterations and improvements could be introduced in the second version in future because a framework is always subject to continuous improvement.

Using design science elements and comprising effective IT governance practices and corresponding activities, roles and kinds of IT resources, the framework demonstrates a comprehensive view of IT governance. Both IT and business management personnel in PakPSOs are the intended users of the proposed framework. The proposed framework could enable effective IT governance implementation in PakPSOs, which could augment IT outcomes and ultimately improve public service delivery in this environment. This helped to partially achieve the fourth objective of this study i.e. RQ4: “To develop and evaluate a framework for effective IT governance implementation in PakPSOs”. The evaluation of the framework has been covered in this chapter whereas the development of the framework has been covered in Chapter 7.

8.8 Chapter Summary

In this chapter, the results of the evaluation phase of the proposed framework, with discussion and conclusion, have been provided in detail. The summary of important points of this chapter is as under:

• The proposed framework has been evaluated in one of the PakPSOs as a case study using the design science research approach against the pre-set evaluation criterion.

• The quantitative response indicated that the framework is useful.

• The qualitative response suggested minor improvements in the framework. Consequently, these improvements have been incorporated into the framework, resulting in the second version.

• The framework is well-harmonized with the working processes of the case study organization.

• The framework also satisfies the seven guidelines of the design science research.

• IT and business management personnel in PakPSOs can use this framework to recognize their roles and to plan, apply and continually improve IT governance implementation in their environment.

9 Conclusions, Contributions, Limitations and Recommendations

9.1 Chapter Objectives

This chapter provides the conclusions, contributions, limitations and recommendations of this study. It begins with the summary of the study. In the third section, the proposed IT governance implementation framework is described along with its key components. The fourth section compares the proposed framework with other frameworks in relevant literature and points out how it is different and better than the other frameworks. The fifth section provides the contributions of this study. The limitations and recommendations are given in the last section.

9.2 Summary of the Study

This research study has attempted to propose a framework to solve the problem of IT governance ineffectiveness in PakPSOs. The aims of the study are to determine and analyze the existing state of IT governance and to develop and evaluate a framework for effective IT governance implementation in PakPSOs. The objective is to augment the IT outcomes i.e. desirable behavior in PakPSOs. The research journey of this study has been completed in four phases after investigating the four research questions and achieving their four linked sub-objectives. The linkage of research problem, questions and objective is shown in Figure 1.1 of Chapter 1.

In research phase 1, the study has determined and analyzed the existing state of IT governance in the selected six PakPSOs in terms of maturity based on 15 most important and relevant IT processes of the COBIT framework and compared it with a developed country (Australia), a developing country (Tanzania) and the international public sector benchmark for learning, benchmarking and embracing best practices. The findings indicate that the average IT governance maturity of the studied PakPSOs is 2.24. The bottom side is at maturity level 1 (Initial/Ad-Hoc), which represents that PakPSOs recognize the existence of issues which need to be solved. However, the issues are not solved through standardized processes but through ad-hoc approaches which are adopted on an individual or case-by-case basis. The top side is at maturity level 2 (Repeatable but Intuitive) (with the exception of data management), which represents that processes are built up to the extent where different people executing the same tasks pursue similar procedures. It reveals the absence of formal training and communication of standard procedures in PakPSOs. There is a great dependence on individuals' knowledge. Therefore, errors are expected to occur. The findings also indicated that PakPSOs are relatively better in managing data, IT investment and IT projects and in defining strategic IT plans, but poorer in communicating management aims and directions, assessing and managing IT risks, monitoring and evaluating IT governance, acquiring and maintaining application software and managing changes. When PakPSOs were compared with other countries, the findings indicated that PakPSOs performed poorer than the developed country (Australia) and the international public sector benchmark. However, PakPSOs performed better than the developing country (Tanzania). This benchmark and other findings of this research phase could be useful for public managers in PakPSOs and similar environments to identify and improve weak areas and ultimately improve and sustain public service delivery. However, the purpose of this research phase is to gain an idea and understanding of the IT governance implementation status in PakPSOs, previously unidentified. This is crucial to understand the context of PakPSOs in order to conduct further research activities in this area. However, the results and findings of this phase are not used in the development and/or evaluation of the proposed IT governance implementation framework, which is the subject of the subsequent phases. Research phase 1 answered the first research question of this study and achieved its linked objective.

In research phase 2, the study has identified and analyzed the relevant IT governance practices in PakPSOs in terms of CSFs through a systematic literature review complemented with a multi-case study approach in the selected eight PakPSOs. The findings indicate that 12 IT governance practices were found to be relevant for PakPSOs. The identified practices are then logically harmonized into the five focus areas of IT governance (ITGI, 2007) and the three perspectives of IT-business alignment (Schlosser et al., 2012) to provide a holistic view of IT governance. Public managers in PakPSOs and similar environments can use the findings of this research phase to identify limited areas where focus can be given for success. Research phase 2 answered the second research question of this study and achieved its linked objective.

In research phase 3, the statistical effect of the practices identified in research phase 2 on IT outcomes in PakPSOs was then tested and analyzed by taking sample data from 104 personnel in PakPSOs and applying PLS-based SEM. The findings indicate that 11 IT governance practices out of 12 showed a small to moderate positive significant effect on one or more IT outcomes. The practice “IT/business communication and partnership” was found to be the most effective whereas the practice “IT structures for responsiveness and accountability” proved to be the least effective. Due to the relative importance of these practices, the public managers in PakPSOs and similar environments can use the findings of this research phase to prioritize limited resources to improve their IT related plans and ultimately improve and sustain public service delivery. The purpose of this phase is to validate the list of the practices for the basic building blocks of the proposed framework. Research phase 3 answered the third research question of this study and achieved its linked objective.

In research phase 4, the proposed IT governance implementation framework was developed and evaluated based on the validated set of practices of research phase 3. The framework was developed and evaluated using the design science research approach. The detail of the framework is given in the next section. Research phase 4 answered the fourth research question of this study and achieved its linked objective as well as the main objective of the study.

9.3 The Framework

In this section, the proposed framework with its elements is described in detail.

9.3.1 Background

This study has investigated IT governance in the PSOs of a developing country with relatively low human development, limited IT resources, inadequate related knowledge & competencies and underlying cultural constraints, and proposed a framework for effective IT governance implementation in this environment i.e. PakPSOs. The framework has been developed and evaluated using the design science research approach. The design science research approach is selected due to its association with behavioral science (Peffers et al., 2008). Design science research is used to develop and evaluate IT artifacts to solve known problems in organizations (Hevner et al., 2004). An IT artifact can be a construct, model, instantiation or method (Hevner et al., 2004). The researcher has selected a method in the form of a framework because a framework is an interconnected outline of specific elements that adopts a meticulous approach to attain a desired objective and is used as a guide which can be modified by adding and deleting elements when required (Business Dictionary, 2010). According to the design science research approach, a framework is iteratively built in two phases (Hevner et al., 2004): develop and evaluate. In iterations 1 & 2, the framework has been developed whereas in iteration 3, the framework was evaluated. The results indicate that the framework is useful and fulfils its claimed objectives.

The proposed IT governance implementation framework consists of the practices in terms of CSFs, activities (check points) to implement these practices, suitable roles and appropriate IT resources to execute the activities, the organizational strategies & policies, structures & systems, objectives & goals and the environment in which it ought to be implemented. As compared to the other frameworks from the relevant literature, the proposed framework covers not only the five focus areas of IT governance i.e. strategic alignment, value delivery, risk management, resource management and performance measurement but also the three perspectives of IT-business alignment i.e. human, social and intellectual perspectives. Both IT and business personnel in PakPSOs are the intended users of the framework. They can use this framework to identify their role for planning, implementing and continuously improving IT governance in their environment i.e. PakPSOs.

9.3.2 Elements of the Framework

The proposed framework consists of the following elements:

• Environment

• Organization

• IT governance focus areas and IT-business alignment perspectives

• Guiding practices

• Activities, roles and IT resources

9.3.2.1 Environment

The first element of the proposed framework is the environment. The environment is accounted as an important element of the framework because IT governance implementation depends on the context of the organizations and their geographical situation (Ribbers et al., 2002). For the current study, the researcher operationalised the environment as national level IT-related strategies & policies (Digital Pakistan Policy, 2017 and National IT Policy and Action Plan, 2001), E-government strategies, policies, regulation & infrastructure (E-government Strategy and Five Years Plan for Federal Government, 2005, E-government strategy, 2012, E-government strategy, 2015) and IT governance standards and best practices (COBIT, ITIL, ISO/IEC 38500 etc.) implemented to some extent in some of the PakPSOs.

9.3.2.2 Organization

The second element of the proposed framework is the organization in which it is evaluated. Although things may vary based on the type and nature of the organization and especially the services that it provides to the public, the framework is generally supposed to align and interact with its policies & strategies, goals, structures & systems for sustainable success. Therefore, for the current study, the researcher operationalised the organization as organizational policies & strategies, goals and structures & systems.

9.3.2.3 IT Governance Focus Areas and IT-business Alignment Perspectives

ITGI (2007) proposed five focus areas of IT governance i.e. strategic alignment, value delivery, risk management, resource management and performance measurement. Similarly, Schlosser et al. (2012) proposed three perspectives of IT-business alignment i.e. human, social and intellectual perspectives. Here is a brief description of each of the focus areas and IT-business alignment perspectives and their related guiding practices in the context of PakPSOs.

IT Governance Focus areas and related Guiding Practices

Strategic alignment - It is synonymous with IT strategy (ITGI, 2005). Strategic alignment ensures that IT strategy is aligned with organizational strategy, IT delivers against the strategy and IT investments are made in line with organizational objectives. It also ensures the strategic match of IT investments or projects with organizational objectives. The main focus of strategic alignment is on linking the organizational and IT strategy with services and projects. In the perspective of a developing country, PakPSOs have many concerns in this focus area. The practices to address these concerns include IT/business communication and partnership, engagement of key stakeholders, IT leadership, senior management involvement and support, defined, aligned and cascaded IT and business strategies and IT structures for accountability and responsiveness.

Value delivery and risk management - Value delivery ensures IT investment for significant return and adequate benefits from IT services. It also ensures the completeness, quality and security of IT services and that IT plans proceed on schedule. The main focus of value delivery is on optimizing costs and generating value of IT throughout the delivery cycle. Risk management involves analyzing and assessing IT risks, monitoring the efficiency of internal controls and implementing necessary mechanisms to minimize risks. It also deals with procedures to ensure transparency about the significant risks to the organization and a proactive risk management approach to create competitive advantage. It ensures information security against various threats. It insists on embedding risk management in the operation of the organization. The main focus of risk management is on embedding accountability to mitigate significant risks. PakPSOs have several concerns in these focus areas. The practices to address these concerns include policies, guidelines and processes to create and preserve IT value for cost-effective acquisition and use of IT across the organization.

Resource management - It involves high level direction for sourcing and management of IT resources. In the perspective of IT governance, resource management focuses on allocating and optimizing IT resources in association with organizational priorities. The major focus of resource management is on optimizing knowledge and infrastructure. PakPSOs have many concerns in this focus area. The practices to address these concerns include IT governance awareness and training, attracting, developing and retaining competitive IT professionals and standardized and managed IT infrastructure and applications.

Performance measurement - It relates to determining whether the IT organization has achieved the goals set by the top management. It deals with tracking and monitoring the implementation of IT strategies & policies and IT projects. It also involves the performance of processes, resources and service delivery. The major focus of performance measurement is on measuring IT performance through metrics. PakPSOs have many concerns in this focus area. The practices to address these concerns include tracking and demonstrating IT success and contribution to the business.

IT-business Alignment Perspectives and related Guiding Practices

Human Perspective - It deals with the characteristics of individuals such as knowledge, skills, leadership and attitude (Schlosser et al., 2012). PakPSOs have many concerns in this perspective. The practices to address these concerns include IT leadership, senior management involvement and support, IT governance awareness and training and competitive IT professionals. By focusing on these concerns and implementing related activities, PakPSOs can exploit and enhance human competencies and capabilities in their environment which are crucial for IT governance implementation success.

Social Perspective - It deals with relational, informal and cultural aspects (Schlosser et al., 2012). PakPSOs have many concerns in this perspective. The practices to address these concerns include IT/business communication and partnership and engagement of key stakeholders. By emphasizing these concerns and implementing related activities, PakPSOs can address and develop relational, informal and cultural constraints in their environment which are paramount for IT governance implementation success.

Intellectual Perspective - It deals with the end products and deliverables resulting from the work of individuals and groups of people (Schlosser et al., 2012). PakPSOs have many concerns in this perspective. The practices to address these concerns include defined, aligned and cascaded IT and business strategies, IT structures for responsiveness and accountability, policies and guidelines for cost effective acquisition and use of IT, standardized and managed IT infrastructure and applications and performance measures and benchmarks. By concentrating on these practices and implementing related activities, PakPSOs can utilize and improve intellectual capabilities and potential in their environment regarding structures, processes, knowledge management and core competencies etc.

9.3.2.4 Guiding Practices

The framework consists of 11 guiding practices. The description of each practice is given as follows.

Practice 1: IT/business Communication and Partnership

This practice deals with the strategic alignment focus area of IT governance and the social perspective of IT-business alignment. This practice can be implemented through four activities i.e. 1.1 “Formalize viable IT/business communication and partnership practice”, 1.2 “Convince IT/business management on IT/business partnership”, 1.3 “Develop shared understanding among IT/business personnel on IT/business goals and imperatives”, and 1.4 “Train/involve business personnel in IT initiatives and IT personnel in business imperatives”. Activity 1.1 is a more effective way to implement IT governance, for example through formal meetings between IT and business personnel and job rotation i.e. involving IT people in business tasks and business people in IT tasks. Activity 1.2 can be implemented through the viable intervention of the senior management and job co-location i.e. physically seating IT and business people close to each other. Activity 1.3 can be implemented by arranging formal and informal meetings among IT and business personnel and related workshops on achieving business objectives. Activity 1.4 can be implemented through cross training i.e. IT training of business personnel and business training of IT personnel.

Practice 2: Engagement of Key Stakeholders

This practice also deals with the strategic alignment focus area of IT governance and the social perspective of IT-business alignment. This practice can be implemented through five activities i.e. 2.1 “Identify key stakeholders and establish appropriate roles & responsibilities”, 2.2 “Involve key stakeholders in IT/business plans preparation and implementation”, 2.3 “Create shared understanding among key stakeholders on shared IT/business goals and imperatives”, 2.4 “Analyze and report the potential contribution of key stakeholders” and 2.5 “Formalize virtual connection between IT and business practices and communities”. Activity 2.1 can be implemented by performing a stakeholders' analysis with respect to their roles & responsibilities and needs & demands. This is also in accordance with stakeholder theory (Freeman, 1994), which emphasizes the need to engage inside and outside stakeholders. Activity 2.5 can be implemented by getting public feedback, including citizens', business and employees' feedback, through website, email and/or the emerging trend of social media.

Practice 3: IT Leadership

This practice deals with the strategic alignment focus area of IT governance and the human perspective of IT-business alignment. This practice can be implemented through five activities i.e. 3.1 “Establish clear and top level mandate to lead IT transformation program”, 3.2 “Encourage IT leadership on business imperatives and viable IT intervention”, 3.3 “Convince business management on IT potential and contribution”, 3.4 “Develop focused IT leadership competencies” and 3.5 “Develop confidence of senior management in IT leadership”. As competency is a mixture of knowledge, skills and behaviors that enables an individual to perform effectively in a job or circumstance (Kraiger et al., 1993), IT leadership competency must involve both IT and business competencies. These competencies are also required for awareness of IT potential and contribution from existing usage and new opportunities (Nfuka & Rusu, 2013). Activity 3.1 is more crucial and can be implemented by granting viable authority and control to IT leadership.

Practice 4: Senior Management Involvement and Support

This practice also deals with the strategic alignment focus area of IT governance and the human perspective of IT-business alignment. This practice can be implemented through five activities i.e. 4.1 “Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes”, 4.2 “Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor”, 4.3 “Convince senior management to delegate viable negotiating authority”, 4.4 “Convince senior management to provide required resources for IT/business success” and 4.5 “Motivate senior management to use IT actively”. Activity 4.1 can be implemented by incorporating the five key IT governance decisions suggested by Weill and Ross (2004), including IT investment and prioritization. Activity 4.2 is mainly related to public service delivery improvement and cost reduction due to the non-profit nature of the public sector. However, in some PakPSOs, activity 4.2 is also related to revenue generation.

Practice 5: Defined, Aligned and Cascaded IT and Business Strategies

This practice deals with the strategic alignment focus area of IT governance and intellectual

perspective of IT-business alignment. This practice can be implemented through six activities

i.e. 5.1 “Involve IT/business personnel in strategic IT/business planning”, 5.2 “Define and

align IT goals with business goals”, 5.3 “Establish business aligned IT strategy, resources and

operations”, 5.4 “Prioritize and align IT projects with business goals and imperatives”, 5.5

“Incorporate IT effectively into required public sector reforms”, and 5.6 “Cascade IT strategy

down to all levels of organization”. The activity 5.2 can be materialized through the use of

existing IT and business goals cascading map of COBIT (ITGI, 2007). The activity 5.6 can be

implemented through the use of web portals and senior management announcements. Senior

management announcements usually receive a great deal of attention throughout the

organization.

Practice 6: IT Structures for Responsiveness and Accountability

This practice also deals with the strategic alignment focus area of IT governance and

intellectual perspective of IT-business alignment. This practice can be implemented through

five activities i.e. 6.1 “Establish clear and appropriate IT roles and responsibilities”, 6.2

“Establish the role of CIO or IT head to report directly to the executive head”, 6.3 “Establish

IT steering committee with balanced representation of IT/business executives”, 6.4 “Establish

IT project steering committee to prioritize and manage IT projects” and 6.5 “Ensure shared

understanding and active participation of committees”. The activity 6.3 can be materialized

by involving both IT and business personnel in IT steering committee. IT steering committee

should be chaired by the executive head. Similarly, for activity 6.4, IT project committee

should be chaired by the relevant business head. This results in responsive and accountable

IT structures to promote IT enabled business applications' acceptance and sustainability.

Practice 7: Policies and Guidelines for Optimal Acquisition and Use of IT

This practice deals with the value delivery and risk management focus areas of IT governance

and intellectual perspective of IT-business alignment. This practice can be implemented

through six activities i.e. 7.1 “Establish transparent IT/business budget control and

reporting”, 7.2 “Ensure optimized IT investment, procurement and operational cost”, 7.3

“Ensure effective & efficient use of IT infrastructure & applications”, 7.4 “Formalize policies

& guidelines for IT value creation and preservation”, 7.5 “Determine and implement required

change management”, and 7.6 “Cascade and enforce IT policies & guidelines at all levels”.

The activity 7.2 can be materialized by paying special attention to optimize procurement and

acquisition in line with PPRA rules and sharing IT resources effectively. The activity 7.4 can

be implemented by concentrating not only on value creation but also preservation i.e.

embedding accountability to mitigate risks.

Practice 8: IT Governance Awareness and Training

This practice deals with the resource management focus areas of IT governance and human

perspective of IT-business alignment. This practice can be implemented through four

activities i.e. 8.1 “Determine state and drivers of IT governance practices”, 8.2 “Determine

and implement best practices for mindset change”, 8.3 “Adopt and undertake IT governance

awareness and training for IT/business personnel” and 8.4 “Ensure compliance among

employees through top management announcements”. Due to the existing state of IT governance

in PakPSOs, the activity 8.1 provides more focused awareness and training. Hence, it

contributes more to improving IT governance in this environment. The activity 8.2

is more critical in a bureaucratic environment. The same can be implemented by

demonstrating IT contribution especially to business personnel.

Practice 9: Competitive IT Professionals

This practice also deals with the resource management focus areas of IT governance and

human perspective of IT-business alignment. This practice can be implemented through four

activities i.e. 9.1 “Attract, develop and retain skilled IT personnel for IT/business success”,

9.2 “Develop broad IT competencies to manage IT resources”, 9.3 “Establish and motivate

aligned IT/business innovation and practices”, and 9.4 “Treat skilled IT professionals as

working capital”. The activity 9.1 can be implemented by providing competitive market-

based salaries and other incentives to IT professionals. The activity 9.2 can be materialized

through successful IT business strategies considering both IT and business related

competencies.

Practice 10: Standardized and Managed IT Infrastructure and Applications

This practice deals with the resource management focus areas of IT governance and

intellectual perspective of IT-business alignment. This practice can be implemented through

four activities i.e. 10.1 “Standardize, share and manage IT infrastructure & applications cost-

effectively”, 10.2 “Define and manage SLAs effectively”, 10.3 “Benchmark and provide

effective & efficient services in and across organizations” and 10.4 “Establish aligned

research activities for innovative IT services”. The activity 10.1 is crucial due to the

expanding IT infrastructure and increased number of IT applications in PakPSOs. The same

should be implemented by establishing cloud computing opportunity for PakPSOs. The

activity 10.3 can be implemented using innovative web and/or mobile-based applications due

to the escalating use of Internet and mobile throughout the country.

Practice 11: Performance Measures and Benchmarks

This practice deals with the performance measurement focus areas of IT governance and

intellectual perspective of IT-business alignment. This practice can be implemented through

five activities i.e. 11.1 “Perform adequate analysis and evaluation of current and future use of

IT”, 11.2 “Establish effective performance management strategy”, 11.3 “Set and monitor

IT/business oriented performance measures”, 11.4 “Evaluate and demonstrate business value

proposition of IT”, and 11.5 “Assess IT governance performance and continually improve”.

The activity 11.1 can be materialized by performing requirement/need analysis and setting

targets. The activity 11.3 can be materialized through the use of BSC that measures

performance beyond the conventional accounting measures and focuses on four perspectives:

corporate contribution, customer, internal processes and skills & innovation. The BSC

approach is more suitable for PSOs due to the “best” value nature of public sector instead of

“profit” nature. The activity 11.4 can be applied in the perspective of cost reduction and

public service delivery improvement and activity 11.5 can be materialized through the use of

Weill and Ross (2004) method that measures IT governance using four items or KPIs of

strategic IT projects.

9.3.2.5 The Activities, Roles and IT Resources

The practices provide only the high level view of IT governance. These provide no guidance

on how to implement the relevant actions to meet the claimed objective of the framework. To

ensure that the relevant actions are implemented, activities (checkpoints) have been

introduced in the proposed framework. Each practice is implemented through a set of

activities. There are 53 activities for 11 guiding practices (four to six activities for each

practice). Each activity is executed by a suitable role and uses an appropriate IT resource. There

are six roles and four types of IT resources. Roles include Executive Head (EH), Business

Head (BH), Business Team (BT), IT Head (ITH), IT Team (ITT), Regulations Head (RH)

and IT resources include Applications (AP), Information (IN), Infrastructure (IF), People

(PP). The proposed framework provides a suitable role to perform each activity and IT

resources to execute each activity.

9.4 Implementation Considerations

This section provides guidelines for using the framework, i.e. where to start and where to end. A

supplementary survey was conducted in iteration 2 during the development phase. The

respondents were requested to rank 11 guiding practices with respect to their implementation

order based on the state and application of IT governance in their respective organizations.

The results suggested that “IT leadership” should be implemented first and “performance

measures and benchmarks” last. The results are shown in Figure 9.1. Some guiding

practices were ranked equally. In conclusion, the process resulted in six steps as priority

consideration in using the framework.

These steps are as under:

1. Demonstrate IT leadership

2. Establish IT structures

3. Define, align and cascade IT and business strategies

4. Establish policies and guidelines for optimal acquisition and use of IT

5. Standardize and manage IT infrastructure and applications

6. Develop benchmarks, measure and monitor performance and ensure continuous

improvement.

These steps were also supported by the qualitative responses. For instance, the first step was

supported due to the need for IT leadership in the bureaucratic environment of PakPSOs. The six

steps were also made part of the evaluation process in iteration 3 in which the respondents

generally confirmed them as being the right priority steps in implementation. The six-step

process for priority consideration in using the framework is shown in Figure 9.2.

Figure 9.1: Ranked guiding IT governance practices (1st and last)

[Figure not reproduced. Axis label: Frequency; legend: 1st, Last (11th).]

Figure 9.2: Priority consideration in using the framework

9.5 Comparison of the Proposed IT Governance Framework with Generic

Frameworks

Table 9.1 shows the comparison of the proposed framework with the other frameworks in the

relevant literature. The comparison is made on implementation aspects. It shows that the

proposed framework is a better choice than the others, especially in terms of generality (low),

complexity (low), skills required for implementing the framework (low), ease of

implementation (high), perceived cost of implementation (low), focus on CSFs (high) and

applicability to the public sector (high). This shows that the proposed framework is a good

substitute for generic frameworks, especially in an environment with limited resources and

related competencies.

Table 9.1: Comparison of the proposed framework with generic frameworks

| Implementation aspect | COBIT | ITOMAT | ITIL | ISO/IEC 38500 | dFogIT | SAM | BSC | The proposed framework |
|---|---|---|---|---|---|---|---|---|
| Major focus | IT control & audit | IT control & audit | IT service management | Evaluate-Direct-Monitor the use of IT | Evaluate-Direct-Monitor the use of IT | Strategic alignment | Corporate performance | Augment the IT outcomes |
| Composition | 5 domains and 37 processes | 4 domains and 34 processes | 5 phases | 6 principles | 4 layers | 4 domains | 4 perspectives | 11 CSFs |
| Governance | Strong link | Strong link | Weak link | Strong link | Strong link | Moderate link | Moderate link | Strong link |
| Strategic use of IT | High support | Medium support | Low support | High support | High support | High support | High support | High support |
| Generality | High | High | High | High | High | High | Medium | Low |
| Complexity | High | Medium | Medium | High | High | Medium | Medium | Low |
| Required skills | High | Low | Medium | High | High | High | Medium | Low |
| Ease of implementation | Low | Low | Medium | Low | Low | Low | Medium | High |
| Perceived cost of implementation | High | Medium | Medium | Medium | Medium | Medium | Medium | Low |
| Focus on CSFs | Limited | No | Limited | No | No | No | No | High |
| Applicability to public sector | Low | Medium | Medium | Low | High | Low | Low | High |

9.6 Application of the Framework in the Context of PSOs in a Developing

Country

The IT context of public sector organizations (PSOs) in a developing country is generally

characterized by low human development, limited IT resources, inadequate related

knowledge & competencies and cultural constraints. Many process-based IT governance

standards and frameworks such as COBIT, ISO/IEC 38500 and dFogIT are available and

considered best practices for implementing IT governance in organizations. However,

these frameworks are very generic, complex and expensive due to which organizations may

deem the practice daunting and unattainable (Zhang & Le Fever, 2013). Therefore, a

framework which is less complex, inexpensive and easy to use for both IT and management

personnel is required in this environment.

The proposed framework has been developed based on the critical success factors (CSFs),

which are a limited number of areas where focus can be given for success, given the limited

resources and other constraints mentioned above. The CSFs approach is comparatively less

complex and less expensive than the process-based approach but has more contextual

relevance and suits the PSOs in a developing country (Nfuka & Rusu, 2013). The CSFs

were first operationalised in eight Pakistani public sector organizations (PakPSOs) through

a multi-case study approach, which made them context specific, and then validated by taking

sample data throughout the PakPSOs. Moreover, the activities for each of the CSFs, the roles

to implement the activities and the IT resources to execute the activities were also

operationalised in PakPSOs through qualitative and quantitative opinions, which

also made them context specific. In this way, the framework is contextual in nature and

highly relevant to the context of the PSOs in a developing country. However, due to many

underlying similarities and commonalities among the structures & systems and working

procedures of PSOs in developing countries and developed countries, the framework may

also be useful for PSOs in developed countries. This can be considered as the strength of this

framework. In other words, specifically, the proposed framework has contextual relevance to

the PSOs in a developing country and generically, its application can be extended to the PSOs

of developed countries.

In the perspective of IT governance, there are several areas where the PSOs in developing

countries are generally considered poorer than the PSOs in developed countries. However,

the proposed framework contributes to the improvement of mainly five areas in the PSOs in a

developing country: better decision-making, enhancing IT projects efficiency & effectiveness

(IT project management), improving public service delivery, creating IT governance

awareness, and increasing accountability and transparency.

Decision-making- The PSOs in a developing country are usually poor in decision-making and

mutual understanding between business management and IT personnel to plan, implement

and monitor IT enabled business applications and infrastructure (Qaisar & Khan, 2010; Kundi

et al., 2008). The proposed framework provides a suitable specific role (person accountable

and responsible for decision-making) to each activity of the guiding IT governance practices.

In this way, the proposed framework enables better decision-making throughout the IT

investment life cycle in these organizations. This is evident from role (R) column of Table

8.6.

IT Project Management- Most of the IT initiatives in the PSOs of a developing country are

implemented in the form of e-government projects which are usually strategic IT projects.

However, these IT projects often face the risks of being over budget, behind schedule or

even being abandoned. The proposed framework enables these projects to be prioritized and

aligned with business goals and imperatives and to remain on track with concrete IT value

and deliverables. This is evident from activity 5.4 of Table 8.6.

Public Service Delivery- Public service delivery in the PSOs of a developing country is

usually poor in terms of quality and method of delivery as compared to the PSOs in

developed countries. The proposed framework helps to improve public service delivery and

recommends new and innovative ways of public service delivery in these organizations. This

is evident from activities 10.3 and 10.4 of Table 8.6.

IT Governance Awareness- This practice refers to the campaigns to clarify the need of IT

governance to business and IT people (De Haes & Van Grembergen, 2009). In the context of

lower IT knowledge and culture (a developing country), Nfuka and Rusu (2010) refer to this

practice as mindset change and competency improvement. This practice is more crucial in the

PSOs of a developing country due to political influence and bureaucratic hurdles in this

environment. The proposed framework helps to create IT governance awareness which is

evident from activities 8.1 to 8.4 of Table 8.6.

Accountability and Transparency- The PSOs in developing countries are often affected by

low institutional capacity, limited involvement of stakeholders, high level of corruption and

high level of informality which obstruct their decision-making, control and accountability

(Mimba et al., 2007). The proposed framework assists these organizations to enhance

accountability and transparency in their environment which is one of the objectives of IT

governance (ITGI, 2007). This is evident from activity 7.1 of Table 8.6.

9.7 Contributions

The outcomes of this research contribute to the practice and theory in several ways. The

major contribution of the research is the original investigation of IT governance in PakPSOs,

previously unexplored, in the perspective of a developing country. Based on this

investigation, the study develops and evaluates a framework for effective IT governance

implementation in PakPSOs. The guiding practices of the framework could help the public

managers in PakPSOs and similar environments in a number of ways. By involving senior

management, engaging key stakeholders and building IT/business collaboration, they can

prioritize IT resources and ensure optimal use of IT in an environment with scarce resources.

By aligning IT strategies with business strategies and enabling structures, they can

incorporate and integrate IT into PakPSOs to improve public service delivery. By

consolidating and communicating IT governance related policies and guidelines, they can

change, control and enforce policies, strategies and decisions to perform IT enabled functions

more effectively. By providing IT governance awareness and attracting, developing and

retaining competitive IT professionals and IT leadership, they can strengthen and sustain

required IT competencies to standardize and harmonize IT infrastructure and applications

cost-effectively. By setting IT and business oriented performance measures and benchmarks,

they can demonstrate success and enable IT contribution for continuous business

improvement. Theoretically, the study adds much into the existing body of knowledge and

provides several implications for academicians and future researchers.

9.7.1 Contribution to Practice

This study makes a number of contributions from practitioners' point of view. First, the study

benchmarks PakPSOs with a developed country (Australia), a developing country (Tanzania)

and the international public sector benchmark. This benchmark can help the public managers

in PakPSOs to identify and improve weak areas and ultimately improve and sustain public

service delivery. Second, the study presents a comprehensive examination of effective IT

governance practices in terms of CSFs. These CSFs can help the public managers in

PakPSOs and similar environments to use the limited areas where focus can be given for success.

Third, the study validates a statistical effect of IT governance CSFs on IT outcomes in

PakPSOs in terms of task, organizational and public outcomes of strategic IT projects. By

understanding the relative importance of CSFs, public managers and decision-makers in

PakPSOs and other developing countries can improve their IT-related plans and prioritize

limited resources accordingly to improve and sustain public service delivery in their

respective organizations. The study also develops an understanding of organizational and

public value of strategic IT projects and suggests that the public managers should look into

the meaningful benefits that these projects provide to various stakeholders in addition to

timely and within budget delivery of these projects. The fourth contribution of the study is the IT

governance implementation framework. Using design science elements and comprising

effective IT governance practices and corresponding activities, roles and kind of IT resources,

the framework demonstrates a comprehensive view of IT governance by enabling both IT and

business management personnel to recognize the effective practices and individual roles for

planning, implementation and continuous improvement of IT governance. The framework not

only covers the five focus areas of IT governance but also covers the three perspectives of IT-

business alignment, which are lacking in previous studies. This research also creates and

enhances the awareness of IT governance in PakPSOs. The findings of this research study

could also be used by the policymakers to improve the ongoing strategies for successful

incorporation and integration of IT into PakPSOs.

9.7.2 Contribution to Theory

This study also contributes to the existing body of knowledge from theoretical and

academicians' point of view. First, the study fills the theoretical gap in the literature by

explaining IT governance in the perspective of CSFs approach proposed by Rockart (1979)

instead of traditional approach of structures, processes and relational mechanisms (De Haes

& Van Grembergen, 2009). Previously, CSFs approach has been adopted in various

management fields but in the field of IT governance, only few studies have used this

approach to identify and validate the discrete lists of CSFs. However, no study has adopted a

holistic approach to investigate CSFs in five focus areas of IT governance and three

perspectives of IT-business alignment simultaneously. This study provides a holistic view of

IT governance by not only focusing on five focus areas of IT governance but also covering

the three aspects of IT-business alignment. Second, the study adds a validated list of effective

IT governance practices in terms of CSFs in the context of PSOs in a developing country to

the existing knowledge base. In this way, the study enhances the scope of IT governance

practices in the context of PSOs in a developing country. Third, the study contributes to the

existing literature through a new way of measuring strategic IT projects success in terms of

task outcomes, organizational outcomes and public outcomes instead of traditional measures

of project success (scope, time and quality criteria). No previous study has applied this

holistic and meaningful criterion to assess strategic IT projects success. Fourth, the proposed

framework as a novelty of this research is a new addition in the existing knowledge base.

Using design science research approach for framework development and evaluation process,

the study provides a new IT artifact in the form of framework that can be further investigated

by the future researchers for continuous improvement. The findings of the study also

strengthen the existing IT governance frameworks like COBIT, ITIL and ISO/IEC 38500 etc.

Using the findings of this study, the generic frameworks can also be updated and amended for

special versions for the PSOs in developing countries. Therefore, the knowledge developed

from this study advances the theories of IT management and information system

management. The study also provides new avenues for future researchers. Future researchers

can explore new IT governance practices or use the existing framework for its statistical

validation. They can include more organizations and more countries to enhance the

generalisability of the research findings of this study.

9.8 Limitations and Recommendations

Even though the research has been carried out carefully and professionally, there are a

number of limitations which are important to mention at this stage. These limitations may be

addressed through future research. These limitations and corresponding recommendations for

future research are as under:

IT governance practices- As mentioned in this study, IT governance practices are confined to

the CSFs of effective IT governance. There could be many more IT governance practices that

lead towards effective IT governance implementation, for example, portfolio management,

knowledge management and benefit management & reporting etc. However, it is not possible

to include all such practices in one study. Therefore, one should be careful while interpreting

the term “IT governance practices”. Thus, there is much scope for more research with more

IT governance practices. Future research may extend the scope of IT governance practices in

the perspective of developing countries and may involve, test and validate more practices

depending on their study environment.

Sample size and frame- This study used a reasonable sample size in its various research

phases but was confined to one developing country (Pakistan) and one sector (public sector). A

number of studies used even smaller sample sizes than this study and were also confined to one

country and one sector. Although this does not affect the reliability of the results, the

scope can always be extended by including more countries and larger sample size. Future

researchers should involve more countries and greater sample size because such

considerations will increase the generalisability of results to PSOs of developing countries

and resultantly improve the framework.

Validation of results- This study has been conducted in four phases. The research phase 3

is mainly quantitative and confirmatory in nature. Therefore, the results of research phase 3

have been validated through statistical tests. The research phase 4 is related to the

development and evaluation of the proposed framework using design science research

approach. It has been developed based on the results of research phases 2 & 3, relevant

literature consultation and qualitative and quantitative opinions and experiences of the

respondents in PakPSOs. Therefore, this has not been validated statistically due to the design

of the research. Moreover, the time to conduct the required research to validate the proposed

framework could be more than five years. Thus, this longer time period is a strong hindrance

for the researcher. Future researchers could consider this aspect and validate the framework

in the PSOs of developing countries while carrying out research on IT governance

implementation in these organizations.

References

Aasi, P., Rusu, L., & Han, S. (2014). Culture Influence on IT Governance: What We have Learned? International Journal of IT/Business Alignment and Governance, 5 (1), 34-49.

Agarwal, N., & Rathod, U. (2006). Defining 'Success' for Software Projects: An Exploratory Revelation. International Journal of Project Management, 24, 358-370.

Agerfalk, P. J., & B. F. (2006). Flexible and Distributed Software Processes: Old Petunias in New Bowls? Communications of the ACM, 49 (10), 26-34.

Aggarwal, H. (2010). Critical Success Factors in IT Alignment in Public Sector Petroleum Industry of India. International Journal of Innovation, Management and Technology, 1 (1), 56-63.

Al Qassimi, N., & Rusu, L. (2015). IT Governance in a Public Organization in a Developing Country: A Case Study of a Governmental Organization. Procedia Computer Science, 64, 450-56.

Aladwani, A. M. (2002). An Integrated Performance Model of Information Systems Projects. Journal of Management Information Systems, 19 (1), 187-212.

Ali, S., & Green, P. (2009). Effective Information Technology (IT) Governance Mechanisms: An IT Outsourcing Perspective. Information Systems Frontiers, 14 (2), 179-193.

Ali, S., & Green, P. (2007). IT Governance Mechanisms in Public Sector Organisations: An Australian Context. Journal of Global Information Management, 15 (4), 41-63.

Allassani, W. (2013). The Impact of IT Governance on IT Projects: The Case of the Ghana Rural Bank Computerization and Inter-connectivity Project. Journal of Information Systems and Technology Management, 10 (2), 271-286.

Alqahtani, A. S. (2017). Critical Success Factors In Implementing ITIL in the Ministry of Education in Saudi Arabia: An Exploratory Study. International Journal of Advanced Computer Science and Applications, 8 (4), 230-240.

Alreemy, Z., Chang, V., Walters, R., & Wills, G. (2016). Critical Success Factors (CSFs) for Information Technology Governance (ITG). International Journal of Information Management, 36 (6), 907-916.

Alvesson, M., & Deetz, S. (2000). Doing Critical Management Research. London: SAGE PUBLICATIONS.

Anand, M., Sahay, B. S., & Saha, S. (2005). Balanced Scorecard in Indian Companies. VIKALPA, 30 (2), 11-25.

Andersen, K. N., Henriksen, H. Z., Medaglia, R., Danziger, J. N., Sannarnes, M. K., & Enemærke, M. (2010). Fads and Facts of E-Government: A Review of Impacts of E-government (2003–2009). International Journal of Public Administration, 33 (11), 564-579.

Antony, J., & Fergusson, C. (2004). Six Sigma in the Software Industry: Results from a Pilot Study. Managerial Auditing Journal, 19 (8), 1025-1032.

Avison, D., Jones, J., Powell, P., & Wilson, D. (2004). Using and Validating the Strategic Alignment Model. The Journal of Strategic Information Systems, 13 (3), 223-246.

Avital, M., & Vandenbosch, B. (2002). Ownership Interaction: A Key Ingredient of Information Technology Performance. Sprouts: Working Papers on Information Environments, Systems and Organizations, Case Western Reserve.

Bakari, J. K. (2007). A Holistic Approach for Managing ICT Security in Non-Commercial Organizations: A Case in a Developing Country. Unpublished Doctoral Thesis. Stockholm University.

Beath, C. (1991). Supporting the Information Technology Champion. MIS Quarterly, 15 (3), 355-373.

Beaumaster, S. (2002). Local Government IT Implementation Issues: A Challenge for Public Administration. Proceedings of the 35th Hawaii International Conference on System Sciences.

Belassi, W., & Tukel, O. I. (1996). A New Framework for Determining Critical Success/failure Factors in Projects. International Journal of Project Management, 14 (3), 141-152.

Benbasat, I., & Zmud, R. W. (2003). The Identity Crisis within the IS Discipline: Defining and Communicating the Discipline's Core Properties. MIS Quarterly, 27 (2), 183-194.

Benbasat, I., Goldstein, D. K., & Mead, M. (1987). The Case Research Strategy in Studies of Information Systems. MIS Quarterly, 11 (3), 369-386.

Bermejo, P. H., Tonelli, A. O., Zambalde, A. L., Santos, P. A., & Zuppo, L. (2014). Evaluating IT governance practices and business and IT outcomes: A quantitative exploratory study in Brazilian companies. Procedia Technology, 16, 849-857.

Bharadwaj, A. (2000). A Resource-based Perspective on Information Technology Capability and Firm Performance: An Empirical Investigation. MIS Quarterly, 24 (1), 69-96.

Bianchi, I. S., & Sousa, R. D. (2016). IT Governance Mechanisms in Higher Education. Procedia Computer Science, 100, 941-946.

Bird, F. (2001). Good Governance: A Philosophical Discussion of the Responsibilities and

Practices of Organizational Governors. Canadian Journal of Administrative Sciences , 18

(4), 298-312.

Black, K. (2010). Business Statistics: Contemporary Decision Making (6 ed.). John Wiley &

Sons.

Boehm, B. (1991). Software Risk Management: Principles and Practices. IEEE Software , 8

(1), 32-41.

Bollen, K. A., & Long, J. S. (1993). Testing Structural Equation Models (1 ed.). SAGE

PUBLICATIONS.

Bouchard, T. J. (1976). Unobtrusive Measures: An Inventory of Uses. Sociological Methods

& Research , 4 (3), 267-300.

Bowen, P. L., Cheung, M.-Y. D., & Rohde, F. H. (2007). Enhancing IT Governance

Practices: A Model and Case Study of an Organization's Efforts. International Journal of

Accounting Information Systems , 8, 191-221.

Boyne, G. A. (2002). Public and Private Management: What's the Difference? Journal of

Management Studies , 39, 97-122.

Brandtner, P., Helfert, M., Auingera, A., & Gaubinger, K. (2015). Conducting Focus Group

Research in a Design Science Project: Application in Developing a Process Model for the

Front End of Innovation. Systems, Signs & Actions , 9 (1), 26-55.

Brewer, M. (2000). Research Design and Issues of Validity. In H. T. Reis, & C. M. Judd,

Handbook of Research Methods in Social and Personality Psychology. Cambridge

University Press.

Brown, A. E., & Grant, G. G. (2005). Framing the Frameworks: A Review of IT Governance

Research. Communications of the Association for Information Systems , 15, 696-712.

Brown, C. V. (1997). Examining the Emergence of Hybrid IS governance Solutions:

Evidence from a Single Case Site. Information Systems Research , 8 (1), 69-95.

Brown, C. V., & Magill, S. L. (1998). Reconceptualizing the Context-Design Issue for the

Information Systems Function. Organization Science , 9 (2), 176-194.

Bryman, A. (2006). Qualitative Research , 6 (1), 97-113.

Bünten, S., Joshi, A., De Haes, S., & Van Grembergen, W. (2014). Understanding the

Association between IT Governance Maturity and IT Governance Disclosure.

International Journal of IT/Business Alignment and Governance (IJITBAG) , 5 (1), 16-33.

Caiden, N., & Wildavsky, A. B. (1980). Planning and Budgeting in Poor Countries.

Transaction Publisher.

Campbell, D. T., & Fiske, D. W. (1959). Convergent and Discriminant Validation by the

Multitrait-multimethod Matrix. Psychol Bull , 56 (2), 81-105.

Campbell, J., McDonald, C., & Sethibe, T. (2010). Public and Private Sector IT Governance:

Identifying Contextual Differences. Australasian Journal of Information Systems , 16 (2).

Cartlidge, A. C., Hanna, A. H., Rudd, C., Macfarlane, I., Windebank, J., & Rance, S. (2007).

An Introductory Overview of ITIL V3. The UK Chapter of the itSMF.

Caudle, S. L., Gorr, W. L., & Newcomer, K. E. (1991). Key Information Systems

Management Issues for the Public Sector. MIS Quarterly , 15 (2), 171-188.

Chen, D. Q., Mocker, M., Preston, D. S., & Teubner, A. (2010). Information System

Strategy: Reconceptualization, Measurement, and Implications. MIS Quarterly , 34 (2),

233-259.

ChePa, N., Jnr, B. A., Haizan Nor, R. N., & Masrah, M. A. (2015). Risk Assessment of IT

Governance: A Systematic Literature Review. Journal of Theoretical and Applied

Information Technology , 71 (2), 18-193.

CIPFA and IFAC. (2013). Good Governance in the Public Sector-Consultation Draft for an

International Framework. Retrieved from

http://www.ifac.org/system/files/publications/files/Good-Governance-in-the-Public-

Sector.pdf

Clementi, S., & Carvalho, T. C. (2006). Methodology for IT Governance Assessment and

Design. In R. Suomi, R. Cabral, J. F. Hampe, A. Heikkilä, J. Järveläinen, & E.

Koskivaara (Eds.), Project E-Society: Building Bricks (Vol. 226, pp. 189-202). IFIP

Advances in Information and Communication Technology.

Cohen, J. (1988). Statistical Power Analysis for the Behavioural Sciences (2 ed.). Lawrence

Erlbaum Associates.

Coltman, T., Tallon, P., Sharma, R., & Queiroz, M. (2015). Strategic IT Alignment: Twenty-

five Years on. Journal of Information Technology , 30 (2), 91-100.

Cook, T. D., & Campbell, D. (1979). Quasi-experimentation: Design and Analysis Issues for

Field Settings. Chicago: Rand McNally College Publishing Company.

Cooper, D. R., & Schindler, P. S. (2006). Marketing Research. New York:

McGrawHill/Irwin.

Creswell, J. W. (2009). Research Design: Qualitative, Quantitative and Mixed Methods

Research Approaches (3 ed.). SAGE Publications.

Cross, N. (2001). Designerly Ways of Knowing: Design Discipline versus Design Science.

Design Issues , 17 (3), 49-55.

Csaszar, F., & Clemons, E. (2006). Governance of the IT Function: Valuing Agility and

Quality of Training, Cooperation and Communications. In Proceedings of the 39th

Hawaii International Conference on System Sciences.

Dahlberg, T., & Lahdelma, P. (2007). IT Governance Maturity and IT Outsourcing Degree:

An Exploratory Study. In Proceedings of the 40th Annual Hawaii International

Conference on System Sciences.

Dahlbom, B. (1996). The New Informatics. Scandinavian Journal of Information Systems , 8

(2), 29-48.

Davis, F. D. (1989). Perceived Usefulness, Perceived Ease of Use, and User Acceptance of

Information Technology. MIS Quarterly , 13 (3), 319-340.

Dawes, S. S., Pardo, T. A., Simon, S., Cresswell, A. M., LaVigne, M. F., Andersen, D. F., et

al. (2004). Making Smart IT Choices: Understanding Value and Risk in Government IT

Investments (2 ed.). Center for Technology in Government.

Dawson, G. S., Denford, J. S., Williams, C. K., Preston, D., & Desouza, K. (2016). An

Examination of Effective IT Governance in the Public Sector Using the Legal View of

Agency Theory. Journal of Management Information Systems , 33 (4), 1180-1208.

De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance

Implementations and its Impact on Business/IT Alignment. Information Systems

Management , 26 (2), 123-137.

De Haes, S., & Van Grembergen, W. (2008). An Exploratory Study into the Design of an IT

Governance Minimum Baseline through Delphi Research. Communications of the

Association of the Information Systems , 22 (24), 443-458.

De Haes, S., & Van Grembergen, W. (2006). Information Technology Governance Best

Practices in Belgian Organisations. Proceedings of the 39th Hawaii International

Conference on System Sciences.

De Maere, K., & Kutzschenbach, M. v. (2017). CIO Perspectives on Organizational Learning

within the Context of IT Governance. International Journal of IT/Business Alignment and

Governance (IJITBAG) , 8 (1), 32-47.

Debreceny, R., & Gray, G. L. (2009). IT Governance and Process Maturity: A Field Study.

Proceedings of the 42nd Hawaii International Conference on System Sciences.

Dickinson, R. A., Ferguson, C. R., & Sircar, S. (1984). Critical Success Factors and Small

Business. American Journal of Small Business , 8 (3), 49-57.

Dintrans, P., Anand, A., Ponnuveetil, M., & Vijayakrishnan, J. (2013). Maximizing Business

Value Through Effective IT Governance. Retrieved 12 31, 2013, from

http://www.cognizant.com: http://www.cognizant.com/InsightsWhitepapers/Maximizing-

Business-Value-Through-Effective-IT-Governance.pdf

EGD. (2005). E-Government Strategy and 5-Year Plan for the Federal Government.

Retrieved 05 10, 2011, from http://202.83.164.28:9080/egdsite05/downloads/E-

Government%20Strategy%20and%205-Year%20Plan%20(19[1].06.2005).pdf

Ein-Dor, P., & Segev, E. (1978). Organizational Context and the Success of Management

Information Systems. Management Science , 24 (10), 1064-1077.

Eisenhardt, K. M. (1989). Building Theories from Case Study Research. Academy of

Management Review , 14 (4), 532-550.

Elephant, P. (2008). The Benefits of ITIL. Retrieved August 12, 2012, from

http://www.pinkelephant.com/articles/TheBenefitsOfITILv26.pdf

Esteves, J. (2004). Definition and Analysis of Critical Success Factors for ERP

Implementation Projects. Doctoral Thesis, Universitat Politècnica de Catalunya,

Barcelona.

Ewusi-Mensah, K. (1997). Critical Issues in Abandoned Information Systems Development

Projects. Communications for ACM , 40 (9), 74-80.

Fornell, C., & Larcker, D. (1981). Structural Equation Models with Unobservable Variables

and Measurement Error. Journal of Marketing Research , 18 (1), 39-50.

Fowler, F. J. (2002). Survey Research Methods. SAGE PUBLICATIONS.

Freeman, R. E. (1994). Strategic Management: A Stakeholder Approach. Pitman, Boston,

MA.

Garrity, J. T. (1963). Top Management and Computer Profits. Harvard Business Review , 41

(4), 6-13.

Gefen, D., & Straub, D. (2005). A Practical Guide to Factorial Validity Using PLS-Graph:

Tutorial and Annotated Example. Communications of the Association for Information

Systems , 16 (25), 91-109.

Gheorghe, M. (2011). Risk Management in IT Governance Framework. Economia Seria

Management , 14 (2), 545-552.

Gilbert, D., Balestrini, P., & Littleboy, D. (2004). Barriers and Benefits in the Adoption of E-

government. International Journal of Public Sector Management , 17 (4), 286-301.

Ginzberg, M. J. (1980). An Organizational Contingencies View of Accounting and

Information Systems Implementation. Accounting, Organizations and Society , 5 (4), 369-

382.

Gómez, B., Bermejo, B., & Juiz, C. (2017). IT Governance and Its Implementation Based on

a Detailed Framework of IT Governance (dFogIT) in Public Enterprises. In L. Rusu, &

G. Viscusi (Eds.), Information Technology Governance in Public Organizations (Vol. 38,

pp. 133-155). Springer International Publishing.

Gregg, D. G., Kulkarni, U. R., & Vinzé, A. S. (2001). Understanding the Philosophical

Underpinnings of Software Engineering Research in Information Systems. Information

Systems Frontiers , 3 (2), 169-183.

Gregor, S., & Jones, D. (2007). The Anatomy of a Design Theory. Journal of the Association

for Information Systems , 8 (5), 312-335.

Gregor, S., Martin, M., Fernandez, W., Stern, S., & Vitale, M. (2006). The Transformational

Dimension in the Realization of Business Value from Information Technology. The

Journal of Strategic Information Systems , 15 (3), 249-270.

Guldentops, E. (2004). Key Success Factors for Implementing IT Governance: Let's Not Wait

for Regulators to Tell Us What to Do. Information Systems Control Journal , 2.

Guldentops, E., Van Grembergen, W., & De Haes, S. (2002). Control and Governance

Maturity Survey: Establishing a Reference Benchmark and a Self-assessment Tool.

Information Systems Control Journal.

Haider, Z., Shuwen, C., & Bux Bur, M. (2016). E-Government Project Obstacles in Pakistan.

International Journal of Computer Theory and Engineering , 8 (5), 362-371.

Hair, J. F., Black, B., Babin, B., Anderson, R. E., & Tatham, R. L. (2006). Multivariate Data

Analysis (6 ed.). Prentice Hall.

Han, W. M., & Huang, S. J. (2007). An Empirical Analysis of Risk Components and

Performance on Software Projects. The Journal of Systems and Software , 80, 42-50.

Henderson, J. C., & Cooprider, J. G. (1990). Dimensions of I/S Planning and Design Aids: A

Functional Model of CASE Technology. Information Systems Research , 1 (3), 227-254.

Henderson, J. C., & Lee, S. (1992). Managing I/S Design Teams: A Control Theories

Perspective. 38 (6), 757-777.

Henderson, J. C., & Venkatraman, N. (1993). Strategic Alignment: Leveraging Information

Technology for Transforming Organizations. IBM Systems Journal , 32 (1), 4-16.

Heras-Saizarbitoria, I., & Boiral, O. (2013). ISO 9001 and ISO 14001: Towards a Research

Agenda on Management System Standards. 15 (1), 47-65.

Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004). Design Science in Information

Systems Research. MIS Quarterly , 28 (1), 75-105.

Hiekkanen, K. (2015). The Impact of IT Governance Practices on Strategic Alignment.

International Journal of IT/Business Alignment and Governance , 6 (2), 1-13.

Hinde, S. (2005). Why Do So Many Major IT Projects Fail? Computer Fraud & Security ,

2005 (1), 15-17.

Hindin, M. J. (2007). Role Theory. In G. Ritzer, Blackwell Encyclopedia of Sociology (pp.

3959-3962). Blackwell Publishing.

Hoch, D., & Payan, M. (2008). Establishing Good IT Governance in the Public Sector.

Retrieved 5 5, 2011, from McKinsey and Company:

http://www.mckinsey.de/downloads/publikation/transforming_government/2008/0803_T

G_it_governance.pdf

Huang, R., Zmud, R. W., & Price, R. L. (2010). Influencing the Effectiveness of IT

governance through Steering Committees and Communication Policies. European

Journal of Information Systems , 19 (3), 288-302.

Hudson, M., Smart, A., & Bourne, M. (2001). Theory and Practice in SME Performance

Measurement Systems. International Journal of Operations & Production Management ,

21 (8), 1096-1115.

Irani, Z., & Love, P. E. (2001). The Propagation of Technology Management Taxonomies for

Evaluating Information Systems. Journal of Management Information Systems , 17 (3),

161-177.

ISACA. (2012). COBIT 5 for Information Security. Retrieved 9 1, 2012, from

www.isaca.org: https://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-

Security-Introduction.pdf

ISO/IEC 38500:2015. (2015). Information technology -- Governance of IT for the

organization. Retrieved 2 25, 2017, from International Organization for Standardization:

https://www.iso.org/standard/62816.html

ITGI. (2003). Board Briefing on IT Governance (2 ed.).

ITGI. (2007). Executive Summary Framework. Retrieved May 20, 2011, from www.isaca.org:

http://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf

ITGI. (2005). IT Governance Using COBIT and Val IT: Student Book. IT Governance

Institute.

ITGI. (2009). ITGI Enables ISO/IEC 38500:2008 Adoption. Retrieved December 18, 2012,

from http://www.galegale.com.br/downloads/2009-

ITGI%20Enables%20ISOIEC%2038500-2008%20Adoption.pdf

ITIL. (2007). Information Technology Infrastructure Library (ITIL) Guide. Retrieved 3 14,

2013, from http://www.itinfo.am/eng/information-technology-infrastructure-library-

guide/#chapter4

Ives, B., & Jarvenpaa, S. L. (1991). Applications of Global Information Technology: Key

Issues for Management. MIS Quarterly , 15 (1), 33-49.

Jick, T. D. (1979). Mixing Qualitative and Quantitative Methods: Triangulation in Action.

Administrative Science Quarterly , 24 (4), 602-611.

Johnson, J. (1995). Chaos: The Dollar Drain of IT Project Failures. Applic. Dev. Trends , 2

(1), 41-47.

Juiz, C., Guerrero, C., & Lera, I. (2014). Implementing Good Governance Principles for the

Public Sector in Information Technology Governance Frameworks. Open Journal of

Accounting , 3, 9-27.

Jun, L., Qiuzhen, W., & Qingguo, M. (2011). The Effects of Project Uncertainty and Risk

Management on IS Development Project Performance: A Vendor Perspective.

International Journal of Project Management , 29, 923-933.

Kaplan, B., & Maxwell, J. A. (1994). Qualitative Research Methods for Evaluating Computer

Information Systems. In J. G. Anderson, C. E. Aydin, & S. J. Jay (Eds.), Evaluating

Health Care Information Systems: Methods and Applications. SAGE PUBLICATIONS.

Keen, P. G., & Scott Morton, M. S. (1978). Decision Support Systems: An Organizational

Perspective. Massachusetts: Addison-Wesley Series on Decision Support.

Keil, M., Cule, P., Lyytinen, K., & Schmidt, R. (1998). A Framework for Identifying

Software Project Risks. Communication ACM , 14 (2), 76-83.

Khan, K. S., Kunz, R., Kleijnen, J., & Antes, G. (2003). Five Steps to Conducting a

Systematic Review. Journal of the Royal Society of Medicine , 96 (3), 118-121.

King. (1983). Centralized vs Decentralized Computing: Organizational Considerations and

Management Options. ACM Computing Surveys.

King, W. R. (1978). Strategic Planning for Management Information Systems. MIS Quarterly

, 2 (1), 27-37.

Kitchenham, B. (2004). Procedures for Performing Systematic Reviews. Retrieved 11 30,

2012, from http://www.inf.ufsc.br/~aldo.vw/kitchenham.pdf

Klecun, E., & Cornford, T. (2005). A Critical Approach to Evaluation. European Journal of

Information Systems , 14, 229-243.

Kleiber, P. B. (2004). Focus Groups: More than a Method of Qualitative Inquiry. In K. B.

deMarrais, & S. D. Lapan (Eds.), Foundations of Research: Methods of Inquiry in

Education and the Social Sciences (pp. 87-102). London: Lawrence Erlbaum.

Kolsaker, A., & Lee-Kelley, L. (2008). Citizens' Attitudes towards E-government and E-

governance: A UK Study. International Journal of Public Sector Management , 21 (7),

723-738.

Kothari, C. R. (2004). Research Methodology: Methods and Techniques. New Delhi: New

Age Publications.

Kraiger, K., Ford, I., & Salas, E. (1993). Application of Cognitive, Skill-based, and Affective

Theories of Learning Outcomes to New Methods of Training Evaluation. Journal

of Applied Psychology , 78, 311-328.

Kruger, C. J., & Snyman, M. M. (2002). Interdependency between Strategic Management and

the Formulation of an Information and Communication Technology Strategy. South

African Journal of Information Management , 4 (2).

Kundi, G. M., Shah, B., & Nawaz, A. (2008). Digital Pakistan: opportunities & challenges.

Journal of Information Systems and Technology Management , 5 (2), 365-390.

Kurti, I., Barolli, E., & Sevrani, K. (2013). Critical Success Factors for Business – IT

Alignment: A Review of Current Research. Romanian Economic and Business Review , 8

(3), 79-97.

Lancaster, G. (2005). Research Methods in Management: A Concise Introduction to Research

in Management and Business Consultancy. Burlington: Elsevier Butterworth-Heinemann.

Lane, J.-E. (2000). The Public Sector: Concepts, Models and Approaches (3 ed.). SAGE

PUBLICATIONS.

Larsen, M. H., Pedersen, M. K., & Viborg, A. K. (2006). IT Governance: Reviewing 17 IT

Governance Tools and Analysing the Case of Novozymes A/S. Proceedings of the 39th

Hawaii International Conference on System Sciences.

Lawry, R., Waddell, D., & Singh, M. (2007). Roles, Responsibilities and Futures of Chief

Information Officers (CIOs) in the Public Sector. Proceedings of European and

Mediterranean Conference on Information Systems.

Lazic, M., Heinzl, A., & Neff, A. (2011). IT Governance Impact Model: How Mature IT

Governance Affects Business Performance. Retrieved 2012, from sprouts.aisnet.org:

http://sprouts.aisnet.org/11-147

Lee, C.-H., Lee, J.-H., Park, J.-S., & Jeong, K.-Y. (2008). A Study of the Causal Relationship

Between IT Governance Inhibitors and Its Success in Korea Enterprises. Proceedings of

the 41st Hawaii International Conference on System Sciences.

Liu, Q., & Ridley, G. (2005). IT Control in the Australian Public Sector: An International

Comparison. Thirteenth European Conference on Information Systems.

Luftman, J. (2000). Assessing Business-IT Alignment Maturity. Communications of the

Association for Information Systems , 4, 1-50.

Luftman, J. N., Papp, R., & Brier, T. (1999). Enablers and Inhibitors of Business-IT

Alignment. Communications of the Association for Information Systems , 1 (11), 1-33.

Marais, W. J., & Kruger, C. J. (2005). Implementation of an Information System Within a

Bureaucratic Environment: An Understanding of the Human Issues. South African

Journal of Information Management , 7 (1).

March, S. T., & Smith, G. F. (1995). Design and Natural Science Research on Information

Technology. Decision Support Systems , 15, 251-266.

Marcoulides, G. A., & Saunders, C. (2006). Editor's Comments – PLS: A Silver Bullet? MIS

Quarterly , 30 (2), iii-ix.

Marshall, C., & Rossman, G. B. (1999). Designing Qualitative Research (3 ed.). London:

SAGE PUBLICATIONS.

Maxwell, J. A. (2013). Qualitative Research Design: An Interactive Approach (Applied

Social Research Methods) (3 ed.). SAGE Publications.

McFarlan, F. W., & McKenney, J. L. (1983). Corporate Information Systems Management:

The Issues Facing Senior Executives. IRWIN.

McKay, J., & Marshall, P. (2005). A Review of Design Science in Information Systems. 16th

Australasian Conference on Information Systems. Sydney.

McKay, J., & Marshall, P. (2007). Science, Design, and Design Science: Seeking Clarity to

Move Design Science Research Forward in Information Systems. 18th Australasian

Conference on Information Systems. Toowoomba.

Meijer, M., & Smalley, M. (2010). ISO/IEC 38500 – BiSL – ASL: A Comparison. Retrieved 5

13, 11, from http://aslbislfoundation.org/en/?wpfb_dl=650

Mimba, N., Helden, G., & Tillema, S. (2007). Public Sector Performance Measurement in

Developing Countries. Journal of Accounting and Organisational Change , 3, 192-208.

MOIT. (2017). Digital Pakistan Policy 2017. Retrieved May 10, 2017, from

http://moit.gov.pk/policies/DPP-2017v5.pdf

Moore, M. H. (1997). Creating Public Value: Strategic Management in Government. Harvard

University Press.

Moore, M. H. (1995). Creating Public Value: Strategic Management in Government. Harvard

University Press.

Morse, J. M. (1991). Approaches to Qualitative-Quantitative Methodological Triangulation.

Nursing Research , 40 (2), 120-123.

MOST. (2000). IT Policy and Action Plan. Retrieved February 10, 2010, from Ministry of

Information Technology website:

http://www.moit.gov.pk/gop/index.php?q=aHR0cDovLzE5Mi4xNjguNzAuMTM2L21va

XQvdXNlcmZpbGVzMS9maWxlL3BvbGljaWVzL1Bha2lzdGFuJTIwSVQlMjBQb2xp

Y3klMjAlMjBBY3Rpb24lMjBQbGFuJTIwMjAwMC5wZGY%3D

Muller, R., & Turner, J. (2005). The Project Manager's Leadership Style as a Success Factor

on Projects: A Literature Review. Project Management Journal , 36 (2), 49-61.

Mutagahywa, B., Kinyeki, C., & Ulanga, J. (2007). A Review of E-Government Related

Interventions in PSRP Phase I and Advice on a Strategy Framework Towards PSRP II.

Myers, M. D. (2008). Qualitative Research in Business and Management. London: SAGE

PUBLICATIONS.

Nadvi, K., & Waltring, F. (2004). Making Sense of Global Standards. In H. Schmitz, Local

Enterprises in the Global Economy: Issues of Governance and Upgrading.

Ndou, V. (2004). E-governance for Developing Countries: Opportunities and Challenges. The

Electronic Journal on Information Systems in Developing Countries , 18 (1), 1-24.

Nenickova, H. (2011). Critical Success Factors for ITIL Best Practices Usage. Economics

and Management.

Nfuka, E. N., & Rusu, L. (2010). Critical Success Factors for Effective IT Governance in the

Public Sector Organizations in a Developing Country: The Case of Tanzania. 18th

European Conference on Information Systems.

Nfuka, E. N., & Rusu, L. (2013). Critical Success Framework for Implementing Effective IT

Governance in Tanzanian Public Sector Organizations. Journal of Global Information

Technology Management , 16 (3), 53-77.

Nfuka, E. N., & Rusu, L. (2011). The Effect of Critical Success Factors on IT governance

Performance. Industrial Management and Data Systems , 111 (9), 1418-1448.

Nfuka, E. N., Rusu, L., Johannesson, P., & Mutagahywa, B. (2009). The State of IT

Governance in Organizations from the Public Sector in a Developing Country. 42nd

Hawaii International Conference on System Sciences, (pp. 1-12).

Nicoll, P. (2005). What Lies Ahead for Public Sector Governance? (Applied Corporate

Governance). Keeping Good Companies , 57, 19-26.

Norreklit, H. (2000). The Balance on the Balanced Scorecard a Critical Analysis of Some of

Its Assumptions. Management Accounting Research , 11 (1), 65-88.

Norris, D. F., & Moon, M. J. (2005). Advancing E-Government at the Grassroots: Tortoise or

Hare? Public Administration Review , 65 (1), 64–75.

Oates, B. J. (2006). Researching Information Systems and Computing. New Delhi: Sage

Publications.

O'Donohue, B., Pye, G., & Warren, M. J. (2006). Improving ICT Governance in Australian

Companies. 17th Australasian Conference on Information Systems.

Olve, N.-G., Petri, C.-J., Roy, J., & Roy, S. (2003). Making Scorecards Actionable:

Balancing Strategy and Control. New York: John Wiley & Sons.

Otley, D. (1999). Performance Management: A Framework for Management Control Systems

Research. Management Accounting Research , 10 (4), 363-382.

Oyemade, R. (2012). Effective IT Governance Through the Three Lines of Defense, Risk IT

and COBIT. ISACA Journal , 1.

Pandey, I. M. (2005). Balanced Scorecard: Myth and Reality. VIKALPA , 30 (1), 51-66.

Pang, M.-S., Lee, G., & DeLone, W. H. (2014). IT Resources, Organizational Capabilities,

and Value Creation in Public-sector Organizations: A Public-value Management

Perspective. Journal of Information Technology , 29 (3), 187-205.

Parent, M., & Reich, B. H. (2009). Governing Information Technology Risk. California

Management Review , 51 (3), 134-152.

Park, J., Lee, J.-N., Lee, O.-K. D., & Koo, Y. (2017). Alignment Between Internal and

External IT Governance and Its Effects on Distinctive Firm Performance: An Extended

Resource-Based View. IEEE Transactions on Engineering Management , 64 (3), 351-

364.

Patton, M. Q. (1987). How to Use Qualitative Methods in Evaluation. SAGE

PUBLICATIONS.

Payne, G., & Payne, J. (2004). Key Concepts in Social Research. SAGE PUBLICATIONS.

Peffers, K., Tuunanen, T., Rothenberger, M. A., & Chatterjee, S. (2008). A Design Science

Research Methodology for Information Systems Research. Journal of Management

Information Systems , 24 (3), 45-78.

Pelt, M. V. (2009). IT Governance in Federal Project Management. Retrieved 3 2, 2012,

from

http://s3.amazonaws.com/chssweb/documents/1057/original/Van_Pelt_final.pdf?1304691

548

Peng, D. X., & Lai, F. (2012). Using Partial Least Squares in Operations Management

Research: A Practical Guideline and Summary of Past Research. Journal of Operations

Management , 30, 467-480.

Pereira, R., & Silva, M. M. (2012). A Literature Review: Guidelines and Contingency Factors

for IT Governance. European, Mediterranean & Middle Eastern Conference on

Information Systems.

Peterson, R. R. (2001). Configurations and Coordination for Global Information

Technology Governance: Complex Designs in a Transactional European Context.

Proceedings of the 34th Hawaii International Conference on System Sciences.

Peterson, R. R. (2004). Crafting Information Technology Governance for Today's Turbulent

Environment. Information Systems Management , 21 (4), 7-21.

Pinto, J., & Slevin, P. (1989). Critical Success Factors in R & D Projects. Research

Technology Management , 32 (1), 31-36.

PMI. (2004). A Guide to the Project Management Body of Knowledge (PMBOK Guide) (4

ed.). Newtown Square, Pennsylvania: Project Management Institute, Inc.

Pollard, C. E., & Cater-Steel, A. (2009). Justifications, Strategies, and Critical Success

Factors in Successful ITIL Implementations in U.S. and Australian Companies: An

Exploratory Study. Information Systems Management , 26 (2), 164-175.

Post, G. V., Kagan, A., & Keim, R. T. (1999). A Structural Equation Evaluation of CASE

Tools Attributes. Journal of Management Information Systems , 15 (4), 215-234.

Prasad, A., Heales, J., & Green, P. (2010). A Capabilities-based Approach to Obtaining a

Deeper Understanding of Information Technology Governance Effectiveness: Evidence

from IT Steering Committees. International Journal of Accounting Information Systems ,

11 (3), 214-232.

Pratchett, L., & Wingfield, M. (1996). Petty Bureaucracy and Woolly-Minded Liberalism?

The Changing Ethos of Local Government Officers. Public Administration Review , 74,

639-656.

Pries-Heje, J., Baskerville, R., & Venable, J. (2008). Strategies for Design Science Research

Evaluation. In Proceedings of the 2008 European Conference on Information Systems.

Prietula, M. J., & Simon, H. A. (1989). The Experts in Your Midst. Harvard Business Review

, 67 (1), 120–124.

PTA. (2017). Telecom Indicators. Retrieved March 20, 2017, from

http://www.pta.gov.pk/index.php?option=com_content&task=view&id=269&Itemid=658

Purao, S., & Storey, V. C. (2008). Evaluating the Adoption Potential of Design Science

Efforts: The Case of APSARA. Decision Support Systems , 44 (2), 369-381.

PwC & ITGI. (2006). IT Governance in Practice: Insight from Leading CIOs. Retrieved 12

18, 2012, from http://www.pwc.com/ca/en/technology-consulting/technology-

advisory/information-technology-governance.jhtml

Qaisar, N., & Khan, G. A. (2010). E-Government Challenges in Public Sector: A case study

of Pakistan. International Journal of Computer Science Issues , 7 (5), 310-317.

Rai, A., & Al-Hindi, H. (2000). The Effects of Development Process Modeling and Task

Uncertainty on Development Quality Performance. Information & Management , 37 (6),

335-346.

Rai, A., Lang, S., & Welker, B. (2002). Assessing the Validity of IS Success Models: An

Empirical Test and Theoretical Analysis. Information Systems Research , 13 (1), 50-69.

Rainey, H., Backoff, R., & Levine, C. (1976). Comparing Public and Private Organizations.

Public Administration Review , 233-244.

Rau, K. G. (2004). Effective Governance of IT: Design Objectives, Roles, and Relationships.

Information Systems Management , 21 (4), 35-42.

Ravichandran, T. (1999). Software Reusability as Synchronous Innovation: A Test of Four

Theoretical Models. European Journal of Information Systems , 8 (3), 183-199.

Ravichandran, T., & Rai, A. (2000). Quality Management in Systems Development: An

Organizational System Perspective. MIS Quarterly , 24 (3), 381-416.

Razak, R. A., & Zakaria, M. S. (2014). The Critical Success Factors for Effective ICT

Governance in Malaysian Public Sector: A Delphi Study. International Journal of Social,

Behavioral, Educational, Economic, Business and Industrial Engineering , 8 (11), 3512-

3515.

Ribbers, P. M., Peterson, R. R., & Parker, M. M. (2002). Designing Information Technology

Governance Processes: Diagnosing Contemporary Practices and Competing Theories.

Proceedings of the 35th Hawaii International Conference on System Sciences.

Rocheleau, B., & Wu, L. (2002). Public Versus Private Information Systems: Do they Differ

in Important Ways? A Review and Empirical Test. The American Review of Public

Administration , 32 (4), 379-397.

Rockart, J. F. (1979). Chief Executives Define their Own Data Needs. Harvard Business

Review , 57 (2), 81-93.

Rohm, H. (2006). A Balancing Act. Perform , 2 (2), 1-8.

Rohner, R. P. (1977). Advantages of the Comparative Method of Anthropology. Cross-

Cultural Research , 12 (2), 117-144.

Rouyet-Ruiz, J. (2008). COBIT as a Tool for IT Governance: Between Auditing and IT

Governance. The European Journal for the Informatics Professional , 9 (1), 40-43.

Royer, I., & Zarlowski, P. (1999). Research design. In R.-A. Thietart, Doing Management

Research: A Comprehensive Guide (pp. 111-131). London: SAGE PUBLICATIONS.

Sambamurthy, V., & Zmud, R. W. (1999). Arrangements for Information Technology

Governance: A Theory of Multiple Contingencies. MIS Quarterly , 23 (2), 261-290.

Schlosser, F., Wagner, H. T., & Coltman, T. (2012). Reconsidering the Dimensions of

Business-IT Alignment. 45th Hawaii International Conference on System Sciences.

Schoderbek, P. P., Schoderbek, C. G., & Kefalas, A. G. (1990). Management Systems:

Conceptual Considerations. Richard D Irwin.

Selig, G. J. (2008). Implementing IT Governance: A Practical Guide to Global Best Practice

in IT Management. New York: Van Haren Publishing.

Selig, G. J. (2016). IT Governance-An Integrated Framework and Roadmap: How to Plan,

Deploy and Sustain for Improved Effectiveness. Journal of International Technology and

Information Management , 25 (1), 55-76.

Serafeimidis, V., & Smithson, S. (2000). Information System Evaluation in Practice: A Case

Study of Organizational Change. Journal of Information Technology , 15 (2), 93-105.

Sethibe, T., Campbell, J., & McDonald, C. (2007). IT Governance in Public and Private

Sector Organizations: Examining the Differences and Defining Future Research

Directions. In Proceedings of 18th Australasian Conference on Information Systems.

Simon, H. A. (1969). The Sciences of the Artificial. MIT Press.

Simonsson, M., & Johnson, P. (2008). The IT Organization Modeling and Assessment Tool:

Correlating IT Governance Maturity with the Effect of IT. Hawaii International

Conference on System Sciences, Proceedings of the 41st Annual.

Simonsson, M., Johnson, P., & Ekstedt, M. (2010). The Effect of IT Governance Maturity on

IT Governance Performance. Information Systems Management , 27 (1), 10-24.

Simonsson, M., Johnson, P., & Wijkström, H. (2007). Model-Based IT Governance Maturity

Assessments with COBIT. European Conference on Information Systems.

Slevin, D. P., & Pinto, J. K. (1986). The Project Implementation Profile: New Tool for

Project Managers. Project Management Journal , 17 (4), 57-70.


Spittler, J. R., & McCracken, C. J. (1996). Effective Project Management in Bureaucracies.

Transactions of AACE International , 1-10.

Standish Group. (1995). The CHAOS Report. Retrieved 3 2, 2008, from

http://www.csus.edu/indiv/v/velianitis/161/ChaosReport.pdf

Straub, D. W., David, G., & Marie-Claude, B. (2005). Quantitative Research. In D. Avison,

& J. Pries-Heje (Eds.), Research in Information Systems: A handbook for research

supervisors and their students (pp. 221-238). Amsterdam: Elsevier.

Sun, Y., & Kantor, P. B. (2006). Cross-Evaluation: A New Model for Information System

Evaluation. Journal of the American Society for Information Science and Technology , 57

(5), 614-628.

Swanson, K., McComb, D., Smith, J., & McCubbrey, D. (1991). The Application Software

Factory: Applying Total Quality Techniques to Systems Development. MIS Quarterly ,

15 (4), 566–579.

Tan, W., Cater-Steel, A., & Toleman, M. (2009). Implementing IT Service Management: A

Case Study Focussing on CSFs. Journal of Computer Information Systems , 50 (2), 1-12.

Tan, W.-G., Cater-Steel, A., & Toleman, M. (2007). Implementing Centralised IT Service

Management: Drawing Lessons from the Public Sector. 18th Australasian Conference on

Information Systems. Toowoomba.

Teddlie, C., & Yu, F. (2007). Mixed Methods Sampling: A Typology With Examples.

Journal of Mixed Methods Research , 1 (1), 77-100.

Teo, S., & Ang, J. (1999). Critical Success Factors in the Alignment of IS Plans with

Business Plans. International Journal of Information Management , 19, 173-185.

Teo, T. S., & King, W. R. (1996). Assessing the Impact of Integrating Business Planning and

IS Planning. Information & Management , 30 (1996), 309-321.

Trochim, W., & Donnelly, J. P. (2007). The Research Methods Knowledge Base (3 ed.).

Atomic Dog.

UNDP. (2017). Human Development Report. Retrieved March 20, 2017, from

http://hdr.undp.org/sites/default/files/2016_human_development_report.pdf

United Nations. (2001). Statistical Yearbook. New York: United Nations.

Upfold, C. T., & Sewry, D. A. (2005). An Investigation of Information Security in Small and

Medium Enterprises (SME's) in the Eastern Cape. Rhodes University.

Urbach, N., & Ahlemann, F. (2010). Structural Equation Modeling in Information Systems

Research Using Partial Least Squares. Journal of IT Theory & Application , 11 (2), 5-40.


Vaishnavi, V., & Kuechler, B. (2007). Design Science Research in Information Systems.

Journal of Association for Information Systems.

Van Aken, J. E. (2004). Management Research based on the Paradigm of the Design

Sciences: The Quest for the Field Tested and Grounded Technological Rules. Journal of

Management Studies , 41 (2), 219-246.

Van Grembergen, W. (2002). Introduction to the Minitrack IT Governance and Its

Mechanisms. Proceedings of the 35th Hawaii International Conference on System

Sciences (HICSS).

Van Grembergen, W., & De Haes, S. (2005). COBIT's Management Guidelines Revisited:

The KGIs/KPIs Cascade. IT Governance Institute Publication , 6.

Van Grembergen, W., & De Haes, S. (2005). Measuring and Improving Information

Technology Governance through the Balanced Scorecard. Information Systems Control

Journal , 2.

Van Grembergen, W., De Haes, S., & Guldentops, E. (2004). Structures, Processes and

Relational Mechanisms for IT Governance. In W. Van Grembergen (Ed.), Strategies for

Information Technology Governance. Hershey: IDEA GROUP PUBLISHING.

Venable, J. (2006). A Framework for Design Science Research Activities. In Proceedings of

the 2006 Information Resource Management Association Conference.

Venkatraman, N., Henderson, J. C., & Oldach, S. (1993). Continuous Strategic Alignment:

Exploiting Information Technology Capabilities for Competitive Success. European

Management Journal , 11 (2), 139-149.

Walford, R. B. (1990). Information Networks: A Design and Implementation Methodology.

Addison-Wesley.

Walls, J. G., Widmeyer, G. R., & El Sawy, O. A. (1992). Building an Information System

Design Theory for Vigilant EIS. Information Systems Research , 3 (1), 36-59.

Ward, J., & Peppard, J. (2002). Strategic Planning for Information Systems (3 ed.). Wiley,

Chichester.

Warland, C., & Ridley, G. (2005). Awareness of IT Control Frameworks in an Australian

State Government: A Qualitative Case Study. In Proceedings of the 38th Hawaii

International Conference on System Sciences.

Wateridge, J. F. (1995). IT Projects: A Basis for Success. International Journal of Project

Management , 13 (3), 169-172.

Webb, P., Pollard, C., & Ridley, G. (2006). Attempting to Define IT Governance: Wisdom or

Folly? Proceedings of the 39th Hawaii International Conference on System Sciences.


Weill, P. (2004). Don't Just Lead, Govern: How Top-Performing Firms Govern IT. MIS

Quarterly Executive , 3 (1), 1-17.

Weill, P., & Broadbent, M. (1998). Leveraging the New Infrastructure: How Market Leaders

Capitalize on Information Technology. Harvard Business Review Press.

Weill, P., & Ross, J. W. (2004). IT Governance: How Top Performers Manage IT Decision

Rights for Superior Results. Boston: Harvard Business School Press.

Whittaker, B. (1999). What went Wrong? Unsuccessful Information Technology Projects.

Information Management & Computer Security , 7 (1), 23-29.

Wiedenhoft, G. C., Luciano, E. M., & Magnagnagno, O. A. (2017). Information Technology

Governance in Public Organizations: Identifying Mechanisms that Meet its Goals While

Respecting Principles. Journal of Information Systems and Technology Management , 14

(1), 69-87.

Wold, H. (1985). Partial Least Squares. In S. Kotz, & L. N. Johnson (Eds.), Encyclopedia of

Statistical Sciences (Vol. 6, pp. 581-591). New York: Wiley.

Worthen, B. (2005). ITIL Power. Retrieved April 10, 2006, from

http://www.cio.com/archive/090105/itil_frameworks.html?page=1

Xia, W., & Lee, G. (2004). Grasping the Complexity of IS Development Projects.

Communications of the ACM , 47 (5), 69-74.

Yin, R. K. (2003). Case Study Research: Design and Methods (4 ed., Vol. 5). SAGE

PUBLICATIONS.

Zahedi, F. (1987). Reliability of Information Systems Based on Critical Success Factors

Formulation. MIS Quarterly , 11 (2), 187-203.

Zhang, P., Zhao, K., & Kumar, R. L. (2016). Impact of IT Governance and IT Capability on

Firm Performance. Information Systems Management , 33 (4), 357-373.

Zhang, S., & Le Fever, H. (2013). An Examination of the Practicability of COBIT

Framework and the Proposal of a COBIT-BSC Model. Journal of Economics, Business

and Management , 1 (4), 391-395.


Appendices

Appendix-I

34 IT Processes of COBIT scattered into four domains

Plan and Organize (PO)
PO1-Define a strategic IT plan
PO2-Define the information architecture
PO3-Determine technological direction
PO4-Define the IT processes, organization and relationships
PO5-Manage the IT investment
PO6-Communicate management aims and direction
PO7-Manage IT human resources
PO8-Manage quality
PO9-Assess and manage IT risks
PO10-Manage projects

Deliver and Support (DS)
DS1-Define and manage service levels
DS2-Manage third party services
DS3-Manage performance and capacity
DS4-Ensure continuous service
DS5-Ensure systems security
DS6-Identify and allocate costs
DS7-Educate and train users
DS8-Manage service desk and incidents
DS9-Manage the configuration
DS10-Manage problems
DS11-Manage data
DS12-Manage the physical environment
DS13-Manage operations

Acquire and Implement (AI)
AI1-Identify automated solutions
AI2-Acquire and maintain application software
AI3-Acquire and maintain technology infrastructure
AI4-Enable operation and use
AI5-Procure IT resources
AI6-Manage changes
AI7-Install and Accredit solutions and changes

Monitor and Evaluate (ME)
ME1-Monitor and evaluate IT performance
ME2-Monitor and evaluate internal control
ME3-Ensure compliance with external requirements
ME4-Provide IT governance

Appendix-II

Fifteen most important and more relevant public sector IT processes of COBIT

Plan and Organize (PO)
PO1-Define a strategic IT plan
PO3-Determine technological direction
PO4-Define the IT processes, organization and relationships
PO5-Manage the IT investment
PO6-Communicate management aims and direction
PO9-Assess and manage IT risks
PO10-Manage projects

Deliver and Support (DS)
DS1-Define and manage service levels
DS4-Ensure continuous service
DS5-Ensure systems security
DS11-Manage data

Acquire and Implement (AI)
AI1-Identify automated solutions
AI2-Acquire and maintain application software
AI6-Manage changes

Monitor and Evaluate (ME)
ME1-Monitor and evaluate IT performance


Appendix-III

Generic maturity model of COBIT

0 Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1 Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.


Appendix-IV

Q1. To what extent are the following IT governance practices, in terms of CSFs, effective in your organization towards the strategic use of IT?

Scale: 1. Not at all effective, 2. Slightly effective, 3. Moderately effective, 4. Effective, 5. Very effective

IT governance practice in terms of CSF | Effectiveness (1-5)

Top management support

Alignment between IT and business strategy

IT demonstrates leadership

Adequate stakeholders involvement

Effective communication between IT and business

Regulatory environment and compliance requirements

Existing governance and transparency

Organizational culture

Financial support

Adequate IT skills and staff

Performance measurement and aligned incentives

Change management and exception handling

Well prioritized IT Projects

Clear IT strategy, principles & policies

Clear roles and responsibilities

IT governance awareness and understanding

IT structures to ensure accountability and flexibility to the IT organizational needs

Risk identification and mitigation process

Standardized and managed IT infrastructure & applications to optimize costs and information flow

IT skills and knowledge of business executives/personnel

Business skills and knowledge of IT executives/personnel

Mutual trust and respect between business and IT executives/personnel

Shared understanding between business and IT executives/personnel

Q2. Which of the IT governance practices in terms of CSFs given above are actually implemented/exercised in your organization, and how? You can also add, delete and change/update the practices given above according to your business setting.


Appendix-V

IT Governance Practices

On five point Likert scale, 1 (strongly disagree) to 5 (strongly agree)

Item Source

IT Leadership (Source: Nfuka & Rusu, 2011)
Effective IT leadership competencies for managing IT projects
IT leadership's understanding of business goals/imperatives and actionable IT intervention
Management team's understanding of IT opportunities and contribution

Senior Management Involvement and Support (Source: Nfuka & Rusu, 2011)
Senior management support to strategic use of IT
Senior management action-oriented involvement in IT projects
High-level political support to strategic use of IT
IT-related resources prioritization

IT/Business Communication and Partnership (Source: Nfuka & Rusu, 2011)
Shared understanding of business IT goals, strategies and imperatives
Business and IT cooperation formally/informally
IT governance mechanisms' transparency to managers
Business involvement in IT initiatives and vice versa
Frequent communication between business and IT

Engagement of Key Stakeholders (Source: Nfuka & Rusu, 2011)
Building collaborative relationships with key stakeholders
Creating shared understanding among key stakeholders on common agenda
Stakeholders' active participation in IT planning and implementation of shared resources/services

Defined, Aligned and Cascaded IT and Business Strategies (Source: Nfuka & Rusu, 2011)
Alignment of IT business goals, strategy and operations
A well-communicated IT strategy and policy down to all levels of organization
Well-aligned and prioritized IT projects
Active participation of IT people in corporate strategy and business people in IT strategy planning
Aligned IT to required reforms in public sector

IT Structures for Responsiveness and Accountability (Source: Nfuka & Rusu, 2011)
Participatory designed and widely communicated IT governance mechanisms on IT structure with a focus on partnership ownership and accountability
Having active IT steering committees that oversee IT investment, prioritization and operations
Having IT project committee to oversee/monitor the project activities and outcome
IT head on executive management and reporting to CEO
Clear and adequate role and responsibilities/categories

Policies and Guidelines for Optimal Acquisition and Use of IT (Source: Nfuka & Rusu, 2011)
Effective IT processes guidelines for management and IT projects' staff/users
Implementing an IT governance and control framework
IT project governance/management methodologies
Clear IT budget control, reporting and responsible usage
Enforced IT-governance-related policies and guidelines

Risk Identification and Mitigation Mechanism (Source: Keil et al., 1998)
Presence of comprehensive set of metrics for identification and mitigation of business risks
Presence of comprehensive set of metrics for identification and mitigation of resource risks
Presence of comprehensive set of metrics for identification and mitigation of technology risks

Standardized and Managed IT Infrastructure and Applications (Source: Nfuka & Rusu, 2011)
Effective provision and management of IT facilities
Standardized and sharable IT infrastructure and applications
Provision of efficient and reliable services to IT projects' staff

IT Governance Awareness and Training (Source: Nfuka & Rusu, 2011)
Provision of governance of IT training to IT/business management and experts for cost effective management and optimal use of IT projects' resources
Provision of governance of IT awareness to users for optimal and cost-effective use of IT projects' resources
Incorporation of change management in IT governance best practices awareness and training

Competitive IT Professionals (Source: Nfuka & Rusu, 2011)
A focus on attracting and retaining core IT/business competencies related to planning, development and management of IT projects
Recognition and encouragement of IT innovations, appropriateness and excellence
Skilled IT personnel as working capital of successful IT projects & operations

Performance Measures and Benchmarks (Source: Nfuka & Rusu, 2011)
Clearly set IT projects' targets in organizational operations, customer/public excellence, skills/innovation and corporate contribution
Clearly set, active and monitored performance measures for organizational and public value of IT projects
Demonstration of IT projects' success/contribution
Performance-aligned rewards and penalties


Task Outcomes

On seven-point Likert scale, 1 (extremely low) to 7 (extremely high)

Item Source

Efficiency of operations

Adherence to schedules

Adherence to budgets

Amount of produced work

Quality of produced work

Effectiveness of interactions with consultants

Ability to meet its goals

(Henderson & Lee, 1992)

Organizational Outcomes

On seven-point Likert scales, 1 (strongly disagree) to 7 (strongly agree)

Item Source

Cost reduction and efficiency gains (Gregor et al., 2006; Ndou, 2004)
Improved quality of decision-making (Gregor et al., 2006; Ndou, 2004)
Transparency, anticorruption and accountability (Bhatnagar & Singh, 2010; Ndou, 2004)
Useful links with other organizations (Gregor et al., 2006; Ndou, 2004)
Improved quality of service delivery to businesses and customers (Ndou, 2004)
Enhanced employees' productivity (Gregor et al., 2006)

Public Outcomes

On seven-point Likert scales, 1 (not at all) to 7 (to a great extent)

Item Source

Cost and time saving using e-services (Gilbert et al., 2004; Kolsaker & Lee-Kelley, 2008; Wang & Liao, 2008)
Better information, knowledgeable about government policy (Kolsaker & Lee-Kelley, 2008; Grimsley & Meehan, 2007; Thomas & Streib, 2003)
Efficient method of communicating with government (Kolsaker & Lee-Kelley, 2008)
Involving, exerting influence in the democratic process (Kolsaker & Lee-Kelley, 2008; Grimsley & Meehan, 2007)
Network and community creation (Ndou, 2004)


Appendix-VI

1. A proposed set of activities to implement the relevant practice in your organization is given below. Please review each activity for its suitability to implement the relevant practice in your business setting. You can also add, delete and change/update activities according to your business setting.

2. Please also choose a suitable role and an appropriate IT resource to execute each activity as per your business setting from the lists given below.

Role (R): Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)

IT Resource (S): Applications (AP), Information (IN), Infrastructure (IF), People (PP)

Guiding practice | Proposed activities | Improved activities | R | S

1. IT/business communication and partnership
1.1 Establish viable IT/business communication and partnership practice
1.2 Involve business personnel in IT initiatives and IT personnel in business imperatives
1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives
1.4 Make IT related decisions with the same criteria used by the business
1.5 Educate business management regarding the importance of partnering with IT
1.6 Assure active conflict resolution

2. Engagement of key stakeholders
2.1 Identify key stakeholders with clear roles and responsibilities
2.2 Consult and involve key stakeholders in IT plan preparation and implementation
2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives
2.4 Provide assurance to satisfy stakeholder concerns
2.5 Analyse the potential contribution of key stakeholders

3. IT leadership
3.1 Provide a clear and top level mandate to lead and manage IT and transformation program
3.2 Persuade IT leadership on articulating a vision for the role of IT in organization
3.3 Encourage IT leadership on business imperatives and viable IT intervention
3.4 Convince business management on IT potential and contribution
3.5 Develop confidence of senior management in IT leadership
3.6 Develop focused IT leadership competencies

4. Senior management involvement and support
4.1 Establish senior management role in IT decision-making and monitoring processes
4.2 Demonstrate viable business value proposition from IT for senior management, board and politicians' support
4.3 Convince senior management on delegating viable authority for decision-making and control over resources
4.4 Convince senior management for additional resources in crisis
4.5 Motivate senior management to use IT actively

5. Defined, aligned and cascaded IT and business strategies
5.1 Involve IT/business personnel in IT/business strategic planning
5.2 Define and align IT goals with business goals
5.3 Establish business aligned IT strategy, resources and operations
5.4 Prioritize, harmonize and establish IT projects cost-effectively
5.5 Integrate IT effectively into related public sector reforms
5.6 Cascade IT strategy down to all levels of organization

6. IT structures for responsiveness and accountability
6.1 Establish clear and appropriate IT roles and responsibilities
6.2 Establish the role of CIO or IT head to report directly to executive head
6.3 Establish IT steering committee with balanced representation of IT/business
6.4 Establish IT project steering committee to prioritize and manage IT projects
6.5 Ensure shared understanding and active participation of committees

7. Policies and guidelines for optimal acquisition and use of IT
7.1 Establish needed IT processes and governance framework
7.2 Establish clear mechanism for IT budget control and reporting
7.3 Ensure optimized IT investment, procurement and operational cost
7.4 Establish cost-effective and responsible use of IT resources
7.5 Establish ownership and efficient use of IT applications
7.6 Establish IT governance policies & guidelines for IT value creation and preservation
7.7 Determine and implement required change management
7.8 Cascade and enforce IT policies & guidelines at all levels

8. IT governance awareness and training
8.1 Determine drivers and state of IT governance practices
8.2 Determine required mindset change and best practices
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel
8.4 Establish knowledge management mechanism
8.5 Reduce employees' resistance

9. Competitive IT professionals
9.1 Attract, develop and retain skilled IT personnel for IT/business success
9.2 Develop broad IT competencies to manage IT resources
9.3 Establish and motivate aligned IT innovation and practices
9.4 Treat skilled IT professionals as working capital

10. Standardized and managed IT infrastructure and applications
10.1 Provide and leverage IT facilities rationally
10.2 Standardize and share IT infrastructure effectively
10.3 Standardize, integrate and manage IT applications prudently
10.4 Determine and actively manage services offered by the third parties
10.5 Benchmark and provide efficient IT services in and across organizations
10.6 Establish research activities for new and innovative IT services

11. Performance measures and benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT
11.2 Establish effective performance management strategy
11.3 Set and monitor IT/business oriented performance measures
11.4 Evaluate and demonstrate business value of IT
11.5 Assess IT governance performance and continually improve
11.6 Establish performance aligned rewards and penalties


Appendix-VII

Q. To what extent do you perceive that the following improved activities are effective and easy to implement in your business setting?

Scale: 1. Not at all, 2. Slightly, 3. Moderately, 4. Satisfactorily, 5. Very satisfactorily

Guiding practice | Improved activities | Perceived effectiveness (1-5) | Ease of implementation (1-5)

1. IT/business communication and partnership
1.1 Formalize viable IT/business communication and partnership practice
1.2 Train/involve business personnel in IT initiatives and IT personnel in business imperatives
1.3 Develop shared understanding among IT/business personnel on IT/business goals and imperatives
1.4 Convince business management on IT/business partnership

2. Engagement of key stakeholders
2.1 Identify key stakeholders and establish appropriate roles & responsibilities
2.2 Involve key stakeholders in IT/business plans preparation and implementation
2.3 Create shared understanding among key stakeholders on shared IT/business goals and imperatives
2.4 Analyze and report the potential contribution of key stakeholders

3. IT leadership
3.1 Establish clear and top level mandate to lead and manage overall transformation program
3.2 Encourage IT leadership on business imperatives and viable IT intervention
3.3 Convince business management on IT potential and contribution
3.4 Develop confidence of senior management in IT leadership
3.5 Develop focused IT leadership competencies


4. Senior management involvement and support
4.1 Establish senior management role in strategic IT decision-making, resource prioritization and monitoring processes
4.2 Demonstrate viable business value proposition of IT to get support of senior management, politicians and sponsor
4.3 Convince senior management to delegate viable authority over resources
4.4 Convince senior management to provide required resources for IT/business success
4.5 Motivate senior management to use IT actively

5. Defined, aligned and cascaded IT and business strategies
5.1 Involve IT/business personnel in strategic IT/business planning
5.2 Define and align IT goals with business goals
5.3 Establish business aligned IT strategy, resources and operations
5.4 Prioritize and align IT projects with business goals and imperatives
5.5 Incorporate IT effectively into required public sector reforms
5.6 Cascade IT strategy down to all levels of organization

6. IT structures for responsiveness and accountability
6.1 Establish clear and appropriate IT roles and responsibilities
6.2 Establish the role of CIO or IT head to report directly to the executive head
6.3 Establish IT steering committee with balanced representation of IT/business executives
6.4 Establish IT project steering committee to prioritize and manage IT projects
6.5 Ensure shared understanding and active participation of committees

7. Policies and guidelines for optimal acquisition and use of IT
7.1 Establish needed IT processes and governance framework
7.2 Establish transparent IT/business budget control and reporting
7.3 Ensure optimized IT investment, procurement and operational cost
7.4 Establish ownership and ensure effective use of IT infrastructure & applications
7.5 Establish IT governance policies & guidelines for IT value creation and preservation
7.6 Determine and implement required change management
7.7 Cascade and enforce IT policies & guidelines at all levels

8. IT governance awareness and training
8.1 Determine drivers and state of IT governance practices
8.2 Determine and fix required mindset change and best practices
8.3 Adopt and undertake IT governance awareness and training for IT/business personnel
8.4 Create IT governance awareness among employees through top management announcements

9. Competitive IT professionals
9.1 Attract, develop and retain skilled IT personnel for IT/business success
9.2 Develop broad IT competencies to manage IT resources
9.3 Establish and motivate aligned IT/business innovation and practices
9.4 Treat skilled IT professionals as working capital

10. Standardized and managed IT infrastructure and applications
10.1 Standardize and share IT infrastructure effectively
10.2 Standardize, integrate and manage IT applications effectively
10.3 Define and manage SLAs effectively
10.4 Benchmark and provide efficient IT facilities in and across organizations
10.5 Encourage research activities for new and innovative IT services

11. Performance measures and benchmarks
11.1 Perform adequate analysis and evaluation of current and future use of IT
11.2 Establish effective performance management strategy
11.3 Set and monitor IT/business oriented performance measures
11.4 Evaluate and demonstrate business value proposition of IT
11.5 Assess IT governance performance and continually improve

*Role (R) - Executives (E), Business (B), IT Management (ITM), IT Operations (ITO), Compliance, audit, risk and security (CARS)

**IT Resource (S) - Applications (AP), Information (IN), Infrastructure (IF), People (PP)


Appendix-VIII

1. Please provide your expert opinion on the suitability of each of the following elements of the proposed framework (attached). You can add,

delete and change elements of the proposed framework according to your business setting and the context of PakPSOs.

a) Environment

b) Organization

c) Activities

d) Roles

e) IT resources

Q2. Please also provide your comments for the further improvement of the framework.


Appendix-IX

Q1. To what extent does the proposed framework (attached) fulfill the following evaluation criteria in your organizational setting?

Criteria for evaluation, each rated from 1 to 5:

Formal description to meet the need for no ambiguity
1 Very ambiguous, 2 Ambiguous, 3 Fair, 4 Good, 5 Very good

Definable activities through understandability of the framework
1 Not at all understandable, 2 Slightly understandable, 3 Understandable, 4 Very understandable, 5 Extremely understandable

Completeness of the framework to ensure no additional activities are needed
1 Very poor, 2 Poor, 3 Marginal, 4 Good, 5 Very good

Activities to be capable of implementation
1 Not at all implementable, 2 Slightly implementable, 3 Implementable, 4 Very implementable, 5 Extremely implementable

Usability via measuring ease of use
1 Very difficult, 2 Difficult, 3 Easy, 4 Very easy, 5 Extremely easy

Fit by measuring the usefulness of the framework in the organization
1 Not at all useful, 2 Slightly useful, 3 Useful, 4 Very useful, 5 Extremely useful

Q2: Please also provide your opinion on each of the above stated criteria regarding the evaluation of the proposed framework in your

organization.


Appendix-X

Cross Loading

V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12 Task Outcomes Organizational Outcomes Public Outcomes

V1.1 0.8920 0.5590 0.2359 0.6568 0.3700 0.2719 0.2853 0.1333 0.4572 0.5089 0.4522 0.4739 0.6612 0.4014 0.6193

V1.2 0.9070 0.4802 0.1852 0.5945 0.3861 0.2918 0.4353 0.2246 0.5096 0.4540 0.4289 0.4915 0.6416 0.3898 0.6368

V1.3 0.8383 0.4942 0.1427 0.4582 0.3860 0.3233 0.3040 0.1597 0.4107 0.4247 0.4506 0.5369 0.5460 0.2951 0.4932

V2.1 0.4153 0.7403 0.2643 0.4916 0.2590 0.2332 0.1895 0.2137 0.3327 0.4295 0.3553 0.2963 0.4846 0.2920 0.4630

V2.2 0.3671 0.7848 0.2758 0.4302 0.3052 0.1174 0.2860 0.1725 0.3060 0.3250 0.3396 0.2394 0.4954 0.2565 0.4172

V2.3 0.3956 0.7817 0.2416 0.3725 0.3188 0.2485 0.2607 0.1907 0.4006 0.3268 0.3175 0.4085 0.5131 0.2565 0.4352

V2.4 0.5573 0.7743 0.4619 0.5311 0.5273 0.3998 0.4276 0.3724 0.6402 0.5648 0.5539 0.5305 0.6911 0.5103 0.6311

V3.1 0.2905 0.4334 0.9043 0.3575 0.3543 0.1136 0.1962 0.3099 0.4193 0.5298 0.4091 0.2741 0.5634 0.4631 0.5717

V3.2 0.1910 0.3715 0.8797 0.3755 0.3132 0.0996 0.1344 0.2881 0.4047 0.5083 0.3780 0.2242 0.5260 0.4333 0.5845

V3.3 0.0494 0.2693 0.8784 0.1975 0.2299 0.0850 0.0887 0.2001 0.2936 0.4677 0.2736 0.1699 0.3939 0.3571 0.4501

V3.4 0.1638 0.3329 0.8629 0.2718 0.2862 0.0545 0.2030 0.2311 0.3271 0.5128 0.2943 0.1871 0.4403 0.3567 0.4663

V3.5 0.2231 0.4366 0.8818 0.3441 0.3747 0.1671 0.2016 0.2533 0.4575 0.5081 0.4593 0.2903 0.5216 0.4403 0.5255

V4.1 0.6627 0.5806 0.3718 0.9182 0.4767 0.3940 0.4399 0.3265 0.5858 0.5975 0.6029 0.4953 0.7478 0.4936 0.7076

V4.2 0.5479 0.5131 0.3228 0.9202 0.4348 0.4202 0.4821 0.3012 0.5800 0.5496 0.5367 0.5167 0.6969 0.5052 0.7076

V4.3 0.5914 0.5674 0.2896 0.9148 0.3790 0.3790 0.4780 0.3333 0.5448 0.5399 0.5266 0.4401 0.7054 0.4537 0.6614


V5.1 0.4721 0.5269 0.4200 0.4835 0.9123 0.4171 0.3152 0.3585 0.4767 0.4680 0.5942 0.4310 0.6046 0.5822 0.5582

V5.2 0.3057 0.3882 0.3190 0.3925 0.8800 0.3413 0.3008 0.3559 0.3866 0.3851 0.5305 0.3732 0.4746 0.4887 0.4528

V5.3 0.3134 0.3805 0.2854 0.3316 0.8827 0.3074 0.3240 0.2741 0.3847 0.3743 0.5049 0.2872 0.4423 0.4552 0.3957

V5.4 0.4043 0.3963 0.2022 0.3974 0.8824 0.2945 0.2872 0.2646 0.3878 0.3059 0.4652 0.3642 0.4665 0.3910 0.4287

V5.5 0.4028 0.4314 0.3352 0.4618 0.9018 0.4436 0.3931 0.3379 0.5190 0.4479 0.6049 0.3995 0.5557 0.5669 0.5441

V6.1 0.3720 0.4016 0.1545 0.4237 0.4126 0.8976 0.1640 0.3426 0.4628 0.3680 0.4709 0.5434 0.4868 0.4480 0.4381

V6.2 0.2974 0.3146 0.1751 0.4315 0.3593 0.8849 0.2069 0.3720 0.4165 0.3799 0.4572 0.5106 0.4262 0.4502 0.4128

V6.3 0.1922 0.2197 0.0374 0.3161 0.2687 0.8917 0.2789 0.2530 0.3556 0.2897 0.3924 0.4537 0.3400 0.3515 0.3145

V6.4 0.2491 0.2860 0.0713 0.3495 0.3935 0.9076 0.2602 0.2823 0.3723 0.2887 0.4268 0.5127 0.3896 0.3798 0.3228

V6.5 0.3385 0.2876 0.0714 0.3838 0.3787 0.8654 0.2375 0.2580 0.3754 0.2360 0.4331 0.4882 0.4047 0.4321 0.3526

V7.1 0.3644 0.3942 0.2002 0.5027 0.3472 0.1923 0.9164 0.3340 0.5437 0.4974 0.4993 0.2809 0.4986 0.4852 0.5002

V7.2 0.3438 0.3193 0.1724 0.4260 0.3216 0.2159 0.8893 0.3235 0.4608 0.3854 0.4093 0.3551 0.4389 0.4580 0.4398

V7.3 0.2999 0.3043 0.1628 0.3737 0.2519 0.1644 0.8761 0.2408 0.4856 0.4522 0.4003 0.2496 0.4020 0.3851 0.4031

V7.4 0.3217 0.3853 0.2120 0.5122 0.3174 0.3076 0.8843 0.2993 0.4804 0.4182 0.4363 0.3313 0.4791 0.4131 0.4751

V7.5 0.4074 0.3585 0.0936 0.4415 0.3861 0.2465 0.9023 0.2519 0.4785 0.3830 0.5039 0.2798 0.4674 0.4180 0.4626

V8.1 0.2052 0.3012 0.2329 0.3339 0.3320 0.3389 0.3036 0.8862 0.3076 0.3158 0.3314 0.2157 0.3741 0.3513 0.2905

V8.2 0.2052 0.3012 0.2329 0.3339 0.3320 0.3389 0.3036 0.8853 0.3076 0.3158 0.3314 0.2157 0.3741 0.3513 0.2905

V8.3 0.0675 0.2185 0.2983 0.1989 0.2405 0.1706 0.2089 0.8680 0.2402 0.2228 0.2220 0.0566 0.2404 0.2843 0.2601


V9.1 0.5423 0.6281 0.4017 0.6119 0.4778 0.4361 0.4932 0.3409 0.9227 0.5502 0.6439 0.4773 0.6706 0.5039 0.7187

V9.2 0.4459 0.4528 0.3440 0.5496 0.4309 0.3813 0.5020 0.2407 0.8939 0.4844 0.5406 0.4326 0.5618 0.4011 0.6603

V9.3 0.4167 0.4584 0.4310 0.5083 0.4069 0.3919 0.4847 0.3277 0.8753 0.5528 0.5265 0.3953 0.5895 0.4918 0.6490

V10.1 0.4461 0.4578 0.5633 0.5259 0.3903 0.2988 0.4166 0.3062 0.4952 0.9138 0.5109 0.3589 0.5922 0.5578 0.5799

V10.2 0.4556 0.5237 0.5330 0.5268 0.4097 0.3220 0.4177 0.3414 0.5313 0.9279 0.4713 0.3843 0.6080 0.5185 0.5868

V10.3 0.5485 0.5518 0.4951 0.6337 0.4437 0.3586 0.4834 0.2975 0.5991 0.9213 0.5683 0.4475 0.6849 0.5550 0.6788

V11.1 0.4007 0.4715 0.3084 0.5304 0.5315 0.4807 0.4288 0.2835 0.5420 0.4935 0.8962 0.3845 0.5998 0.4762 0.5620

V11.2 0.4729 0.4683 0.3483 0.5361 0.5650 0.4028 0.4349 0.3192 0.5717 0.4580 0.8761 0.3923 0.6296 0.4866 0.5975

V11.3 0.4444 0.4553 0.4389 0.5242 0.5093 0.4147 0.4622 0.3260 0.5606 0.5268 0.8543 0.4254 0.6256 0.5284 0.5800

V12.1 0.3722 0.4697 0.3502 0.3872 0.4337 0.3463 0.3560 0.2332 0.3984 0.3968 0.3837 0.6917 0.4463 0.6548 0.4190

V12.2 0.3881 0.2155 0.0025 0.3550 0.1366 0.5178 0.1205 0.0831 0.2820 0.1631 0.3480 0.6378 0.3029 0.2059 0.2665

V12.3 0.4149 0.3284 0.1697 0.3761 0.2203 0.3663 0.1788 0.0954 0.3178 0.2781 0.2241 0.7723 0.3514 0.2146 0.3320

V12.4 0.4768 0.3542 0.1278 0.4055 0.3194 0.4670 0.2285 0.1129 0.3696 0.3386 0.3414 0.8002 0.4349 0.2256 0.3954

TasOut1 0.6972 0.6525 0.2940 0.6369 0.3389 0.3054 0.2689 0.1993 0.4339 0.5410 0.4444 0.4280 0.7164 0.4507 0.5924

TasOut2 0.6947 0.6170 0.2880 0.5917 0.3807 0.2662 0.3901 0.2331 0.4626 0.4643 0.4121 0.4135 0.7391 0.4217 0.5783

TasOut3 0.5664 0.6154 0.3305 0.6741 0.4155 0.3617 0.3811 0.3001 0.5015 0.5078 0.4856 0.5257 0.7513 0.4990 0.5350

TasOut4 0.5362 0.6263 0.3676 0.7225 0.4561 0.3701 0.4873 0.3657 0.5772 0.5350 0.5297 0.4956 0.7804 0.5538 0.5786

TasOut5 0.3913 0.3885 0.4901 0.4774 0.4401 0.3988 0.4289 0.3015 0.5183 0.5022 0.6260 0.3314 0.7328 0.4092 0.7037


TasOut6 0.3628 0.4099 0.5760 0.4721 0.4874 0.3427 0.3258 0.3193 0.5223 0.4676 0.6030 0.2735 0.7316 0.4266 0.7124

TasOut7 0.3355 0.4042 0.5967 0.4058 0.4730 0.3642 0.3599 0.3296 0.4834 0.5057 0.5658 0.3182 0.671 0.4673 0.6719

OrgOut1 0.3964 0.3189 0.3130 0.4447 0.3839 0.3501 0.3533 0.2860 0.4035 0.5131 0.4625 0.3432 0.5282 0.7551 0.4438

OrgOut2 0.4319 0.3552 0.3302 0.4937 0.4189 0.3684 0.3612 0.3223 0.4097 0.4868 0.4892 0.3797 0.5589 0.8211 0.4664

OrgOut3 0.3534 0.3305 0.3626 0.3773 0.4009 0.3525 0.3503 0.3080 0.3954 0.4458 0.4321 0.3181 0.5085 0.8193 0.3893

OrgOut4 0.3000 0.3668 0.4577 0.4093 0.4824 0.3754 0.3924 0.3597 0.4108 0.4826 0.4473 0.4222 0.5500 0.8642 0.4467

OrgOut5 0.2270 0.3484 0.3931 0.3650 0.4819 0.3543 0.4460 0.2759 0.4205 0.4216 0.4678 0.4514 0.4388 0.8087 0.3901

OrgOut6 0.2963 0.4283 0.3716 0.4323 0.5117 0.4260 0.4005 0.3118 0.4404 0.4719 0.4165 0.5083 0.4251 0.7039 0.4392

PubOut1 0.7071 0.5247 0.2914 0.6929 0.4239 0.3314 0.3071 0.1501 0.4646 0.4862 0.4722 0.3988 0.6397 0.3915 0.7094

PubOut2 0.6811 0.5635 0.3263 0.7268 0.3956 0.3092 0.4449 0.1998 0.5472 0.5371 0.4797 0.4892 0.6308 0.4207 0.7570

PubOut3 0.4901 0.5571 0.5757 0.5592 0.4842 0.3837 0.4012 0.3552 0.6793 0.5531 0.5783 0.4139 0.7346 0.4318 0.8562

PubOut4 0.3868 0.4147 0.5224 0.5118 0.3722 0.2630 0.4380 0.2960 0.6371 0.5068 0.4890 0.3254 0.6405 0.4024 0.7963

PubOut5 0.3198 0.4680 0.6052 0.4350 0.4275 0.3417 0.4025 0.2868 0.6035 0.5229 0.5586 0.3280 0.6295 0.4562 0.7561