Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Measuring and Improving IT Governance

Through the Balanced Scorecard
By Wim Van Grembergen and Steven De Haes

T
he US Sarbanes-Oxley Act has brought about an management. IT management is focused on the daily effective
enhanced attention to enterprise (corporate) governance. and efficient supply of IT services and IT operations. IT
Consequently, IT governance is also on the agenda as governance, in turn, is much broader and concentrates on
corporate governance and IT governance focus on related performing and transforming IT to meet present and future
issues, and IT governance performance greatly impacts the demands of the business and the business customers.5
organisations ability to achieve its objectives. In their To implement IT governance in practice, an IT governance
publications on measuring the performance of corporate framework can be deployed composed of a mixture of various
boards, M.J. Epstein and M.J. Roy state that governance structures, processes and relational mechanisms (figure 1).
concerns relate to practices of both corporate boards and Structures involve the existence of responsible functions, such
senior managers and the question being asked is whether the as IT executives and accounts, and a diversity of IT
decision-making process and the decisions themselves are committees. Processes refer to strategic IT decision-making
made in the interest of shareholders, employees, and other and monitoring such as strategic information systems planning
stakeholders or whether they are primarily in the interests of and the balanced scorecard. The relational mechanisms include
the executives.1 This can be translated into specific IT business/IT participation and partnerships, strategic dialogue
governance issues. IT governance concerns relate to IT and shared learning. When designing IT governance, it is
practices of boards and senior managers. The question is important to recognise that it is contingent upon a variety of
whether IT structures, processes, relational mechanisms and IT sometimes conflicting internal and external factors. Therefore,
decisions are made in the interest of shareholders and other determining the right mechanisms is a complex endeavour and
stakeholders, or primarily in the executives interests. what works for one company does not necessarily work for
Currently, many enterprises are implementing IT another, even if they work in the same sector.6
governance structures, processes and relational mechanisms to
achieve a better fusion of business and IT. A crucial question is
how well are they doing? In other words, how do the Figure 1Main Elements of an
implemented IT governance practices rate? Drawing on IT Governance Framework
Epstein and Roy and previous work on the IT balanced
scorecard (BSC),2 an IT governance BSC will be developed in
Structures Processes
this paper.
To set the context, IT governance issues and balanced
scorecard concepts will first be discussed. After that, a
balanced scorecard will be introduced as a performance IT Governance
measurement system for IT governance enabling strategies for
improvement.
Relational Mechanisms
IT Governance Issues
IT governance is increasingly gaining attention in the
business and IT arena. In Gartners Top Ten CIO Management
Priorities for 2003, Improving IT Governance is for the first Balanced Scorecard Approach
time included and ranked third. This emerging interest is also The use of the BSC has become widespread as a
shown by recent publications.3 performance measurement and management system. The
IT governance can be defined as the organizational capacity fundamental premise of the BSC approach, introduced by R.S.
exercised by the board, executive management and IT Kaplan and D.P. Norton on the enterprise level,7 is that the
management to control the formulation and implementation of evaluation of a firm should not be restricted to a traditional
IT strategy and ensure the fusion of business and IT.4 Primary financial evaluation, but should be supplemented with
focus is on the responsibility of the board and executive measures concerning customer satisfaction, internal processes,
management. It is indicated that IT management is also and learning and growth. Results achieved within these
involved in the governance process. However, a clear additional perspectives should assure future financial results
difference must be made between IT governance and IT and drive the organisation toward its strategic goals while

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

keeping all four perspectives in balance. For this balanced improve both governance and corporate transparency.9 Figure 3
measurement framework, Kaplan and Norton proposed a three- shows typical examples of metrics for a board balanced
layer structure for each of the four perspectives: mission, scorecard as proposed by Epstein and Roy. The financial
objectives, and measures from which targets are to be set and perspective demonstrates how the board is contributing to
initiatives are to be launched to reach a better rate. To leverage success in the financial dimension. The stakeholders perspective
the scorecard as a management instrument, it should be reports on how the board achieves ethical and legal compliance.
enhanced with cause-and-effect relationships among measures. The internal process perspective identifies processes to be
These relationships are articulated by two types of measures: implemented to ensure optimal board functioning. The learning
outcome measures and performance drivers. A well-developed and growth perspective captures measures regarding activities
scorecard should contain a good mix of these two metrics. needed to develop and learn for the future.
Outcome measures without performance drivers do not
communicate how they are to be achieved. Performance Figure 3Examples of Metrics
drivers without outcome measures may lead to significant for a Board Balanced Scorecard
investment without a measurement indicating whether the Perspective Objective Example Metrics
chosen strategy is effective. Financial Long-term financial Return on investment
BSC concepts have been applied to the IT function and its success Stock price
processes. For IT as an internal service provider, the generic Short-term financial Success of change
perspectives should be changed accordingly. Figure 2 displays success
examples of metrics of an IT balanced scorecard developed Long-term success of
changes
and implemented by an international financial group.8 The
Stakeholders Ethical behaviour and Number of ethical/legal
corporate contribution perspective evaluates the performance legal compliance violations
of the IT organisation from the viewpoint of executive Corporate governance Number of voluntary
management. The customer orientation perspective evaluates and accountability disclosures
the performance of IT from the viewpoint of internal business Management of Number of meetings with
users. The operational excellence perspective provides the stakeholders needs stakeholders
performance of the IT processes from the viewpoint of IT Internal Risk and crisis Number of risk audits
processes management performed
management. The future perspective shows the readiness for Performance evaluation Number of board members
future challenges of the IT organisation itself. systems owning stock
Review of strategic plans Number of hours spent
Figure 2Examples of Metrics Functioning of the board on strategic issues
for an IT Balanced Scorecard Overall attendance at
meetings
Perspective Objective Example Metrics Learning Succession for CEO Interim CEO identified
Corporate Business/IT alignment Operational budget approval and growth Composition of the board Percent of directors
Value delivery Business unit performance Skills and knowledge financially literate
Cost management Attainment of expense and Existence of training
Risk management recovery targets programs
Intercompany synergy Results of internal audits (Adapted from Epstein, M.J.; M.J. Roy; How Does Your Board Rate?, Strategic Finance,
Single system solutions February, p. 25-31, 2004)
Customer Customer satisfaction Business unit survey
Competitive costs ratings
Development performance Attainment of unit cost Developing an IT Governance
Operational performance targets
Major project scores Balanced Scorecard
Attainment of targeted levels In previous paragraphs, it was demonstrated that the
Operational Development process Function point measures balanced scorecard concept can be applied to the IT function
excellence Operational process Change management and the board. By using the balanced scorecard to its full
Process maturity effectiveness extent, it enables IT management and the board to achieve
Enterprise architecture Level of IT processes their objectives. The BSC is not only a performance
State of the infrastructure
assessment management system but also, at the same time, a management
Future Human resource Staff turnover system when causal relationships between metrics are properly
management Satisfaction survey scores implemented. This can be illustrated with the board BSC of
Employee satisfaction Implementation of learned figure 3. A better composition of the board with improved
Knowledge management lessons financial literacy of its members (learning and growth
(Adapted from Grembergen, W.; R. Saull; S. De Haes; Linking the IT Balanced Scorecard perspective) may lead to a better review of strategic plans
to the Business Objectives at a Major Canadian Financial Group, Journal of Information
Technology Cases and Applications, 2003)
(internal processes perspective), better management of
stakeholders needs (stakeholders perspective) and ultimately
to higher long-term financial results (financial perspective).
In recent publications, Epstein and Roy have developed a
Building on these BSC applications, a scorecard has been
board balanced scorecard. They see the board BSC as an
developed for the IT governance process. It makes sense for
opportunity for companies and their boards to dramatically
CIOs, executive managers and board members that, through

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

 such a scorecard, they can oversee the IT governance contributed to meeting that outcome. The outcomes that are to
processhow well it is doing and how it can be improved. be scored include cost-effective use of IT, effective use of IT
Figure 4 displays the mission statements, objectives and for growth, effective use of IT for asset utilisation and
corresponding measures for the four dimensions: corporate effective use of IT for business flexibility. Based on the scores,
contribution perspective, stakeholders perspective, operational a weighted governance performance can be calculated.
excellence perspective and future perspective. Strategic match of major IT projects, percentage of
The ultimate goal of the development and implementation development capacity engaged in strategic projects and
of an IT governance process is attaining the fusion of business percentage of business goals supported by IT goals are specific
and IT and, consequently, achieving better financial results. strategic alignment concerns.
Therefore, it is logical that the IT governance BSC starts with Measuring the strategic match of IT projects can be done
a corporate contribution perspective. As shown in figure 4, the through a scoring technique as introduced by information
other three perspectives have a causal relationship with economics.12 Typical scores are attributed from zero to five,
corporate contribution and, amongst each other, cause-and- whereby zero means no match at all and five a perfect match
effect relationships. Overall, completed IT governance of the IT project with the business strategy. In the value
education (future orientation) may enhance the level of delivery area, business unit performance measurement refers
IT/business planning (operational excellence), which in turn to the business results of the individual lines of business.
may improve stakeholders satisfaction (stakeholders Indeed, the ultimate responsibility for achieving and measuring
orientation) and have a positive effect on the strategic match of the business value rests with the business units.13 Alternative
major IT projects (corporate contribution). The metrics of the metrics for value delivery assessment are the traditional
main elements of IT governance (figure 1)structures, financial evaluations, such as the return on investment (ROI),
processes and relational mechanismscan be found in the net present value (NPV), internal rate of return (IRR) and
operational excellence and future orientation perspectives. payback period (PB). A major concern of senior management
is the level of the IT costs and their recovery, respectively
Figure 4IT Governance Scorecard Perspectives measured through ratio IT costs/total turnover and percentage
and Their Cause-and-effect Relationships of IT costs charged back to the business. Regarding the risk
management objective, a high level of security and disaster
Corporate Contribution recovery should be attained respectively measured by
Ensuring maximum profit
through IT with reasonable risk
Cause thenumber of implemented IT security initiatives and security
Strategic alignment Effect breaches and the attainment of disaster recovery plans. The
Value delivery
Risk management audit performance is measured through the number of IT audits
Stakeholders performed and reported shortcomings.
Measuring up to stakeholders Future Orientation
expectations Building foundations for
Stakeholders satisfaction IT Governance IT governance delivery
Management of Skills and knowledge
stakeholders needs IT/business partnerships Figure 5Corporate Contribution
Legal and ethical compliance

Perspective Corporate Contribution

Operational Excellence Mission Ensuring maximum profit while mitigating IT-related risks
Ensuring effective and
sustained IT governance Objectives Strategic Alignment
Structures Measures Weighted governance performance
Processes
Maturity Strategic match of major IT projects
Percentage of development capacity
engaged in strategic projects
Percentage of business goals supported by
IT goals
Metrics for an IT Governance BSC
Value Delivery
The corporate contribution dimension evaluates the Measures Business unit performance management
performance of the IT governance process. A well-balanced IT Business value of major IT projects based
governance process must enhance business profit through IT on ROI, NPV, IRR, PB
while mitigating the risk related to IT (mission). The key Ratio IT costs/total turnover
issues, as depicted in figure 5, are strategic alignment, value IT costs charged back to the business
delivery and risk management. These three issues are seen by Risk Management
Measures Number of new implemented IT security
the IT Governance Institute as main concerns of IT initiatives and security breaches
governance.10 The main measurement challenge is within the Attainment of disaster recovery plans
area of strategic alignment. As an overall metric, a weighted Number of IT audits performed and
governance performance measure as developed by Weill and reported shortcomings
Ross is proposed.11 This governance performance measure is
based on the scores of a quick self-assessment of at least 10 Figure 6 portrays the objectives of the stakeholders
senior managers. They have to score on a scale from one (not perspective: stakeholder satisfaction, management of
successful) to five (very successful) how important a particular stakeholder needs and legal/ethical compliance. This
governance outcome is and how well IT governance perspective evaluates the IT governance process from the

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

 A crucial IT process in this context is manage changes as
Figure 6Stakeholders defined by Control Objectives for Information and related
Technology (COBIT), the internationally accepted IT control
Perspective Stakeholders Orientation framework.16 The objective of the manage changes process is
Mission Measuring up to stakeholders expectations to minimise the likelihood of disruption, unauthorised
Objectives Stakeholder Satisfaction alterations and errors, and in this senseif this process is
Measures Stakeholders satisfaction surveys on fixed
times
properly implemented with authorised system changes and a
Number of complaints of stakeholders tracking system of changesit is a crucial supportive
Index of availability of systems and mechanism for Sarbanes-Oxley compliance. A specific metric
applications for IT adherence to Sarbanes-Oxley can be the maturity level
Management of Stakeholder Needs of the manage changes process, evaluated on the basis of the
Measures Number of meetings with stakeholders maturity model as defined in the management guidelines of
Clear communication in place with CEO and
board members
COBIT.17 Figure 7 illustrates maturity levels 0 and 5 of the
Index of CEO/board involvement in new and manage changes process.
major IT initiatives
Number of major IT projects within SLA Figure 7Maturity Levels for
Legal and Ethical Compliance Manage Changes Process
Measures IT adherence to Sarbanes-Oxley Act Level 0: Nonexistent
IT adherence to privacy regulations There is no defined change management process, and changes can be
Adherence to IT code of ethics/IT code made with virtually no control. There is no awareness that change can
of conduct be disruptive for both IT and business operations and no awareness
of the benefits of good change management.
stakeholders viewpoint including the board of directors, CEO
Level 5: Optimised
and executive management, CIO and IT management, business The change management process is regularly reviewed and updated
and IT users, customers, shareholders and community. to keep in line with the best practices. Configuration information is
It is important to point out that the scope of this computer-based and provides version control. Software distribution
stakeholders perspective is much broader than the customer is automated, and remote monitoring capabilities are available.
perspective as described in the IT balanced scorecard (figure 2). Configuration and release management and tracking of changes is
sophisticated and includes tools to detect unauthorised and
The broader scope is derived from the board scorecard (figure unlicensed software. IT change management is integrated with
3). In relation to stakeholders satisfaction, the scores on business change management to ensure that IT is an enabler to
satisfaction surveys (stakeholders satisfaction survey on fixed increasing productivity and creating new business opportunities for
times) for the aforementioned categories of stakeholders can be the organisation.
used. (Source: ITGI, COBIT, 2000)
This can also be applied to the number of complaints of
stakeholders. An overall specific metric for business users is The operational excellence perspective identifies the key IT
the index of availability of systems and applications. governance practicesstructures and processesto be
The management of stakeholders needs is assessed through implemented and their corresponding metrics. As previously
a set of performance metrics, including measurements for the defined, structures refer to the existence of responsible functions
various stakeholder groups (number of meetings with and committees, and processes refer to decision-making and
stakeholders), more specific measurements for the board and monitoring. Major IT governance structures and processes, as
CEO (clear communication in place with CEO/board members identified by Peterson18 and Van Grembergen,19 are shown in
and index of CEO/board involvement in new and major IT figure 8. The operational excellence card of figure 9 gives a
initiatives), and specific measurements for the business users variety of metrics for IT governance structures and processes,
(number of major IT projects within SLA). Service level including an overall IT governance maturity measurement. For
agreements (SLAs) are an important governance instrument for the structures area, three specific metrics regarding IT
enforcing levels of IT service that are acceptable by users and committees are retained: the number of meetings of IT strategy
attainable by their IT department and/or external providers.14 committee and IT steering committees, the composition of IT
The third objective within the stakeholders perspective is committees, and the overall attendance of IT committees.
legal and ethical compliance. Epstein and Roy state, The Taking the criticality of IT into account, boards should
companys reporting strategy is a powerful driver of manage IT with high commitment and accuracy as they do
stakeholder satisfaction, so accountable companies should with other critical areas, such as audit, compensation and
provide transparent reporting to their internal and external acquisitions. An instrument for achieving this is an IT strategy
stakeholders.15 Accountability and transparency can be committee that supports the board in carrying out its IT
enhanced through adherence to government and IT community governance duties.20
regulations. On the other hand, the detailed implementation of the
The Sarbanes-Oxley Act, for example, focuses on the IT/business strategies is the responsibility of executive
control and security of a companys financial systems and, management assisted by a variety of steering committees
consequently, its supporting IT processes (see IT Control overseeing major projects and managing priorities. Considering
Objectives for Sarbanes-Oxley, www.isaca.org). the importance of the IT strategy committee and the IT steering

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

 committee, these committees need a careful and close should probably strive to a higher IT governance level than a
monitoring through the aforementioned measures. Besides concrete factory, for example. To give an indication, a
meeting frequency and attendance, profile and IT literacy should worldwide survey found that the average maturity for the 34
be monitored to ensure that the right people are members. COBIT IT processes was around 2.0.26
The ideal composition of an IT strategy committee includes The future orientation scorecard reports on the building of
a board member as chairman, other board members, nonboard foundations for governance delivery focusing on relational
independent members and ex-officio representation of key mechanisms, the third leg of the IT governance tripod
executives.21 Whether the CIO or a member of executive (figure 1). Relational mechanisms such as business/IT
management is on board is an indication of how important IT co-location, partnership rewards and incentives, shared
is considered within the organisation. The metric examples of understanding of business/IT objectives, cross-functional
the processes objective are focused on the level of and business/IT training, and cross-functional business/IT job
involvement in IT/business planning, the use of scorecards, the rotation are of primordial importance. IT governance structures
coverage by COBIT and the IT Infrastructure Library (ITIL), and processes may be in place, but when IT and business
and the maturity levels of the IT processes. The level of IT professionals do not understand each other and do not share
strategy planning and business planning can be monitored by the business/IT-related problems, a successful fusion between
the effective use of strategic models, such as the competitive areas will not be achieved. Implementing the right relational
forces model and the value chain of M. Porter22 and the
strategic alignment model of J.C. Henderson and N.
Venkatraman.23 As already illustrated in this article, the Figure 8IT Governance Structures and Processes
balanced scorecard can be an effective management
instrument. The existence of an IT balanced scorecard and a Structures Processes
business balanced scorecard is very supportive for achieving a Tactics IT executives and accounts IT decision-making
Committees and councils IT monitoring
link between IT and business objectives. Establishing such a
Mechanisms Roles and responsibilities Balanced scorecards
cascade of scorecards with rolling up and aggregating metrics IT strategy committee Strategic IT planning
of the IT scorecard in the business balanced scorecard may IT steering committee COBIT and ITIL
help to realise the ultimate link between IT and business.24 IT organisation structure Service level agreements
This cascade mechanism can also be used between the IT CIO on board Information economics
scorecard and scorecards on a lower level for the different IT Project steering committees Maturity models
processes (metric: number of IT processes through a (Adapted from Peterson, R.R.; Integration Strategies and Tactics for
Information Technology Governance, and Van Grembergen, W.; S. De Haes;
scorecard). Outcome measures (key goal indicators) and E. Guldentops; Structures, Processes and Relational Mechanisms for IT
performance drivers (key performance indicators) can be found Governance, Strategies for Information Technology Governance, Idea Group
in the management guidelines of COBIT for the 34 identified IT Publishing, 2004)
processes as well as the corresponding maturity models
(metric: maturity levels of IT processes). The control
objectives of COBIT indicate for the different IT processes
what has to be accomplished, whereas other standards, such as Figure 9Operational Excellence
ITIL, describe in detail how specific IT processes can be Perspective Operational Excellence
organised and managed. Regarding COBIT and ITIL, two Mission Ensuring effective and sustained IT governance
metrics are included: the number of IT processes covered by Objectives Structures
COBIT and ITIL. The percentage of IT goals supported by IT Measures Number of meetings of IT strategy
processes is related to the corporate contribution measure of committee and IT steering committees
Composition of IT committees
percentage of business goals supported by IT processes. A Overall attendance of IT committees
clear causal relationship between both metrics exists: if IT CIO on board or member of executive
goals are not properly supported by IT processes, insufficient management
IT support for the business may result. The operational Processes
excellence card concludes with an IT governance maturity Measures Level of IT strategy planning and business
evaluation. Overall level of the IT governance process maturity planning
Number of hours spent on IT/business
can be assessed through the IT governance maturity model of strategic issues
ITGI as reproduced in figure 10. Such a maturity model Existence of an IT balanced scorecard and
provides a method for scoring that enables an organisation to a business balanced scorecard
grade itself from nonexistent (level 0) to optimised (level 5). Number of IT processes measured
Maturity models, such as the ITGI model of figure 10 and through a scorecard
Number of IT processes covered by COBIT
others such as the one developed by J. Luftman,25 have to Number of IT processes covered by ITIL
comply with the basic principles of maturity measurement: one Maturity levels of IT processes
can only go to a higher maturity when all conditions described Percentage of IT goals supported by
in a certain level are fulfilled. The question of which level an IT processes
organisation should target is, of course, dependent on the Maturity
nature of the business; a business within the banking sector Measures Overall level of the IT governance process
maturity

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

 Figure 10IT Governance Maturity Model Figure 11Future Orientation
0 Nonexistent Perspective Future Orientation
There is no senior management oversight of IT-related activities. Mission Ensuring effective and sustained IT governance
1 Initial/ad hoc Objectives Skills and Knowledge
The concept of IT governance does not exist formally, and oversight Measures Number and level of cross-functional
is based mostly on a case-by-case basis. The governance of IT business/IT training sessions
depends on the initiative and experience of the IT management team. Number of overall IT governance training
The measurement of IT performance is only within the IT function. sessions
2 Repeatable but intuitive Percentage completed IT governance
There is a realisation that more formalised oversight of IT is required. education per skill type
Regular governance practices take place but rely mostly on the Number of IT governance presentations for
initiative of the IT management team. Problems identified are tackled CEO and board members
on a project basis with teams formed as necessary to undertake Level and use of IT governance knowledge
improvements. management system
3 Defined process IT/Business Partnership
An organisational and process framework has been defined for Measures Percentage of senior managers IT-literate
oversight and management of IT activities and is being introduced in Percentage of IT managers business-literate
the organisation as a basis for IT governance. The board has issued Level of business perception of IT value
guidance, which has been developed into specific procedures for
management. alignment. Level of business perception of IT value can be
4 Managed and measurable measured through scores from one (IT perceived as a cost) to
Target-setting has developed to a fairly sophisticated stage with
relationships between outcome goals in business terms, and IT
five (IT seen as a driver/enabler).
process improvement measures are now well understood. Real results Discussion and Conclusion
have been communicated to management in the form of a balanced Drawing on previous work on balanced scorecards
scorecard. measuring the IT function and the board performance, a
5 Optimised generic IT governance balanced scorecard was developed in
IT governance practices have developed into a sophisticated approach
using effective and efficient techniques. There is true transparency of
this paper. A particular challenge was to construct a scorecard
IT activities, and the board feels in control of the IS strategy. IT adequately capturing the performance of the IT governance
activities have been optimally directed toward real business priorities. process along with the differences with the IT BSC and the
(Adapted from ITGI, Board Briefing on IT Governance, 2nd Edition,
board BSC. The corporate contribution perspective of the
2003, www.itgi.org) proposed IT governance BSC matches with that of the IT
function. Indeed, the ultimate goal of both scorecards is
obtaining better corporate financial results. The main
mechanisms is the crucial enabler for better governance
differences are that the other perspectives focus completely on
structures and processes (operational excellence perspective),
the IT governance process and some of the metrics of the IT
higher stakeholder satisfaction (stakeholders perspective), and
governance BSC will be rolled up and/or aggregated in the IT
ultimately a higher governance performance (corporate
BSC. This is also true for the board BSC, which will certainly
contribution perspective). Figure 11 displays the two distinct
import some relevant IT governance measures.
objectives of the future orientation perspective: skills and
Improving IT governance performance is the main reason
knowledge and IT/business partnership. Within the skills and
for building and implementing an IT governance scorecard. It
knowledge area, the cross-functional education and training
must be clear that measuring is not enough; the scorecard must
metrics are predominant: number and level of cross-functional
be implemented as a management system. When the
business/IT training sessions, number of overall IT governance
measurements indicate that there are major problems with risk
training sessions, and percentage of completed IT governance
management (corporate contribution), a strategy may be to
education per skill type. A specific and important measure is
adequately improve the disaster recovery planning (DRP)
the number of IT governance presentations for CEO and board
through a COBIT and ITIL implementation of this process
members, capturing the communication efforts between the IT
(operational excellence), which in turn may need cross-
management team and its business hierarchy. Level and use of
sectional business/IT training in COBIT, ITIL and DRP
the IT governance knowledge management system refers to an
(future orientation).
intranet that all employees can access for seeking and sharing
With an IT governance balanced scorecard, organisations
knowledge on the IT governance practices within the
can empower their board, CEO, CIO, executive management,
organisation. IT/business partnership objectives report on the
and the business and IT participants by providing them the
IT and business literacy of respectively senior business
information that is needed to act and achieve a better fusion
managers (percentage of senior managers IT-literate) and the
between business and IT and, consequently, reach better
IT team (percentage of IT managers business-literate). The
results. In this sense, the IT governance scorecard can play an
importance of these two metrics is confirmed by T. Teo and J.
important role in an overall program that should be in place to
Angs study,27 where the knowledgeability of IT management
enhance corporate governance.
and top executives about business and IT was found to be two
crucial critical success factors in business/IT planning

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

 Currently, many organisations are introducing and Transforming the Balanced Scorecard from Performance
implementing IT governance processes. Using the proposed Measurement to Strategic Management: Part II, Accounting
generic IT governance BSC may help them to realise a Horizons, vol. 15, no.2, July, p. 147-160, 2001.
successful implementation. Further research may focus on how 8
Van Grembergen, W.; S. De Haes; I. Amelinckx; Using
IT governance cards are built and implemented in practice and COBIT and the Balanced Scorecard as Instruments for
what the cost and benefits are of such an implementation. Service Level Management, Information Systems Control
Journal, volume 4, 2003. Van Grembergen, W.; R. Saull;
Endnotes S. De Haes; Linking the IT Balanced Scorecard to the
1
Epstein, M.J.; M.J. Roy; Measuring and Improving the Business Objectives at a Major Canadian Financial Group,
Performance of Corporate Boards, The Society of Journal of Information Technology Cases and
Management Accountants of Canada, 2002, Applications, 2003.
www.cma-canada.org. Epstein, M.J.; M.J. Roy;
9
Op. cit., Epstein and Roy
How Does Your Board Rate?, Strategic Finance,
10
Op. cit., ITGI, 2003
February, p. 25-31, 2004.
11
Op. cit., Weill and Ross
2
Van Grembergen, W.; R. Van Bruggen; Measuring and
12
Parker, M.; Strategic Transformation and Information
Improving Corporate Information Technology Through the Technology, Upper Saddle River (NJ), Prentice Hall, 1996
Balanced Scorecard Technique, Proceedings of the
13
Op. cit., Van Grembergen et al., 2003
European Conference on Information Technology, Delft,
14
Ibid.
The Netherlands, 1997. Graeser, V.; L. Willcocks; N.
15
Op. cit., Epstein and Roy
Pisanias; Developing the IT Scorecard, Business
16
ITGI, COBIT Control Objectives, 2000, www.itgi.org
Intelligence, Wimbledon, London, 1998. Van Der Zee, J.;
17
ITGI, COBIT Management Guidelines, 2000, www.itgi.org
B. De Jong; Alignment Is Not Enough: Integrating
18
Op. cit., Peterson
Business and Information Technology Management With the
19
Op. cit., Van Grembergen et al., 2004
Balanced Business Scorecard, Journal of Management
20
Op. cit., ITGI, 2003
Information Systems, 16(2), 1999.
21
Ibid.
3
Duffy, J.; IT Governance and Business Value Part I: IT
22
Porter, M.; Competitive Advantage: Creating and Sustaining
GovernanceAn Issue of Critical Importance, IDC Superior Performance, Free Press (NY), 1998. Porter, M.;
document #27291, 2002a. Duffy, J.; IT Governance and Strategy and the Internet, Harvard Business Review,
Business Value Part 2: Whos Responsible for What?, IDC March 2001.
document # 27807, 2002b. ITGI, Board Briefing on IT
23
Henderson J.C.; N. Venkatraman; Strategic Alignment:
Governance, 2nd Edition, 2003, www.itgi.org. Van Leveraging Information Technology for Transforming
Grembergen, W. (ed); Strategies for Information Technology Organizations, IBM Systems Journal, vol. 32, no. 1, 1993
Governance, Idea Group Publishing, 2004. Weill, P; J. Ross;
24
Op. cit., Van Grembergen et al., 2003
Dont Just Lead, Govern: Empowering Effective Enterprise
25
Luftman, J; Assessing Business-IT Alignment Maturity,
Use of Information Technology, Harvard Business School Communications of AIS, # 4, 2000
Press, Boston, 2004.
26
Guldentops, E.; W. Van Grembergen; S. De Haes; Control
4
Van Grembergen, W.; Introduction to the Minitrack: IT and Governance Maturity Survey: Establishing a Reference
Governance and Its Mechanisms, Proceedings of the 35th Benchmark and a Self-assessment Tool, Information
Hawaii International Conference on Systems Sciences Systems Control Journal, vol. 6, 2002
(HICSS), 2002
27
Teo, T.; J. Ang; Critical Success Factors in the Alignment
5
Peterson, R.R.; Integration Strategies and Tactics for of IS Plans with Business Plans, International Journal of
Information Technology Governance, Strategies for Management Information, # 19, 1999
Information Technology Governance, edited by W. Van
Grembergen, Idea Group Publishing, p. 37-80, 2004 Wim Van Grembergen
6
Van Grembergen, W.; S. De Haes; E. Guldentops; is professor and chair of the Information Systems Management
Structures, Processes and Relational Mechanisms for IT Department at the Economics and Management Faculty of the
Governance, Strategies for Information Technology University of Antwerp (UA) and executive professor at the
Governance, edited by W. Van Grembergen, Idea Group University of Antwerp Management School (UAMS). Van
Publishing, 2004, p. 1-37 Grembergen is engaged in the continuous development of the
7
Kaplan, R.S.; D. P. Norton; The Balanced Scorecard: COBIT framework. He is also member of the Academic
Translating Strategy into Action, Harvard Business School Relations Task Force of ISACA and is currently conducting a
Press, Boston, 1996. Kaplan, R.S.; D.P. Norton; Having research project for ISACA on IT governance. Van
Trouble with Your Strategy? Then Map It, Harvard Grembergen is a frequent speaker at academic and professional
Business Review, September-October, p. 167- 176, 2000. meetings and conferences and has served in a consulting
Kaplan, R.S.; D.P. Norton; Transforming the Balanced capacity to a number of firms. He is a member of the board of
Scorecard from Performance Measurement to Strategic directors of IT companies, including an IT consultancy firm
Management: Part I, Accounting Horizons, Vol. 15, No.1, and an IT firm servicing a Belgian financial group. Recently,
March, p. 87-104, 2001. Kaplan, R.S.; D.P. Norton; he established at UAMS the ITAG Research Institute, which

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

aims to contribute to the understanding Research Availability
of IT alignment and governance through research and As part of a broader research project that will address the five
dissemination of the knowledge via publications, conferences domains of IT governance, the IT Governance Institute (ITGI)
and seminars (www.uams.be/itag). He can be contacted at recently completed a major global benchmarking survey of 200
[email protected]. IT professionals. The areas addressed are return on investment
(ROI), performance measurement, information risk
Steven De Haes management, IT alignment and IT resources. Lighthouse
is responsible for the Information Systems Management Global, a London-based management consultancy, carried out
executive programs at the University of Antwerp Management the survey portion of the project. The survey covered 14
School (UAMS). He is engaged in research in the domains of countries in North and South America, Asia-Pacific and
IT governance and conducts research in this capacity for ITGI. Europe. Toward the end of the second quarter and in the third
Currently, he is preparing a Ph.D. on the practices and quarter of 2005, ITGI will publish a series of reports based on
mechanisms of IT governance. He has published several the survey results. One volume in the series, by this article's
articles on IT governance, most recently in the Information authors, will further expand on the balanced scorecard to
Systems Control Journal, the Journal for Information address the performance measurement domain of IT
Technology Case Studies and Applications (JITCA) and the governance. Please check www.itgi.org for the latest
proceedings of the Hawaiian International Conference on information on the reports' availability.
System Sciences (HICSS). He can be contacted at
[email protected].

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.

Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005