

Joe Peppard
Cranfield School of Management
Cranfield, Bedford, UK
j.peppard@cranfield.ac.uk

Abstract
Information technology governance has become a key issue for organizations as IT decision-making authority and responsibility is devolved away from a central IT function to local IT units and increasingly out of the remit of IT specialists altogether. Research to date has either been conceptual treatises on the issue, or recounts the structures and mechanisms that are currently in place in the organizations studied, even though these may have emerged rather than having been explicitly planned. This paper reports on research that is exploring how to describe, diagnose, and design appropriate IT governance structures. Using a participatory research design, where researchers and practitioners are both co-subjects and coresearchers in the research process, it proposes Beer’s viable systems model (VSM) as a guiding framework in considering IT governance. It illustrates how the VSM-influenced IT governance model can be used to describe, diagnose, and design an effective governance structure.

Keywords: IT governance, viable systems model, participatory action research

With information systems and technology both operationally and strategically critical for organizations today, the governance of information technology has become a key issue and concern.1 This is particularly so as decisions regarding IT are devolved out of central staff functions to local operating units (Earl et al. 1996; Hodgkinson 1996) and as many decisions traditionally seen as falling within the remit of IT specialists are increasingly being made by non-IT specialists (Ross and Weill 2002). In addition, so-called business decisions, such as the decision to divest a business unit or to enter a new geographical market, can have significant implications for IT (Peppard 1999; Robertson and Powell 2001). Consequently, as more and more employees throughout the organization become involved in decision-making or have responsibility for decision-making about IT, this has implications for coordination, control, ensuring conformance to standards and policies, and identifying opportunities for synergies. To complicate matters further, employees may be located in geographically disparate locations, operating across different time zones and from different cultures. Apart from different experience and knowledge of IT, they are also likely to hold contrasting views and beliefs about IT and how it should be deployed. The challenge for organizations is to ensure coherence across all decisions that relate to or impact IT, maximizing the opportunities provided by IT while also optimizing return on IT investment.2 All this requires ensuring a consistent and desirable decision-making behavior among employees at all levels in an organization regarding IT. This is the essence of governance (Jensen and Meckling 1976) and IT governance seeks to establish a framework within the organization to foster and promote such

1 IT governance appeared as a key issue and concern for IT executives for the first time in the most recent survey of Society of Information Management (SIM) and Conference Board members (Luftman and McLean 2004). This survey has been undertaken at regular intervals since 1982.


2 This research is underpinned by this assumption. It does not seem unreasonable.
2005 — Twenty-Sixth International Conference on Information Systems 11

Breakthrough Ideas in Information Technology

desirable behaviors (Brown 1997; Peterson 2004; Sambamurthy and Zmud 1999; Weill and Ross 2004). It requires formal allocation of accountabilities and responsibilities and the creation and implementation of appropriate mechanisms (e.g., cross functional forums, charge back, policies, and liaison roles) and decision-making processes. According to recent research “effective IT governance is the single most important predictor of value an organization generates from IT” (Weill and Ross 2004, p. 4, emphasis in original). Early debates merely framed the dilemma as a choice between centralization and decentralization of computing resources (see Buchanan and Linowes 1980; George and King 1991; King 1983). The experience, however, has proven that it is more complex and research into IT governance has been gathering momentum over the last decade (see Agarwal and Sambamurthy 2002; Brown, 1997, 1999; Peterson 2004; Peterson et al. 2000; Sambamurthy and Zmud 1999; Schwartz and Hirschheim 2003; Weill and Woodham 2002; Weill and Ross 2004). While empirical studies to date typically undertake data collection in contemporary organizations and report on findings, there is an implicit assumption with these studies that either planning went into the design of governance structures in these organizations or that the governance structures that have emerged and can now be observed are appropriate and comprehensive. The reality is that most IT governance structures and mechanisms have evolved, often as a consequence of problems, rather than as the result of proactive analysis and planning. While insightful, the research literature reports on governance structures a priori, with no empirical studies having the aim of proactively developing a process to aid in the construction of an effective IT governance structure. 
The research reported in this paper addresses this deficiency and uses a participatory action research method to develop a framework for describing, diagnosing, and designing an IT governance structure. This research approach saw practitioners and researchers involved as both co-subjects and coresearchers in the inquiry process. The paper suggests that cybernetics provides an ideal backdrop to considering the practice of IT governance as well as aid in defining an approach and process. In particular, Beer’s (1979, 1981, 1985) viable systems model (VSM) is used as a guiding framework for describing, diagnosing and designing IT governance structures. Based on established cybernetic theory, the fundamental principle of the VSM is Ashby’s law of requisite variety, which states that only variety can destroy variety (Ashby 1956, p. 207). The purpose of this paper is to illustrate how the VSM logic was used to construct an IT governance model and its application. After an overview of the research method, the paper provides a brief review of cybernetics, introducing its concepts and principles. It then presents the viable systems model (VSM), describing its key elements and principles, and explores the application of the VSM in the context of IT governance. The paper concludes with some observations and future research directions.

Research Method
The research approach for this study followed a participatory action research methodology, as exhibited in the work of Heron (1971, 1996), Reason (1993, 1999), and Skolimowski (1994), who espouse a participatory paradigm, its ontological and epistemological foundations, its methodological implications, as well as a theory of validation. Participatory action research is an inquiry strategy that integrates experience, reflection, and action (Reason 1999), and its application and contribution to information systems practice has been explored by Breu and Peppard (2003). The research team established for this inquiry included academic researchers and practitioners from two organizations: a global telecommunications company (GlobalTelco) and an international design, engineering, and construction firm (InterDesign). The practitioner members of the inquiry team from these organizations were charged with assessing their respective organization’s existing IT governance mechanisms and recommending a new governance structure. In the late 1990s, GlobalTelco had been structured as three separate divisions, each with its own strategy, management structure, and IT infrastructure. The logic behind this approach was that it would be possible to spin off the separate businesses at some point in the future. With technology stocks out of favor by 2002, a new CEO, and a new group strategy, this was now not considered an option and the Board was seeking to create an integrated organization. The CIO at InterDesign saw the appointment of a new CEO together with their Sarbanes-Oxley compliance work as providing the ideal opportunity to formally address IT governance in the organization. In this organization, getting business involvement in IT decision making as well as in IT projects had traditionally been difficult.
Figure 1 illustrates the overall research process that was grounded in the model of participatory action research with its emphasis on creating and validating knowledge through research cycling (Heron 1981; Reason 1999). A central tenet of the participatory paradigm is the commitment to action; both organizations involved in this study were seeking to implement the results. The process of participatory inquiry is cyclical, with knowledge being produced through an iterative cycle of interaction, reflection, and application (Heron 1981). This incorporates a four stage process: (1) the members on the research team express

Peppard/Viable Systems Model Applied to IT Governance

Figure 1. Research Process of the IT Governance Project
(Figure not reproduced. Its labels, in the order they appear: Propositional knowledge: IT governance framework; contrasting with existing research. Presentational knowledge: concepts; stories and metaphors; using Viable Systems Model to represent governance. Practical knowledge: IT governance framework; good practice; an approach to determine optimum governance structure. Experiential knowledge: experiences, issues (including those identified in literature); types of governance mechanisms and structures found and inquiry team experiences of them; problems encountered.)

their theories about the subject area; (2) they apply those theories to practice (e.g., through interviews with experts, pilot projects, and informal conversations with practitioners); (3) they filter the experience with the exposition of the theory to practice and extract the learning; and (4) they use the learning to improve the initial theory. The inquiry team moved through this cycle a number of times. For example, during research cycle 1, the inquiry group was focused on reaching a common view on what IT governance was (an early workshop revealed inconsistencies across the group as to what exactly IT governance was and what it entailed), as well as developing a framework that would describe the requirements and components of a governance structure. Team members’ existing knowledge and experiences of governance, its mechanisms (e.g., committees, liaison roles, charge-back), and problems resulting from inadequate governance were examined. The research team then developed some concepts that captured the issues of concern. It was during this research cycle that a member of the inquiry group from GlobalTelco suggested that Beer’s viable systems model (VSM) might provide a useful lens for framing the issues and problems previously surfaced and the skeleton of a theory that could potentially be applied to IT governance. Having partially completed a Ph.D. using the VSM, he was well versed with cybernetics and the work of Beer and able to familiarize the other team members with its principles and theorems. This proposal was subsequently debated within the research team, as a result of which its language changed, and it was agreed to use it for developing an initial IT governance framework. Practical ideas about how this framework could be applied were then surfaced and discussed and an initial diagnostic tool was jointly developed. Research cycle 2 involved undertaking diagnostic studies in GlobalTelco and InterDesign. 
The research team jointly designed a semi-structured interview schedule based on the conceptual framework for IT governance developed during the first cycle. Interviews were conducted by the academic members of the research team with 18 practitioners across the two sites, on their experiences with various aspects covered by the VSM-influenced IT governance framework. Data from these interviews were fed back to the research team for analysis and debate and subsequently used to populate and refine the initial models and frameworks developed during the first cycle. A third cycle involved the development of an approach to design an IT governance structure and similarly followed the format and principles of participatory action research cycling. This approach was used by both organizations in the design of their IT governance structure.


The term cybernetics originated in 1948 when Norbert Wiener used it to name a discipline apart from, but touching upon, such established disciplines as electrical engineering, mathematics, biology, neurophysiology, anthropology, and psychology. He introduced this discipline as “the science of communication and control in the animal and machine” (to which we might now add: in society and in individual human beings). Wiener needed a new word to reflect the new concept, and adopted the Greek word kubernites meaning “steersman” to evoke the rich interactions of goals, predictions, actions, feedback and responses in systems of all kinds. Indeed, cybernetics grew out of Shannon’s (1948) information theory, which was designed to optimize the transmission of information through communication channels, and the feedback concept used in engineering control systems. Cybernetics and systems theory study essentially the same problem, that of an organization independent of the substrate in which it is embodied. Insofar as it is meaningful to make a distinction between the two approaches, systems theory has focused more on the structure of the systems and their models, whereas cybernetics has focused more on how systems function, that is, how they control and coordinate their actions, and how they communicate with their own components or with other systems. Cybernetics additionally concerns itself with the capacity for self-organization—autopoiesis. Since the structure and function of a system cannot be understood in separation, cybernetics and systems theory should be viewed as two facets of a single approach. Beer (1979) viewed cybernetics as “the science of effective organization” and used the principles of cybernetics to address the design of organizations. He noted that organization charts don’t show how an organization really works; rather, they reflect the human need to think of social relations in terms of dominance hierarchies.

The Viable Systems Model
The viable system model (VSM) was developed in the 1950s by Beer, who first applied its principles to the steel and publishing industries. It was originally derived from his thinking about the “management” of the muscles by the brain and nervous systems, which he then applied to organizations. Beer wrote that a viable system is one that is able to maintain a separate existence and any system “that is capable to maintain its identity independently of other such organisms within a shared environment” (1979, pp. 21-22). In addition to variety, the notion of recursion is a fundamental concept of the VSM. For Beer, “any viable system contains, and is contained in, a viable system” (1979, p. 118). This means that every system contains subsystems that are able to maintain a separate existence, and that each of those viable subsystems has the same fundamental structure as the metasystem. Like any model, the VSM is a generalized model that can be used to describe any organization. Proponents of the VSM claim that all self-organizing systems conform to this model, even if participants are unaware of this. The VSM treats an organization as an information processing system as it strives to maintain balance. It provides a framework for diagnosing the structure of an organization, its ability to communicate internally and externally, and its effectiveness in controlling the deployment of its resources. A VSM always relates to a purpose; a multipurpose system requires the construction of several VSMs. According to the VSM logic, self-organizing systems have
• elements which do things (operations)
• elements which control3 the doer (management or metasystem)
• surroundings in which they function (the environment)

While the basic structure shown in Figure 2 illustrates how VSM is typically drawn, in reality the environment should go all the way around both the operation and its metasystem, and the metasystem should be embedded in the operations; for clarity, they are shown separately. The VSM has five subsystems, or functions, each having a specific task for maintaining the stability of the system. The VSM identifies these five functions as systems one through five. They are, respectively, the productive function, the coordination function, the executive function, the planning and future focus function, and the coherence function (see Figure 3). All that goes on in an organization can be described in terms of one or more of these functions.

3 Beer refers to control not in a policing or domineering sense, but as a means of taking coordinated action. The VSM emphasizes an organization’s level of “self” control that enables it to summon all its resources in coordinated action. It is the sort of control a skier exercises coming down a slope.






Figure 2. Basic Structure of the Viable Systems Model (VSM)

The conventions for constructing the VSM are as follows: the “cloud” indicates the system’s environment; circles indicate core operations of the system; squares and triangles indicate regulatory functions; and the thin lines between the symbols indicate the flow of information (see Figure 3).

System 1: The Productive Function
The System 1 (S1) activities are the operations or wealth-producing parts of the enterprise. They carry out the tasks that the system is intended to accomplish (i.e., implementation of the system’s purpose). All other VSM subsystems are management—or decision-making—rather than action oriented. The relationship between these operations and the environment is the central one that all the other functions support. It is essential to create the right conditions for all the operating units to function with as much autonomy as possible. The objective of the metasystem is to provide a service to the operational units to ensure that they work together in an integrated and harmonious fashion. It seeks to optimize overall performance. There must also be safeguards to ensure that the operating units cannot threaten the overall viability of the organization of which they are a part. Therefore,
• They must be accountable and able to demonstrate they are working to an agreed plan.
• There must be pre-agreed intervention rules, which means that autonomy is forfeit under certain conditions.

System 2: The Coordination Function
System 2 (S2) is the coordination function, sometimes referred to as the “anti-oscillation function” because it keeps the different activities of the operations running smoothly and keeps them from stepping on each other’s heels. Beer (1979) provides the example of a school timetable; it is a service that ensures that a teacher has only one lecture at any one time period and that only one class uses a room at a given lesson slot.

System 3: The Executive Function
System 3 (S3) is the executive function, where day-to-day management responsibility lies (i.e., day-to-day monitoring of S1). It oversees the productive operations and manages their common resources, staff, capital, and budgets. Importantly, it does not make policy but interprets it for the S1s. S3 relies on information directly from the localized management through the command axis (indicated by vertical lines downward from S3) and internal data from the audit channel System 3* (S3*). In the light of the

Figure 3. Structure and Relationships of the Viable Systems Model
(Figure not reproduced. Its labels: 5; 4; 3*; Synergy; Resource allocation; Central command; Coordination channel.)

agreed purpose, and based on the internal information regarding the state of the operation, S3 influences S1 by direct intervention or by modification of S2. System 3 only communicates internally and it does this through four channels (see Figure 3):
• The central command channel, used for top-down communications including communications designed to assure compliance with internal and external laws, policies, and control procedures.
• The resource allocation channel. With this channel, management does not issue orders but discusses alternatives and negotiates the resources to fulfill them, taking into consideration the greater degree of on-the-ground information available to operating management at System 1. Communication is in both directions.
• The System 2 channel provides routine coordination for System 1 activities.
• The System 3* channel is used when management wishes to delve deeper into the operations, for example, conduct an audit. This channel also facilitates synergy, the added efficiency which comes from working together in a cooperative fashion.

Systems 2, 3, and 3* deal only with the day-to-day operations, having no capability to consider the total and future environment or reflect upon the system’s purpose or identity. These are tasks of Systems 4 and 5.

System 4: The Planning and Future Focus Function
System 4 (S4), the planning and future focus function, like System 1, is connected directly to the environment. It includes research and development, market research, new products, and strategic planning. It investigates new technologies and customer needs. It emphasizes learning not only about the environment but also what is and isn’t working in the organization. In many ways, it is akin to Simon’s (1960) notion of intelligence as scanning the environment, both internal and external, seeking to identify problems and opportunities.

System 5: The Coherence Function
System 5 (S5) is the coherence function, maintaining the organizational identity and balancing the organization’s present and future requirements. It considers the organization’s purpose or identity and is thus responsible for the direction of the whole

system. Considering the information generated by S4, it creates policies that are conveyed to S3 for implementation by S1. S5’s second task is to monitor the balance between the long-term actions suggested by S4 and the short-term requirements articulated by S3. The functions described in the VSM do not have to correspond to job descriptions. However, Beer argued that they all must be carried out if an organization is to be viable. It is possible that the same person or collective in the organization may carry out several of the functions. This is particularly likely in smaller organizations but it is ultimately dependent on the distribution of decision-making authority—and thus the requirement for governance in the first instance. At the highest level of abstraction, viability entails a system being able to maintain its own identity. This is achieved by the interaction of a number of principles: autonomy (degree of freedom in decision-making) and adaptation (homeostatic, morphostatic, and morphogenetic); recursion (each subsystem layer contains the layers beneath it and each system is contained by the levels above it) and hierarchy (levels); invariants (key structures) and self-reference (each part of the model makes sense in terms of the other parts).

Applying the VSM in the Context of IT Governance
The objectives of the VSM have strong resonance with those of IT governance: to provide stability and coherence. Furthermore, the language of the VSM also reflects the language found in the discourse on IT governance; words such as adaptation, control, monitoring, coordination, synergy, balance, and policy, are prominent within the discourse in the IT governance literature. Given its heritage, focus, and application, this paper suggests that the VSM can help in progressing both understanding and practice in relation to IT governance. In the context of IT governance, the VSM can be used in three ways. First, descriptively, to illustrate the requirements and components of an IT governance structure. It may also act as a template for the design of an organization’s IT governance structure and provide an alternative language with which to discuss governance issues. Second, as a diagnostic tool to assess the effectiveness of an existing IT governance structure and associated mechanisms. Third, as a framework to guide the process of designing an IT governance structure. In the subsections that follow, we briefly explore each of these themes. Thus far in the paper, the VSM model has been described using Beer’s terminology. However, the research team felt that more evocative and relevant language should be used when considering the VSM in the context of IT governance. Furthermore, the labels assigned to some of the systems are somewhat dated and have been superseded by a newer and more relevant nomenclature. For example, policy had specific meaning in the 1960s—as in business policy—and is today more appropriately referred to as strategy. In the IT and computing literature, policy also has a precise meaning, referring to a guideline, standard, rule or prescription. 
The new terms for the VSM, agreed by the research team, were as follows: day-to-day execution of IT projects, IT operations, and service delivery (System 1); day-to-day running (coordination) of IT projects, IT operations, and service delivery (System 2); day-to-day running (i.e., resource allocation and control) (System 3) and monitoring, including identifying synergies (System 3*) of IT projects, IT operations, and service delivery; envisioning opportunities and threats (System 4); strategy, policy, and identity (System 5).

Describing IT Governance
The research team identified the distinction between decisions and activities as being extremely powerful when considering IT governance. Although related, decisions and activities are quite different but are often used interchangeably in the literature (e.g., Brown 1999; Sambamurthy and Zmud 2000). Decisions are the result of thinking processes, so-called decision-making processes. Activities result from decisions; they are the doing aspect of IT management (e.g., building systems, managing relationships, maintaining IT operations, and decommissioning applications). Traditionally, the organization of IT has been driven by this “doing” aspect of IT management.4 This has resulted in the IT function in the majority of organizations being designed around the objective of technology and application provision with required activities being located in this unit. The decision-making required to drive the performance of these activities is also traditionally made within this functional area. As discussed earlier, it is now acknowledged that many of these decisions should be made outside of the IT function. In addition, the successful delivery of IT projects, a central building block in the deployment


4 Indeed, much of the research in the information systems field is focused here.





Figure 4. Relationship between Decision and Activity

of IT, also demands the involvement and engagement of non-IT staff in the performance of many activities as benefits to the organization only come about through change and innovation (Clegg et al. 1996; Peppard and Ward 2005; The Royal Academy of Engineering 2003). This distinction between decision and action, or thinking and doing, is at the heart of IT governance (see Figure 4). Effective governance is about establishing a framework for ensuring coherence in decision-making as well as a framework for managing the activities that result from them. Decisions pertain to choices among a selection of options, essentially deciding what to do. Often, these options must first be developed before a choice is subsequently made, for example, IS strategy development or prioritizing IT spending. Activities refer to action-oriented tasks that are performed in an organization; they represent the execution of decisions. For example, determining the prioritization of IT spend requires thinking, while implementing the selected projects is about doing (e.g., specifying requirements, developing software, managing the project). The prioritization process itself may be driven by a particular policy and/or a process, directing how this decision is made, who is involved (e.g., CEO, steering committee, or CIO), how often it is made, how it is monitored, etc. The performance of many activities is driven by policies; policies, in effect, reflect decisions already made (i.e., the decision has already been made to do something in a particular way or to perform an activity conforming to certain standards or rules). In many ways, they represent a repertoire of solutions. For example, when dealing with issues of IT security, there may be a policy in place defining exactly how it is addressed in the organization and the extent of any discretion or deviation permitted and under what circumstances such deviations are allowed.
The VSM’s metasystem (Systems 2 through 5) corresponds to the thinking or decision-making referred to in the preceding paragraphs. The operations component (System 1) relates to the activities and tasks associated with IT service delivery, including development, implementation and maintenance of systems—the doing. The VSM provides the structure as to how the thinking and the doing relate to each other as well as the functions required, ensuring that they are closely integrated and that all the thinking and doing functions are in balance. Figure 5 illustrates a model of IT governance based on the principles and logic of the VSM. The research team categorized operations as composed of IT projects (activities involved in building systems or refreshing technical platforms and creating business change), IT operations (activities around running and maintaining the technical infrastructure), and service delivery (activities concerned with the day-to-day provisioning of IT services). Consider an example of how the VSM works in practice for IT governance. Using feedback information provided by S3, S4 assesses that it is expensive to develop systems in-house (an S1 activity falling under the category of IT project) using in-house resources. S4 determines that there is a better way, for example, buy-in packages, and formulates the policy to buy packages whenever possible. This policy then becomes enshrined in S5. The challenge for an organization is to ensure that the mechanisms are in place for this logic to occur. Mechanisms to ensure conformance to this policy must also be established, otherwise it is possible that parts of the organization may still develop their own applications. In GlobalTelco, the research team encountered a situation where two of the divisions had engaged the same vendor to provide CRM software.
With both projects having similar objectives, consider the learning and resource sharing that could have gone on, to say nothing of the bargaining power that they could have exhibited over the vendor. There were no mechanisms in place to identify this situation and it was only picked up as a result of an ad hoc conversation between the CIO of one of the divisions and the vendor account manager.
18 2005 — Twenty-Sixth International Conference on Information Systems

Peppard/Viable Systems Model Applied to IT Governance


Figure 5. A Model of IT Governance
[Diagram labels: strategy, policy, and identity; envisioning opportunities and threats; day-to-day running of projects/operations/service delivery; resource allocation; central command; synergy/conformance; coordination; IT projects; IT operations; service delivery.]

Figure 6. Schematic Extract of Day-to-Day Running of IT Projects and Project Operations
[Diagram labels: IT projects; IT operations; numbered links 1, 2, 3, and 3*; operational control (resource allocation); scheduling and coordination; policies and rules; audit and synergies.]

Breakthrough Ideas in Information Technology

Figure 6 illustrates in greater detail the relationship between the day-to-day running of IT projects and IT operations and the execution of associated activities. Typically, an organization will have many IT projects ongoing at any one time. Resources must be allocated to these projects (1) and there is a requirement for coordination within and across projects as well as across all operational activities (2). Any synergies that may exist across projects and activities should also be identified (3*). Policies may need to be adhered to (3) not only during the projects but also in what is built.

Table 1 presents the four functions of the metasystem together with a partial listing of related decisions. These decisions were identified by the inquiry team. Through its deliberations, the research team contended that System 4 and 5 decisions were “what” decisions (i.e., they related to what the organization was planning to do). The System 3, 3*, and 2 decisions were designated as “how” decisions (i.e., how decisions were to be executed and resultant activities managed).

Diagnosing IT Governance
Working from the descriptive model of IT governance, it is possible to move on to diagnose how the organization handles the objectives and requirements of each of the five functions. The research hypothesized that the set of decisions made in an organization with regard to IT (which are partially listed in Table 1) can be determined and that this set of decisions is likely to be generic across all organizations whether large or small.5 We further hypothesized that how organizations differ is the manner in which these decisions are addressed (for example, having prescribed processes and any guiding principles), who makes the decisions, how the decisions are coordinated and policed.6 In smaller organizations, it is probable that most, if not all, of these decisions may be made by one individual. In larger organizations, decision-making authority is likely to be distributed throughout the organization, hence the requirement for a governance framework.

For each decision in Systems 4 and 5, a set of diagnostic questions was developed.

• Is the decision currently made?
• Who makes it? Should they make it?
• How is it made (process)? Are there any standards or policies guiding the decision-making process? Who establishes these policies?
• Who is responsible for execution?
• How is the outcome of the decision evaluated?

A further set of questions that relate specifically to the functions of the VSM in operations (System 1) were developed.

• Who/which forum has responsibility for making the decision? How is the decision made? Is there a policy in place guiding choices?
• What mechanisms are in place for achieving coordination (e.g., in software development work) and optimization or synergies (e.g., pooling requirements from across the organization to get better deals from suppliers) across projects or the organization?
• How do you ensure that policies or other standards and rules are being followed?


This analysis is based on self-assessment. At InterDesign, for example, a team composed of senior executives from both the IS department and the business worked through the VSM-influenced IT governance model, addressing each of the decisions. They concluded that while most of the decisions were being made in the organization, they were not being made by appropriate individuals or forums. For example, the decision about prioritizing IT spending was being made by the CIO rather than a forum of key business heads. There was also a complete lack of an IS strategy (the company did have an IT strategy), there were no IT principles in place, and no mechanism existed to identify and examine potential innovative use of new technologies.


5 This has not yet been tested.
6 This has not yet been tested.

Table 1. IT Governance and the VSM: Sample Decisions

Function: Strategy, policy and identity (5)
Decisions (sample): What is our IT governance structure? What funding level will be established for IT? What are our business strategies and objectives? What is the role of IT in the business? What are our IT principles? What is our strategy for information and systems that are required to meet business objectives? What are our policies? What IT capabilities (platform services) are required? What IT services should be outsourced? What is our strategy for business continuity? What (IT) opportunities will receive funding? What is our strategy for information (data) management, including adherence to privacy requirements? What is our strategy for technology refresh?

Function: Envisioning opportunities and threats (4)
Decisions (sample): What are the opportunities for deploying IT? What is the potential value, risks and return on these opportunities? What is the business case for the opportunity? What are the opportunities for using the external marketplace? What use are our competitors making of IT? What policy areas will be established?

Functions: Day-to-day running (control, monitoring, coordination) of IT projects (3, 3*, 2); of IT operations (3, 3*, 2); of service delivery (3, 3*, 2)
Decisions (sample): How are resources allocated to projects? How is the design of an IT service determined? How is software developed? How are people allocated to roles within projects? How are the business changes associated with the project managed? How is the technical implementation of projects managed? How are technical resources sourced and procured? How are relationships with vendors managed? How is the performance of projects assessed and evaluated? How is the delivery of business benefits managed? How are new applications rolled out? How will service delivery be maintained? How will service running costs (SRC) be minimized? How will applications be retired? How will back-up be performed? How will security be ensured? How will integrity of data be guaranteed? How is technical risk minimized? How will overall operational IT performance be evaluated? How will capacity requirements be assessed? How will change management be managed and administered? How will software releases be managed? How will application services be managed? How will application and network availability be managed? How will service levels be managed and reported? How is user support delivered? How are problems managed? How is service availability managed? How is the reliability of services managed?


Designing an IT Governance Structure
The requirement for an IT governance structure is due to the distribution of IT decision-making throughout the organization and the need for appropriate and consistent decision-making behavior if the value derived from IT is to be maximized. The third objective of the research was to define an approach to support the design of an IT governance structure to support this objective. The functions of the VSM specify the skeleton of an effective governance structure. For each decision in the four functions, the following determinations must be made:

• Who has the authority to make the decision?
• Who is responsible for executing the decision?
• Are there any policies guiding the decision choice?
• How do we optimize/ensure synergy across all decisions?
• How are decisions coordinated?
• What monitoring is in place to ensure conformance to policy or strategy and to identify opportunities for synergy?

Addressing these questions with respect to each decision creates a framework that can then determine the blueprint for an organization’s IT governance structure. Designing an effective IT governance structure might seem like a complex process, but the evidence to date from the research team is that once it has been undertaken and all relevant questions have been addressed, it is likely to remain relatively stable over time. It also provides a basis for determining the remit of any committees or cross-unit forums. For example, searching the framework for the appearance of an IS steering committee identifies the remit of this committee. Indeed, the decision regarding IT governance structure is a decision on the IT governance model; the organization has to address the following questions: Who decides on the governance structure? How is this decision made? How is the resultant decision policed? How are oversights dealt with? As competitive strategies change and new technologies emerge, the IT governance structure will need to be reviewed to assess its effectiveness under these new conditions, and mechanisms must exist to ensure that this occurs.

Anecdotal evidence collected as part of our research suggests that few organizations proactively design their IT governance structure; most structures and associated mechanisms have emerged over time, usually in response to problems. While providing descriptions of the current situation regarding IT governance, the research literature to date can be criticized for reporting on IT governance structures a priori. The research presented in this paper differs from previous research in that it attempts to develop an approach to assessing an organization’s existing IT governance structure as well as developing a method for constructing an IT governance structure. In order to achieve these objectives a participatory action research methodology was followed.

We have argued that, given its origins and objectives, the VSM provides the structure of a model for considering IT governance. The research explored how VSM can be used to provide a description of IT governance and subsequently be used to develop a diagnostic tool that organizations can use to assess the effectiveness of their existing governance structures, as well as the basis for developing an approach to guide the construction of a governance structure and establishing appropriate mechanisms.

The IT governance model proved valuable within the research sites in providing a description and visual representation of IT governance, not just for executive management but also for the CIO and IT staff in the study organizations. Few models exist in the literature; most scholarly papers provide a verbal conceptual description of IT governance. Those models that do exist are at such a high level (see Sambamurthy and Zmud 2000) that practitioner members of the inquiry team deemed them inaccessible. The VSM-influenced model in this paper is not only based on the principles of a proven model, but it illustrates the link between decisions and actions, or as was referred to in the paper, between thinking and doing. Together with using (information and systems), this triumvirate captures the essence of managing IS in organizations—a discussion of this point is outside the scope of this paper. Indeed, with the distribution of decision-making authority for IT within an organization, the question must be posed as to what exactly is an IS organization today.

A key finding of this research is that decisions cannot be grouped and considered at a macro level, as Weill and Ross (2004) have done in their research. Within each grouping (in the case of this research, corresponding to the functions of the VSM), decisions can be made by different actors and forums, in different ways, with different mechanisms of control and coordination; there cannot be a blanket set of mechanisms established for each grouping. The analysis also stresses the importance of a governance structure to accommodate the activities resulting from decisions (projects, IT operations, and service delivery). In order to enact governance, decision-making authority and responsibility for the performance of particular activities must be vested in the roles that employees play in the organization. How this can best occur is currently being studied.

The research has also identified some contingency factors that also influence behavior in an organization and consequently impact any IT governance structure that may be established. These are enterprise governance (i.e., the structure of the organization, reporting relationships, etc.), financial governance (i.e., how money is managed), performance governance (i.e., performance criteria and performance management systems), and regulatory governance (i.e., legislation). These factors are being further explored; their impact on IT governance is being examined as well as how they might be incorporated into an overall design process.

We have also assumed that employees are rational in their decision-making. No consideration has been given to the sociology of organizations, particularly organizational politics, a key influencer of decision-making behavior in organizations. There may also be a reluctance of non-IT staff to either make IT decisions or to engage in IT decision-making processes.

References

Agarwal, R., and Sambamurthy, S. “Principles and Models for Organizing the IT Function,” MIS Quarterly Executive (1:1), 2002, pp. 1-16.
Ashby, W. R. An Introduction to Cybernetics, Chapman & Hall, London, 1956.
Beer, S. Brain of the Firm (2nd Edition), John Wiley, Chichester, England, 1981.
Beer, S. Diagnosing the Systems for Organizations, John Wiley, Chichester, England, 1985.
Beer, S. The Heart of the Enterprise, John Wiley, Chichester, England, 1979.
Breu, K., and Peppard, J. “Useful Knowledge for Information Systems Practice: The Contribution of the Participatory Paradigm,” Journal of Information Technology (18), 2003, pp. 177-193.
Brown, C. V. “Examining the Hybrid IS Governance Solutions: Evidence From a Single Case Study,” Information Systems Research (8:1), 1997, pp. 69-94.
Brown, C. V. “Horizontal Mechanisms Under Differing IS Contexts,” MIS Quarterly (23:3), 1999, pp. 421-454.
Buchanan, J. R., and Linowes, R. G. “Making Distributed Data Processing Work,” Harvard Business Review, September-October, 1980, pp. 143-161.
Clegg, C., Axtell, C., Damadoran, L., Farbey, B., Hull, R., Lloyd-Jones, R., Nicholls, J., Sell R., and Tomlinson, C. “Information Technology: A Study of Performance and the Role of Human and Organizational Factors,” Ergonomics (40:9), 1996, pp. 851-871.
Earl, M. J., Edwards, B., and Feeny, D. F. “Configuring the IS Function in Complex Organizations,” in Information Management: The Organizational Dimension, M. J. Earl (Ed.), Oxford University Press, New York, 1996, pp. 201-230.
George, J., and King, J. “Examining the Computing and Centralization Debate,” Communications of the ACM (34:7), 1991, pp. 63-72.
Heron, J. Co-operative Inquiry: Research into the Human Condition, Sage, London, 1996.
Heron, J. Experience and Method: An Inquiry into the Concept of Experiential Research, University of Surrey, Human Potential Research Project, Surrey, 1971.
Heron, J. “Philosophical Basis for a New Paradigm” in Human Inquiry: A Sourcebook of New Paradigm Research, P. Reason and J. Rowan (Eds.), Wiley, Chichester, England, 1981, pp. 19-35.
Hodgkinson, S. L. “The Role of the Corporate IT Function in the Federal IT Organization,” in Information Management: The Organizational Dimension, M. J. Earl (Ed.), Oxford University Press, New York, 1996, pp. 247-269.
Jensen, M. C., and Meckling, W. H. “Theory of the Firm, Managerial Costs and Ownership Structure,” Journal of Financial Economics (III), 1976, pp. 305-360.
King, J. “Centralized vs. Decentralized Computing: Organizational Considerations and Management Options,” ACM Computing Surveys (15:4), 1983, pp. 319-349.
Luftman, J., and McLean, E. R. “Key Issues for IT executives,” MIS Quarterly Executive (3:2), 2004, pp. 89-104.
Peppard, J. “Information Management in the Global Enterprise: An Organizing Framework,” European Journal of Information Systems (8), 1999, pp. 77-94.
Peppard, J., and Ward, J. “Unlocking Sustained Business Value from IT Investments: Balancing Problem-Based and Innovation-Based Implementations,” California Management Review, Fall, 2005.
Peterson, R. “Crafting Information Technology Governance,” Information Systems Management, (Fall), 2004, pp. 7-22.
Peterson, R., O’Callaghan, R., and Ribbers, P. “Information Technology Governance by Design: Investing Hybrid Configurations and Integration Mechanisms,” in Proceedings of the 21st International Conference on Information Systems, W. J. Orlikowski, S. Ang, P. Weill, H. C. Krcmar, and J. I. DeGross (Eds.), Brisbane, Australia, December, 2000, pp. 435-542.
Reason, P. “Integrating Action and Reflection Through Co-operative Inquiry,” Management Learning (30:2), 1999, pp. 207-226.
Reason, P. “Sacred Experience and Sacred Science,” Journal of Management Inquiry, (2:3), 1993, pp. 10-27.
Robertson, S., and Powell, P. “Managing the IS Function During Mergers,” in Proceedings of the 9th European Conference on Information Systems, S. Smithson, J. Gricar, M. Podlogar, and S. Avgerinou (Eds.), Bled, Slovenia, 2001, pp. 1297-1306.
Royal Academy of Engineering. The Challenges of Complex IT Projects, The Royal Academy of Engineering, London, 2003.
Ross, J. W., and Weill, P. “Six IT Decisions Your IT People Shouldn’t Make,” Harvard Business Review (80:10), November 2002, pp. 85-91.
Sambamurthy, V., and Zmud, R. “Arrangements for Information Technology Governance: A Theory of Multiple Contingencies,” MIS Quarterly, (23:2), 1999, pp. 261-290.
Sambamurthy, V., and Zmud, R. “Research Commentary: The Organizing Logic for an Enterprise’s IT Activities in the Digital Era—A Prognosis of Practice and a Call for Research,” Information Systems Research (11:2), 2000, pp. 105-114.
Schwarz, A., and Hirschheim, R. “An Extended Platform Logic Perspective of IT Governance: Management Perceptions and Activities of IT,” Journal of Strategic Information Systems (12), 2003, pp. 129-166.
Shannon, C. E. “A Mathematical Theory of Communication,” Bell Systems Technology Journal (27), 1948, pp. 379-424, 623-657.
Simon, H. A. The New Science of Management Decisions, Harper & Row, New York, 1960.
Skolimowski, H. The Participatory Mind: A New Theory of Knowledge and of the Universe, Arkana Books, London, 1994.
Weill, P., and Woodham, R. “Don’t Just Lead, Govern: Implementing Effective IT Governance,” Center for Information Systems Research, Massachusetts Institute of Technology, CISR WP No. 326, 2002.
Weill, P., and Ross, J. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, Boston, 2004.
Wiener, N. Cybernetics, or Control and Communication in the Animal and the Machine, John Wiley, New York, 1948.

