Performance Measurement of Information Technology Governance: a Case Study

Established in 2001, XYZ Cargo is a freight forwarder service company specializing in logistics transportation, located in Jakarta. XYZ Cargo has broad experience in both ocean freight and air freight services and has more than sixty partner agents around the world. XYZ Cargo has implemented Information Technology (IT) that covers all key aspects of the enterprise's business processes. It has an impact on the strategic and competitive advantages of its success. Many organizations have started implementing IT governance in order to achieve collaboration between business and IT. The purpose of this research is to get an overview of the performance of the currently running IT governance, considering aspects such as effectiveness, efficiency, the functional unit of information technology within the organization, data integrity, safeguarding of assets, reliability, confidentiality, availability, and security. The analytical tool used in this research is the COBIT 5 standard procedure by ISACA. The results for IT governance based on COBIT 5 in the EDM domain show average values from 2.0 to 2.7 (managed process) for EDM01, EDM02 and EDM03, and from 1.3 to 1.7 (performed process) for EDM04 and EDM05.


Introduction
In private enterprise, the board, in conjunction with the senior management team, has the responsibility of implementing governance principles so as to ensure the effectiveness of organizational processes and investments [1,2]. Obtaining accurate information as soon as possible is recognized by organizations as an important tool for competitive survival and is considered one of the most important strategic resources [3]. In the global context of rapid changes and fast communication, information has become a strategic asset, and information technology (IT) is an important contributor to the success of the economy [4][5][6]. Enterprises understand the growing importance of IT and consider it a treasure in enhancing their competitive position and adding value to their business. In addition, IT usage provides benefits at several levels of businesses, government and society [7,8].
Many organizations make huge investments in IT to secure or maintain competitive advantages [9]. IT-enabled business investment projects are still believed to present the possibility of higher rates of return on investment than traditional types of investments [10]. The success of many organizations depends on how effectively they manage and control IT to ensure that the expected rewards are realized. Effective IT governance generates real business benefits such as enhanced reputation, trust, product leadership, and reduced costs. As examples, IBM implemented supply chain improvements that saved US $12 billion by reducing inventory levels, and the UK Royal Mail adopted business and accounting systems that resulted in a positive profitability change of £3 million per day [11,12].
Thus, this paper aims to investigate the governance structure of the IT function by defining its structures, processes and mechanisms. All of these will be used to define decision-making rights and responsibilities for the main IT issues, and the control and monitoring mechanisms for the effectiveness of such decisions. COBIT 5 was used as a guideline to assess all the processes within the IT function, and, to identify a structure for a governance framework for the company setting, an investigation was done on the IT units in the selected IT function [13].

IT Governance
The Information Technology Governance Institute (ITGI) defined IT governance as follows: "It is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives" [14]. IT governance is the structure of relationships, processes and mechanisms used to develop, direct and control IT strategy and resources so as to best achieve the goals and objectives of an enterprise. It is a set of processes aimed at adding value to an organization while balancing the risk and return aspects associated with IT investments [15].
Gartner defines IT governance as the set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives. Doughty defines IT governance as a framework that supports the effective and efficient management of information resources (e.g. people, funding and information) to facilitate the achievement of corporate objectives. The focus is on the measurement and management of IT performance to ensure that the risks and costs associated with IT are appropriately controlled [16].
Gartner states that IT governance addresses two major topics: IT demand governance ("doing the right thing") and IT supply-side governance ("doing things right"). The focus of this paper is on the COBIT 5 framework and how it covers both the governance and management of IT [17].

The COBIT 5 Process Reference Model
One of the guiding principles in COBIT is the distinction made between governance and management. Every enterprise is expected to implement governance processes and management processes so as to provide comprehensive governance and management of enterprise IT. Considering governance and management processes in the context of the enterprise, the difference between the two types of processes lies in their objectives:

Governance processes
Governance processes deal with the stakeholder governance objectives such as value delivery, risk optimization and resource optimization, and include practices and activities aimed at evaluating strategic options, providing direction to IT and monitoring the outcome (Evaluate, Direct and Monitor [EDM], in line with the ISO/IEC 38500 standard concepts).

Management processes
In line with the definition of management, practices and activities in management processes cover the responsibility areas of PBRM (plan, build, run and monitor) enterprise IT, and they have to provide end-to-end coverage of IT [18]. COBIT 5 is not prescriptive, but, as explained in the previous passage, it advocates that enterprises implement governance and management processes such that the key areas are covered, as shown in Figure 1. An enterprise can organize its processes as it sees fit, as long as the basic governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives. The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, with the Risk IT and Val IT process models integrated as well. Figure 2 shows the complete set of 37 governance and management processes within COBIT 5 [18]. According to [19,20], the six levels of the COBIT 5 Process Capability Model are shown in Table 1.

Methods
This research uses a literature study, conducting an early survey that analyzes the vision and mission, goals and objectives that form the company's strategic plan. The strategic plan here means the strategies and policies related to the management of IT investments and field observations. The analytical tool used in this study was the standard procedure COBIT, issued by ISACA (Information Systems Audit and Control Association). The data were obtained by distributing questionnaires.
Data were gathered by distributing the questionnaires to every department in XYZ Cargo. The respondents consisted of 5 members of top management and 35 representatives of the departments in XYZ Cargo, for a total of 40 respondents.
A report is produced from the questionnaire results, with the collected data processed according to the Process Capability Model level calculation. The results of the audit contain the findings for the present (current Process Capability Model level) and the expectation for the future (expected Process Capability Model level). The next steps are to calculate the gap between the current and expected Process Capability Model levels, interpret it, and provide a list of recommended corrective actions to close the gap and so achieve improvements in IT governance. Figure 3 shows the step-by-step performance measurement of IT governance [21].

Results and Analysis
In this chapter, following [18], [22], the authors analyze general controls using the COBIT 5 framework approach. The analysis concentrates on the environment within the IT department at XYZ Cargo, including its employees, equipment, physical security, regulations, etc. The focuses of the Evaluate, Direct and Monitor (EDM) domain are as follows: to ensure governance framework setting and maintenance (EDM01); to ensure benefits delivery (EDM02); to ensure risk optimization (EDM03); to ensure resource optimization (EDM04); and to ensure stakeholder transparency (EDM05).

EDM01 Ensure Governance Framework Setting and Maintenance
The process description analyzes and articulates the requirements for the governance of enterprise IT, and maintains the effectiveness of its structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise's mission, goals, and objectives. The process purpose statement provides a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, this process is effectively and transparently overseen. Compliance with legal and regulatory requirements is confirmed and the governance requirements for board members are met. Table 2 shows the Process Capability Domain EDM01 in ensuring the governance framework setting and maintenance. There is awareness of IT governance issues. IT governance activities and performance indicators, including IT planning, delivery and monitoring processes, are under development. The selected IT processes are determined based on individuals' decisions. The average of its management process is shown at the level of 2.7.

EDM02 Ensure Benefits Delivery
The process description optimizes the value contribution of the business processes, IT services, and IT assets resulting from investments made at acceptable costs. The process purpose statement provides optimal value from IT-enabled initiatives, services and assets, cost-efficient delivery of solutions and services, and a reliable and accurate mapping of cost and benefit expectations so that the business's needs can be effectively and efficiently supported. Table 3 shows the Process Capability Domain EDM02 in ensuring the benefits delivery.
Monitoring is implemented and metrics are chosen on a case-by-case basis, according to the needs of specific IT projects and processes. Monitoring is generally implemented reactively to incidents that caused loss or embarrassment to the organization. The average of its management process is shown at the level of 2.3.

Table 1. The six levels of the COBIT 5 Process Capability Model
Level 0. The process is not in place or it cannot reach its objective. At this level the process has no objective to achieve. For this reason this level has no attribute.
Level 1: Performed process. The process is in place and achieves its own purpose. This level has only "Process Performance" as process attribute.
Level 2: Managed process. The process is implemented following a series of activities such as planning, monitoring and adjusting activities. The outcomes are established, controlled and maintained. This level has "Performance Management" and "Work Product Management" as process attributes.
Level 3: Established process. The previous level is now implemented following a defined process that allows the achievement of the process outcomes. This level has "Process Definition" and "Process Deployment" as process attributes.
Level 4: Predictable process. This level implements processes within a defined boundary that allows the achievement of the process outcomes. This level has "Process Management" and "Process Control" as process attributes.
Level 5: Optimizing process. This level implements processes in a way that makes it possible to achieve relevant, current and projected business goals. This level has "Process Innovation" and "Process Optimization" as process attributes.

EDM03 Ensure Risk Optimization
The process description ensures that the enterprise's risk factors are tolerable, articulated and communicated, and that those risk factors to the enterprise related to the use of IT are well identified and managed. The process purpose statement ensures that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk on enterprise value is identified and managed, and the potential for compliance failures is minimized. Table 4 shows the Process Capability Domain EDM03 in ensuring the risk optimization. Risk management is usually at a high level and is typically applied only to major projects or in response to problems. The average of its management process is shown at the level of 2.0.

EDM04 Ensure Resource Optimization
The process description ensures that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at the optimal cost. The process purpose statement ensures that the resource needs of the enterprise are met in an optimal manner, IT costs are optimized, and the likelihood of benefit realization and the readiness for future change are increased. Table 5 shows the Process Capability Domain EDM04 in ensuring resource optimization.
There is a tactical approach to hiring and managing resource monitoring, driven by project-specific needs rather than by the balance of internal and external availability of skilled staff. Informal training takes place for new personnel, who then receive training on an as-required basis. The average of its process performance is shown at the level of 1.7.

EDM05 Ensure Stakeholder Transparency
The process description ensures that the enterprise's IT performance and conformance measurement and reporting are transparent, including stakeholders' approval of the goals, metrics, and the necessary remedial actions. The process purpose statement makes sure that communication with stakeholders is effective and timely, and that the basis for reporting is established to increase performance. Further, it identifies areas for improvement and confirms that IT-related objectives and strategies are in line with the enterprise's strategy. Table 6 shows the Process Capability Domain EDM05 in ensuring the stakeholder transparency.
Management is reactive in addressing the requirements of the information control environment. Policies, procedures, and standards are developed and communicated on an ad hoc basis as driven by issues, especially when the development, communication, and compliance processes are still informal and inconsistent. The average of its management process is shown at the level of 1.3.
Table 7 and Figure 4 show the performance level of the Process Capability Domain in performing Evaluate, Direct and Monitor.

Conclusion
The conclusion that can be drawn from the research is that the IT governance at XYZ Cargo has still not run optimally, because the processes have not reached the expected process capability. The process capability of the IT processes in domain EDM01, ensuring the governance framework setting and maintenance, was on average at 2.7; EDM02, ensuring the benefits delivery, is on average at 2.3; and EDM03, ensuring the risk optimization, is on average at 2.0. The performance levels of EDM01, EDM02 and EDM03 are still at level 2 (managed process). The EDM04 domain, ensuring the resource optimization, is on average at level 1.7, while the EDM05 domain, ensuring the stakeholder transparency, is on average at level 1.3. The performance levels of EDM04 and EDM05 are still at level 1 (performed process). Therefore, the performance of IT governance processes in XYZ Cargo has a repeated pattern in conducting activities related to the management of information technology governance. Yet it is not well defined and formalized; thus, it still happens inconsistently.

Figure 1. COBIT 5 Governance and Management Key Areas

Figure 3. Step by Step Performance Measurement of IT Governance

Table 2. Process Capability Domain EDM01 in Ensuring the Governance Framework Setting and Maintenance