IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S

Michael Holm Larsen, holmlarsen@gmail.com
Mogens Kühn Pedersen, Copenhagen Business School, mk.inf@cbs.dk
Kim Viborg Andersen, Copenhagen Business School, andersen@cbs.dk

Complexity in information technology architectures and infrastructures, and an increasing need for executives to verify and secure value generation processes in private as well as public organisations, call for an increasing awareness and understanding of Corporate Governance in general and IT Governance in particular.

The paper investigates how IT Governance is adopted in the case company Novozymes A/S, which is a biotech-based world leader in industrial enzymes and microorganisms. Based on a review of 17 IT Governance Tools, the paper analyses the challenges of the adopted IT Governance arrangements and mechanisms. Finally, the paper points to future development directions in order to further unfold the potential of IT Governance at Novozymes A/S.

1. Introduction

The Information Technology Governance Institute defines IT governance as “the leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives”. Additionally, they state that “While governance developments have primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value, the pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance” (ITGI 2003:1). IT Governance reflects broader corporate governance principles (OECD 2004). Corporate Governance and IT Governance both pursue an ongoing questioning of the organisation’s governance model’s sufficiency in minimising risks and maximising returns (Hamaker & Hutton 2004). IT governance may also be defined as specifying the decision rights and accountability frameworks to encourage desirable behaviour in using IT (Weill & Ross 2004:2).

Aligning business and IT objectives has been debated for decades among academics and practitioners (e.g. Sambamurthy & Zmud 1999, ITGI 2001); however, discussions have intensified within the last 5 years (e.g. Robbins 2004, Weill & Ross 2005, Brown & Grant 2005) due to corporate scandals like WorldCom, Enron, Arthur Andersen, etc. Based on the cited literature in this paper, no similar comparison of IT Governance approaches is available. Further, in positioning the research, it is concluded that research into in-depth case studies as well as an overview of IT Governance tools is needed. The research question in this paper is: what is an appropriate tool for IT Governance case analysis, and what is the status of IT Governance in Novozymes A/S? This leads to an analysis of the applied IT Governance at Novozymes A/S pointing to relevant development issues.

The structure of the paper is as follows. The second section is a methodology section evaluating different IT Governance tools and identifying the tool to be applied for the case analysis. The third section contains the analysis of IT Governance performance at Novozymes A/S, and the fourth section evaluates the alignment of the IT Governance practice with strategy, organisation, behaviour and relevant metrics using the IT Governance Design Framework for structuring the analysis. Section five concludes the paper and draws up a set of recommendations for further development of IT Governance at Novozymes A/S.

2. Methodology and Selection of an IT Governance Tool for Case Analysis

As the paper is a case analysis of IT Governance at Novozymes A/S, the paper will address the following issues:
• Select evaluation criteria
• Review of potential IT governance tools.
• Assessment of potential IT Governance tools.
• Case evaluation applying the selected tool.
• Development of recommendation derived from the analysis.

Each of these issues will be dealt with in separate sections. In this paper there will be no demarcation between methods, methodologies, techniques, and tools of IT Governance, and all will, though simplistic, be referred to as tools.

The data collection rests upon a presentation and interview with IT manager Lars Refslund, Novozymes A/S, and secondary data from annual reports and Novozymes A/S’ corporate website, in addition to the fact that the researchers have been acquainted with the organisation for more than a decade.

2.1. Evaluation Criteria

The final selection of an IT Governance tool depends upon which tool provides the better framework for evaluating the alignment of the IT Governance structure with the business. Therefore, it is of great importance in any management discipline, in scoping a project or activity, that appropriate tools for appropriate business problems are applied.

In relation to the definition of IT Governance of Weill & Ross (2004), a specification of the decision rights and accountability frameworks is vital in determining IT Governance effectiveness. Hence, a crucial evaluation criterion is that a tool addresses decision-making processes. In addition to this, another important evaluation criterion is that the tool is applied to the entire business system as the unit of analysis in order to avoid sub-optimisation. IT Governance tools may however also be related to other processes in the organisation. Core business processes and support processes are therefore added as classes. Moreover, tools may also be related to subsets of the business system. Procedures, activities and organisational units are therefore included as classes. Consequently, the dimensions of the evaluation are process type and organisational entity, resulting in a 3-by-4 IT Governance classification matrix.

2.2. Review of IT Governance Tools

At a very broad level, organizations can approach governance on an ad hoc basis and create their own frameworks, or they can adopt standards that have been developed and perfected through the combined experience of hundreds of organizations and people. By adopting a standard IT governance framework, organisations may realize a number of benefits (Spafford 2003).

During the past two decades, a variety of standard IT governance frameworks and different assessment methods for evaluating IT impact and performance have emerged. In this section 17 tools are considered and evaluated. Some tools have developed into a set of guidelines, others into methods or best practices, and again others into de facto or de jure standards. The reason for this listing and the subsequent evaluation is to obtain a comprehensive basis for assessing the case company’s IT Governance. Also, the listing provides an interesting overview of implementation frameworks of IT Governance initiatives. Moreover, the listing shows the main differences between the tools and hereby how differently IT Governance initiatives may be pursued and adopted. Through a survey of literature the following 17 tools were found:

ITIL: Information Technology Infrastructure Library (ITIL) is the world-wide de facto standard in Service Management (Behr et al. 2004). ITIL provides a comprehensive, consistent volume of best practices drawn from the collective experience of thousands of IT practitioners around the world (Niessink & van Vliet 2001). ITIL focuses on critical business processes and disciplines needed for delivering high-quality services. Out of the ITIL framework, the British Standard BS15000 has emerged. BS15000 is the world’s first standard for managing IT services. All activity is classified under two broad umbrellas, i.e. Service Management and Service Delivery. This approach defines IT quality as the level of alignment between IT services and actual business needs (Niessink & van Vliet 2000). As a result, organizations can mature their best practices without regard to specific technologies.

COBIT: Control Objectives for Information and Related Technology (COBIT) has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices (Lainhart 2000). The tools include: (1) Performance Measurement elements, i.e. outcome measures and performance drivers for all IT processes, (2) A list of Critical Success Factors (CSF) that provides succinct, non-technical best practices for each IT process, and (3) Maturity Models to assist in benchmarking and decision-making for capability

ASL: Application Services Library (ASL) is a collection of best practice guidance for managing application development and maintenance. It is the public domain standard for application management, separate from the IT Infrastructure Library (ITIL), but linked to it in terms of adherence to standards for
managing processes and providing a coherent, rigorous, public domain set of guidance (Bastiaens 2004, van der Pols 2004). ASL is a part of the IT Service Management (ITSM) Library. ASL recognises three types of control, i.e. functional, application and technical control. Where Information Technology Infrastructure Library (ITIL) is a generally accepted standard for organizing technical management, the Application Services Library (ASL) offers a framework for the organization of application management (Meijer 2003).

Six Sigma: Six Sigma stands for Six Standard Deviations from mean. The Six Sigma methodology provides the techniques and tools to improve the capability and reduce the defects in any process. The Six Sigma methodology improves any existing business process by constantly reviewing and re-tuning the process (Hammer 2002). To achieve this (cf. Puzdek 2003), Six Sigma uses a methodology known as DMAIC (Define opportunities, Measure performance, Analyze opportunity, Improve performance, Control performance). Customer requirements, design quality, metrics and measures, employee involvement and continuous improvement are main elements of Six Sigma Process Improvement.

CMM/CMMI: The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization’s software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes. CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DoD). The CMM suggests 5 Maturity Levels of Software Processes (Mathiassen & Sørensen 1996), i.e. the initial, repeatable, defined, managed and optimizing level. CMM has through the years been developed further, integrating the different activities, i.e. CMM Integration (CMMI). Whereas CMM is based on the classical waterfall model, CMMI addresses iterative development and is more result-oriented.

IT Service CMM: IT Service CMM is a maturity growth model aimed at IT Service providers (Niessink 2003). IT Service CMM is a development of the CMM for software development and incorporates similar maturity stages. Moreover, the IT Service CMM originates from the efforts to develop a quality improvement framework in order for service organisations to improve service quality (Niessink & van Vliet 1998). The model does not measure the maturity of individual services, projects or organisational units. Rather, the model measures the maturity of the whole service organisation covering the service delivery process, i.e. including all activities involved in creating the result for the customer, starting from identifying the needs of the customer until evaluating the delivered services (Niessink et al. 2005). The model is delimited from covering the development of new services.

SAS70: SAS70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization’s controls. Statement on Auditing Standards, No. 70 (SAS70) for Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS70 audit (www.sas70.com) is widely recognized, because it represents that a service organization has been through an in-depth audit by an independent accounting and auditing firm of their control activities, which generally include controls over information technology and related processes. Organisations must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. Control objectives and control activities should also be organized in a manner that allows the user auditor and user organisation to identify which controls support the assertions in the user organization’s financial statements, e.g. existence, occurrence, completeness, valuation, etc.

ISO 17799: The ISO 17799, or its counterpart the British Standard BS 7799, is a standard for information security including a comprehensive set of controls and best practices in information security. The standard is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce. Compliance with ISO 17799 and BS7799 ensures that an organisation has established a certain compliance level for each of the ten categories covered (Ma & Pearson 2005), i.e. security policy, security organisation, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance (ISO 2000, BS 2002).

SOX: The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the organization (SOX 2002). The legislation not only affects the financial side of corporations, but also affects the IT departments whose job is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records (Alles et al. 2004), including
electronic records and electronic messages, must be saved for not less than five years. The consequences for non-compliance are fines, imprisonment, or both. Hence, Sarbanes-Oxley compliance induces significant implications for the IT function (Moore & Swartz 2003). The Sarbanes-Oxley requirements are increasingly integrated with enterprise risk management initiatives (Beasley et al. 2004, Sammer 2004).

SysTrust: The SysTrust service is an assurance service that was jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is designed to increase the comfort of management, customers, and business partners with systems that support a business or particular activity (Pacini et al. 2000). In a SysTrust engagement (McPhie 2000), the practitioner evaluates and tests whether or not a specific system is reliable when measured against three essential principles: availability, security, and integrity.

PRINCE2: PRINCE, which stands for Projects IN Controlled Environments, is a project management method covering the organisation, management and control of projects. PRINCE was first developed as a UK Government standard for IT project management. Since its introduction, PRINCE has become widely used in both the public and private sectors and is now the UK’s de facto standard for project management. Although PRINCE was originally developed for the needs of IT projects, the method has also been used on many non-IT projects. The latest version of the method, PRINCE2, is designed to incorporate the requirements of existing users and to enhance the method towards a generic, best practice approach for the management of all types of projects (OGC 2005).

IT Audit: Sisco (2002) argues that an IT review should contain three main areas to focus the evaluation, i.e.: (1) Technology: identifying capability to meet company needs, stability, capacity and scalability, security, and risks. (2) IT organization: expertise and depth needed to support the business needs, management, morale, capacity, and risks. (3) IT processes: change management, software licenses, project management, policies and procedures regarding technology, and tracking and measuring performance. As a technology organization has many functional parts, a quantification of the IT organisational structure will include (Sisco 2002): (a) Infrastructure. Networks, i.e. LAN, WAN, and desktop support. (b) Business applications. Research & development, and support, including installation services, professional services, help desk, computer center operations, technology assets, business processes and procedures.

IT Due Diligence: Sisco (2002b) states that the due diligence objective needs to be clearly defined. Sisco (2002b) suggests that an IT due diligence plan should be broken down into seven parts, i.e.: (1) Current IT operation, (2) Risks and risk avoidance plans, (3) Financial plan (expected cost and budget to continue operation), (4) Capital investment requirements, (5) Leverage opportunities and recommended plans, (6) Transition plan, (7) The due diligence report.

IT Governance Review: Weill & Ross (2004) suggest that an IT Governance review contains the following activities: (1) Mapping the organisation’s current governance with the tools of a Governance Design Framework (GDF) and a Governance Arrangements Matrix (GAM), (2) Comparing the GDF and GAM, (3) Auditing IT Governance Mechanisms, (4) Designing the To-Be Governance Structure, (5) Transform to the To-Be version of the GDF and GAM of the organisation, and focus on communicating, teaching, convincing, refining, and measuring the success of IT Governance. Alternative mechanisms for design of IT Governance scenarios are proposed by Meyer (2004).

IT Governance Assessment: Weill & Ross (2004:119) suggest a framework for assessing IT Governance Performance. As IT Governance is defined as specifying the decision rights and accountability framework to encourage desirable behaviour in IT usage (Weill & Ross 2004), governance performance must then be assessed as how well the governance arrangements encourage desirable behaviours, i.e. how well the organisation achieves its desired performance goals. Hence, the framework proposes that IT Governance should address five important factors, which are: enterprise setting, governance arrangements, governance awareness, governance performance, and financial performance.

IT Governance Checklist: Damianides (2005) suggests a checklist for IT Governance containing a set of 44 diagnostic questions. For each of the questions, the extent to which it relates to (a) IT Value Delivery, (b) IT Strategic Alignment, (c) Risk Management, and/or (d) Performance is specified. The questionnaire contains 3 subgroups, i.e. to uncover IT issues, to find out how management addresses the IT issue, and to self-assess IT Governance practice with regard to the board and management.

IT Governance Assessment Process (ITGAP) Model: Peterson (2004) suggests a four stage process for assessing IT Governance. The process contains the following steps: (1) describe and assess IT Governance value drivers, (2) describe and assess the
differentiation of IT decision making authority for the portfolio of IT activities, (3) describe and assess the capabilities of IT Governance, and (4) describe and assess IT value realisation.

2.3. Evaluating the IT Governance Tools

The table below classifies the 17 IT Governance tools in relation to a specific process type and with respect to a certain organisational entity. Although an IT governance tool may relate to more areas and processes, the dominating scope and process, respectively, is marked. Based on the review of the individual tools, the classification is the following:

[Table 1, layout lost. Axes: Process Type by Organisational Entity, with columns Procedure, Activity, Business Unit and Business System. Row "Decision-Making Processes": IT Governance, IT Governance Assessment, IT Governance Checklist, IT Governance Assessment Process. Remaining entries, cell positions unknown: ITIL / BS15000, CMM / CMMI, Six Sigma, IT Service CMM, IT Audit, IT Due Diligence; ISO 17799 / BS7799, ASL, SOX; SysTrust, PRINCE2.]

Table 1: Classification of IT Governance Tools.

As the intention is to investigate decision-making processes in the entire business system, only the four tools with the “IT Governance” name are likely candidates for further evaluation. However, the IT Governance Checklist does not lead to a sufficiently comprehensive analysis, but is valuable as an indicator for a pre-analysis of IT Governance. The ITGAP of Peterson (2004) is to some extent comparable with the IT Governance Assessment of Weill & Ross (2004). Although Peterson (2004) states that the ITGAP assessment model has been used with more than 50 large multi-division companies, these studies are not documented in public material, which on the other hand is the case of the IT Governance Assessment tool of Weill & Ross (2004). Also, the empirical basis of the IT Governance Assessment tool is broader. Hence, only the difference between IT Governance Assessment and IT Governance Review needs to be clarified.

As the description of the two tools presented in section 2.2 shows, there is some overlap between them. The IT Governance Review is a thorough analysis of the existing IT Governance arrangements and mechanisms in an organisation leading to a future design of IT Governance by addressing the insufficiencies of the current IT Governance structure. The IT Governance Assessment is a measurement of the current state of IT Governance Performance – but without the design element. Also, the IT Governance Assessment does not include a thorough alignment discussion as the IT Governance Review due to the GDF. However, the analysis is somewhat broader, addressing e.g. the IT intensity, the IT Governance Awareness and relating these findings to the financial performance of the organisation.

Based on the above findings an IT Governance Review will be conducted in the following analysis, where the IT Governance Design Framework will structure an analysis of the degree of alignment of the IT Governance mechanisms in relation to the strategy, organisation, behaviour and relevant metrics.

3. Assessing IT Governance at Novozymes

3.1. Company Background

Novozymes A/S is the biotech-based world leader in enzymes and microorganisms. Novozymes A/S has, with a net turnover of 1 billion US dollars, currently 44% of the world market in industrial enzymes, which are used in industries such as detergents, textile, baking, etc. Novozymes A/S delivers enzymes and microorganism solutions to enable their customers to produce higher quality products more efficiently in 40 different industries and 130 countries. With more than 100 types of enzymes and microorganisms and not less than 700 different products Novozymes A/S has the largest product portfolio in the world.

Novozymes A/S employs approximately 4.000 persons, of which half are located in Denmark. Novozymes A/S has production sites in Denmark, US and China, and sales organisations scattered around the world. Novozymes uses the ambitious aspiration of “Unlocking the Magic of Nature” in relation to the corporate name.

Historically, Novozymes A/S was a central business unit in Novo Nordisk A/S called Enzyme Business. However, in November 2000 Novozymes A/S was demerged from Novo Nordisk A/S and became an independent company. As an independent publicly listed company, Novozymes A/S is still a part of the Novo Group A/S, which is a holding company containing independent companies with the same core values. Novozymes A/S has, due to reengineering activities in the late 1990s, become a process oriented company, cf. Larsen & Bjørn-Andersen (2001).

3.2. Governance Arrangements

The IT Governance Structure of Novozymes A/S is described in the following. The Executive Management (ExM) meets 4 times a year, half a day, to discuss information technology, and during these sessions they are called an Application Strategy Group (ASG), though it is the same people. Each IT project is headed by a steering group and a project manager, who is held accountable for project delivery, deployment and follow up, and who is related to the Project Office (PO). The Project Management Office (PMO) may be classified as an advanced PMO integrating a comprehensive project management capability to achieve business objectives (cf. Hill 2005), based on a set of predefined criteria (Sherer 2004). On infrastructure and architecture issues, the Infrastructure Strategy Board (ISB) has the decisive power.

The governance arrangements describe which archetypes are used for each key IT decision (cf. Weill & Ross 2004) in Novozymes A/S. The findings are presented in the following figure.

[Figure 1: matrix of key IT decisions (columns, each split into Input and Decision) against governance archetypes (rows); cell contents not recoverable.]

Figure 1: IT Governance Arrangement Matrix (GAM) of Novozymes A/S.
Keys: Line of Business (LOB), Application Strategy Group (ASG), Infrastructure Strategy Board (ISB).

Inputs to IT principles come from the Line of Business (LoB) and from the corporate Fundamentals and policies, which are approved by top management. The Fundamentals were originally developed 10 years ago in the employees’ self-organised union, but although the Fundamentals were consolidated in a corporate context, the initiative is classified as an anarchy due to its origin. The proposals in the table are elaborated in the following section.

At Novozymes A/S all major business processes are supported by SAP. Moreover, Novozymes A/S has systems for internet sales (named E-Solution), customer relationship management (named Pivotal), projects and development (named Proman), etc. Novozymes A/S relies on 2 main suppliers, i.e. the sister company Novo Nordisk IT A/S and Siemens A/S. The collaboration with the long-term vendors is governed by service level agreements, but the relationships, though long-term, are not governed by further IT governance structures.

4. The IT Governance Design

The IT Governance Design Framework is a model for relating the IT Governance arrangements and mechanisms to enterprise strategy and organisation including the IT organisation and the desirable behaviour, and business performance goals including IT metrics and accountability, cf. Weill & Ross (2004). Designing a governance structure is to a large extent an alignment discussion, where the purpose is to align or harmonise all elements and assure that all linkages are valid and effective. It is therefore of interest to assess which harmonisation initiatives are implemented, and how, instead of just describing the individual elements in the framework.

4.1. Aligning Enterprise Strategy and Desirable Behaviour

The Novozymes Touch, i.e. the Vision, Personality, Values, Commitments and Fundamentals of Novozymes A/S (see www.novozymes.com), is the timeless prerequisite for strategy formulation. Although these statements are very abstract in nature, they also provide explicit and operational guidance on how desirable behaviour is expected within the organisational context of Novozymes A/S.

Examples of fundamentals that directly relate to governance of the organisation by addressing accountabilities, action plans for business performance, feedback mechanisms on performance, and reporting are:
• Each unit must have a clear definition of where accountabilities and decision powers reside.
• Each unit must have an action plan to ensure improvement of its business performance and working climate.
• Every manager requiring reporting from others must explain the actual use of the reports and the added value.

IT decisions are derived from the business strategy. The business strategy is here presented as a Strategy Map representing the four Focus Area Drivers (FADs).

[Figure 2: Novozymes Strategy map 2004-2006, with strategic objectives arranged under the People & Org., Process, Market and Financial perspectives.]

Figure 2: Strategy Map of Novozymes A/S.
Source: Novozymes 2005

The FADs represent the perspectives of people and organisation, process, market, and financials, and result in four IT documents, which are Strategy & Direction, Governance, Capabilities & Sourcing, and Products and Services.

Hence, the implementation of The Novozymes Touch and actions in the above mentioned four documents contribute to the alignment of Enterprise Strategy and Desirable Behaviour in Novozymes A/S.

4.2. Aligning IT Governance Arrangements and Mechanisms

Different IT Governance mechanisms are implemented in order to conform to IT Governance arrangements and the IT Strategy, i.e.:
• The predetermined structure of the strategy process (presented in section 4.1)
• The IT project approval process
• Project and resource planning and execution
• The project portfolio review process
• Production support
These issues are elaborated in the following.

The IT project approval process. The initiative to create an IT project originates primarily from the Line of Business (LoB) or secondarily from the IT Department. Each IT project proposal is sent to the Project Office (PO) for further elaboration and analysis. For each proposal a detailed and standardised business case is developed and related to one or more Focus Area Drivers (FAD) in the Business Strategy. Based on an empirical study, Marshall & McKay (2004) acknowledge this approach as good IT Governance practice. Moreover, the PO verifies that the proposed project supports the IT Strategy, and that IT resources and capabilities are available. Priorities of the proposals are then set by the ASG/ExM group resulting in a prioritised list of IT projects.

Project and resource planning and execution. The IT projects are traditionally planned by relating the activities to resources e.g. using GANTT charts. Simulation is used to obtain the best possible match. Moreover, these tools are used for following up on progress of execution and delivered results. Only projects larger than 2 mio. DKK are considered. Projects with a lower expected total cost base are addressed in relation to maintenance. Approximately 80% of the Novozymes’ IT department’s resources are allocated towards projects. The remaining resources are allocated to maintenance and up-coming

The project portfolio review process. The review process involves project managers, the Project Office (PO), and the ASG. For each review a standardised process is followed identifying, e.g. Scope, business justification, Compliance with IT strategies and standards, Time schedule and milestones, Cost-benefit and Risk analysis, Impact assessment, Vendor selection, and Software, hardware and architecture. An important task is the identification of project interdependencies in order to avoid overlap, waste of resources, and in order to identify synergies.

Production support. The production support and helpdesk assure corporate-wide maintenance of systems. The Line of Business (LoB) sets the priorities of System Investigation Requests (SIRs), and the SIR solutions are controlled by the IT department. The IT department has true 24-hours service. This is organised after the principle “Follow the Sun”, meaning that depending on the time of day, SIRs are serviced by the IT people in China, Denmark or USA, respectively, and handed over effectively after normal office hours if the task requests an ongoing activity.

4.3. Aligning Business Performance Goals and IT Metrics and Accountabilities

How do metrics and accountabilities support business performance goals? Novozymes A/S introduced the triple bottom line in 1999 with the purpose of not only focusing on the traditional financial bottom line, but to balance it against the social and environmental bottom lines in order to ensure sustainable growth.

Through several years, the Novo Group has developed and validated an internal management and control system that goes beyond financial reporting. The system embraces three elements: Organisational audit, Facilitations, and Triple bottom line reporting. These internal management and control systems are elaborated in the following.

Organisational Audit. The organisational audit measures the extent to which the manning and organisation of a business unit are adjusted to present and future business requirements. Specific measures are:
• The extent to which market and technology changes are currently identified and incorporated into a unit's business strategy and into the unit's goals and business plan.
• The extent to which staff qualifications and organisation of work are suited for implementing this business strategy and plan.
• The extent to which candidates are developed to take on key positions in the organisation.

Facilitations. A facilitation measures the degree to which a unit lives up to the individual elements of what is referred to as The Novo Way of Management, i.e.:
• Corporate core values.
• Corporate commitments to international standards and conventions.
• Corporate policies (e.g. with regard to communications and information technology).
• Corporate code of conduct concerning the way business is done.

Triple bottom line reporting. In the environmental and social reporting, the extent to which the individual unit locally and the company globally fulfil their declared goals in respect of environmental and social performance is measured. Examples of measures are: consumption of energy, water, and raw materials, amounts of waste water and solid waste, emissions to air, applied gene technology, extent and nature of animal testing, compliance with human rights, creation of working places, training and development of employees, and working environment (physical and psychological).

For all three management control systems, concrete actions are defined to improve the situation, and the implementation of actions is verified.

The Chairman of the Board of Directors at Novozymes A/S, Henrik Gürtler, assesses that the results of these three measurements and management reporting on operations as well as drafting of overall strategies for future periods combine to give a solid impression of where the business is today and of the credibility and soundness of future plans for corporate development. Hence, it is concluded that business performance goals and metrics and accountabilities are aligned.

4.4. Aligning Enterprise Strategy and IT Governance Arrangements

The main tasks of the Board of Directors are to:
• Ensure the right executive management and organisation of the company.
• Supervise financial performance of the company, and supervise executive management's performance and integrity.
• Participate in managing the company by providing direction to executive management, and participate in determining the strategies of the company and approve major business plans and decisions.

As the board is ultimately responsible for corporate development, it has been decided that certain issues that were formerly pure management items are now being dealt with at board meetings too. Consequently, these items are now discussed among board and management. Novozymes A/S has put the meeting frequency and contents of board meetings on the Internet for public orientation. The calendar and contents are structured in accordance with the three requirements of The Danish Public Companies Act, and show that the intention is to spend an equal amount of time addressing each of the three requirements of management/organisation, operations/financials, and strategy.

Novozymes A/S strives continuously for more openness and transparency. This is also in line with what is considered as good corporate governance. Implementation of effective IT Governance is however time and resource consuming, cf. Rau (2004). Hence, it is concluded that Enterprise Strategy and IT Governance Arrangements are aligned.

4.5. Aligning IT Governance Arrangements and Business Performance Goals

IT Governance frameworks rely on a dominant premise that the organisation to a large extent is stable and that all activities can be planned (Patel et al. 2002). However, most organisations find themselves – or at least parts of the organisation – as emergent. This fact needs to be addressed in the governance arrangements and mechanisms, measurements and detailed measures. Though some frameworks seek dynamic perspectives of the organisation, this is seldom sufficient to grasp the complexity of the modern business environment.

Novozymes A/S addresses this issue of the emergent organisation through evaluations. In order to improve the quality of the work between the management and the board, they have developed a more qualitative assessment of the work of the board, the management, and the interaction and cooperation within and between these two entities. In December 2001 it was decided to deploy a self-developed system to evaluate performance in board and management work as from 2002. The system entails that:
• the individual member of management evaluates his own and his fellow management members' performance in relation to the cooperation with the board.
• the individual member of management evaluates the board's performance in the cooperation.
• the individual board member evaluates his own and his fellow board members' performance in relation to the cooperation with management.
• the individual board member evaluates management's performance in the cooperation.
• management and board give a total evaluation of the cooperation between management and

The board and management evaluate the results and (if needed) agree on changes of work processes, course of board meetings, behaviour, performance, etc. that could make future management-board cooperation more constructive, efficient, challenging and forward-looking - to the benefit of Novozymes A/S. Hence, each year, concrete actions are defined to improve the situation. The implementation of actions is verified and documented in the minute book.

This evaluation is considered to be quite unique and to go far beyond what other companies' boards-management teams do to optimise their collaboration.

On an individual IT project level, projects are evaluated based on time and cost/resource measures. However, the final delivery of IT solutions is not evaluated based upon the solutions' output quality and performance, cf. IT manager Lars Refslund. Consequently, the delivery model seems partial, and might be optimised based on these conditions. Therefore, IT Governance Arrangements to a large extent are aligned with Business Performance Goals, though the reviewing process might be optimised.

5. Recommendations

Recommendations for enhancing the current IT Governance practice at Novozymes A/S are:
• Develop and implement an IT Governance structure, i.e. arrangements and mechanisms, with regard to external business partners in general, cf. Larsen & Klischewski (2004), and long-term IT vendors in particular.
• Develop and implement a complete IT project delivery model containing assessments and follow-ups on outcome value and performance of delivered IT solutions in addition to the current time and cost assessments.
• Consider a combination of more IT governance tools, cf. section 2.2 and Niessink & van Vliet (2001), in optimising the IT Governance process.
• Cascade IT governance arrangements and mechanisms down through the organisation to embrace the emergent organisation, cf. Patel (2002) and Van Grembergen (2000).
• Coordinate and integrate IT Governance practice with other asset governance practices (i.e. HR, IP, facilities, etc.), and generate value from this multiple asset governance approach (cf. Glassman 2000, and Weill & Ross 2004).

With implementation of these initiatives Novozymes A/S might be even more prepared to meet the challenges of generating value from “unlocking the magic of nature”.

6. Conclusion and Future Research

The paper addresses the issues of optimising profits and reducing risks by focusing on decision-making processes and accountability frameworks. This paper reviews 17 IT Governance tools, and selects one assessment tool most appropriate for case evaluation. An IT Governance Assessment is carried out concluding that IT Governance Arrangements and Mechanisms to a large extent are aligned with strategy, organisation, behaviour and relevant metrics.

The study is a single case study, and therefore the findings will in principle only be applicable for the case organisation, although the findings may have a more general nature and broader scope of applicability.

The contribution of this paper is a) providing an overview of potential IT Governance approaches, i.e. a “toolbox”, b) providing an evaluation method, i.e. an IT Governance tool screening framework, consisting of relevant classification parameters in order to address the variation and demarcations between the approaches, and c) providing a rich case study with potential general recommendations.

Learning from the case analysis shows that though the organisation is considered to be fairly mature with regard to adopting IT governance, several
development directions can be pointed out, which have practical as well as scientific relevance.

Future research may go into unfolding the IT Governance structures with external partners, in addition to investigating the implications for IT Governance arrangements and mechanisms in balancing the current versus the emergent organisation.

6. References

[1] Alles, M. & Kogan, A. & Vasarhelyi, M. (2004). The Law of Unintended Consequences? Assessing the Costs, Benefits and Outcomes of the Sarbanes-Oxley Act. Information Systems Control Journal. Vol. 1.
[2] Bastiaens, B. (2004). Professional Application Management. The ITSM Journal. Vol. 1, March 1, p. 2, 4.
[3] Beasley, M.S. & Clune, R. & Hermanson, D.R. (2004). Enterprise Risk Management and the Internal Audit Function. North Carolina State University and Kennesaw State University. Working Paper.
[4] Behr, K. & Kim, G. & Spafford, G. (2004). The Visible Ops Handbook: Starting ITIL in 4 Practical Steps. Information Technology Process Institute.
[5] Brown, A.E. & Grant, G.G. (2005). Framing the Frameworks: A Review of IT Governance Research. Communications of the AIS. Vol. 15, Article 38.
[6] BS (2002). BS7799-2:2002 Information Security Management. Specification with guidance for use. British Standard.
[7] Dallas, S. & Bell, M. (2004). IT Governance Requires Decision-Making Guidelines. Gartner, January 19, Business Issues. Available at www.gartner.com.
[8] Damianides, M. (2005). Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance. Information Systems Management. Winter, pp. 77-85.
[9] Glassman, D. (2000). Joining the New Economy. Journal of Applied Corporate Finance. Vol. 13(3), Fall, p. 116.
[10] Hamaker, S. & Hutton, A. (2004). Principles of IT Governance. Information Systems Control Journal, Volume 2, ISACA.
[11] Hammer, M. (2002). Process Management and the Future of Six Sigma. MIT Sloan Management Review. Winter 2002, Vol. 43(2), pp. 26–32.
[12] Hill, G.M. (2004). Evolving the Project Management Office: A Competency Continuum. Information Systems Management. Fall, pp. 45-51.
[13] ISO (2000). BS ISO/IEC 17799:2000 Information technology. Code of practice for information security management. International Standard Organisation.
[14] ITGI (2001). Information Security Governance: Guidance for Boards of Directors and Executive Management. Information Systems Audit and Control Foundation, Information Technology Governance Institute. Available at http://www.itpi.org.
[15] ITGI (2003). Board Briefing on IT Governance, 2nd Edition. Information Technology Governance Institute. Available at http://www.itpi.org.
[16] Lainhart IV, J.W. (2000). COBIT[TM]: A Methodology for Managing and Controlling Information and Information Technology Risks and Vulnerabilities. Journal of Information Systems, December.
[17] Larsen, M.H. & Bjørn-Andersen, N. (2001). From Reengineering to Process Management – A Longitudinal Study of BPR in a Danish Manufacturing Company. Proceedings of the 34th Hawaii International Conference on System Sciences (HICSS 34). January 3-6, 2001, Island of Maui, Hawaii, USA.
[18] Larsen, M.H. & Klischewski, R. (2004). Process Ownership Challenges in IT-Enabled Transformation of Interorganizational Business Processes. Proceedings of the 37th Hawaii International Conference on System Sciences (HICSS 37). January 5-8, The Big Island of Hawaii, Hawaii, USA.
[19] Ma, Q. & Pearson, J.M. (2005). ISO 17799: “Best Practices” in Information Security Management? Communications of the AIS. Vol. 15, Article 32.
[20] Mainelli, M. (2005). Standard Differences: Differentiation through Standardisation? (ISO9001, SAS70 and management systems), Journal of Risk Finance, Volume 6(1), January, pp. 71-78.
[21] Marshall, P. & McKay, J. (2004). Strategic IT Planning, Evaluation and benefits Management: The Basis for Effective IT Governance. The Australian Journal of Information Systems. 11(2).
[22] Mathiassen, L. & Sørensen, C. (1996). The Capability Maturity Model and CASE. Information Systems Journal, Vol. 6.
[23] McPhie, D. (2000). AICPA/CICA SYSTRUST[TM] Principles and Criteria. Journal of Information Systems. American Institute of Certified Public Accountants, Canadian Institute of Chartered Accountants. December 22.
[24] Meijer, M. (2003). Application Service Library (ASL) and CMM. bITa Monitor – The journal of IT Alignment and Business IT Alignment, Vol. 1(1), March, pp. 21-26.

[25] Meyer, N.D. (2004). Systemic IS Governance: An Introduction. Information Systems Management. Fall, pp. 23-34.
[26] Moore, F. & Swartz, N. (2003). Keeping an eye on Sarbanes-Oxley. Information Management Journal. 37(6), p. 20.
[27] Niessink, F. & Clerc, V. & Tijdink, T. & van Vliet, H. (2005). The IT Service Capability Maturity Model. CIBIT Consultants | Educators, Bilthoven, and Vrije University, The Netherlands. Technical Report. January.
[28] Niessink, F. & van Vliet, H. (1998). Towards Mature IT Services. Software Process - Improvement and Practice, Volume 4(2), June, pp. 55-71.
[29] Niessink, F. & van Vliet, H. (2000). Software Maintenance from a Service Perspective. Journal of Software Maintenance: Research and Practice, Vol. 12(2), March/April, pp. 103-120.
[30] Niessink, F. & van Vliet, H. (2001). Measurement Program Success Factors Revisited. Information and Software Technology, Vol. 43(10), August, pp. 617-628.
[31] Niessink, F. (2003). IT Service CMM in a Nutshell. bITa Monitor – The journal of IT Alignment and Business IT Alignment, Vol. 1(1), March, pp. 27-31.
[32] Novozymes (2005). Stock Exchange Announcement. Group financial statement, first quarter 2005, April 28.
[33] OECD (2004). OECD Principles of Corporate Governance: 2004. Organisation for Economic Co-operation and Development. Available at http://www.oecd.org/document/49/0,2340,en_2649_34813_31530865_1_1_1_1,00.html.
[34] OGC (2005). Managing Successful Projects with PRINCE2. Office of Government Commerce. June. ISBN 0113309465.
[35] Pacini, C. & Ludwig, S.E. & Hillison, W. & Sinason, D. & Higgins, L. (2000). SysTrust and Third-Party Risk. Journal of Accountancy. August 1.
[36] Patel, N.V. (2002). Emergent forms of IT Governance to support Global e-business models. Journal of Information Technology Theory and Application.
[37] Peterson, R. (2004). Crafting Information Technology Governance. Information Systems Management. Fall, pp. 7-22.
[38] Pyzdek, T. (2003). The Six Sigma Handbook – A complete Guide for Green Belts, Black belts, and managers at All Levels. McGraw-Hill.
[39] Rau, K.G. (2004). Effective Governance of IT: Design, Objectives, Roles, and Relationships. Information Systems Journal. Fall, pp. 35-42.
[40] Robbins, S. (2004). IS Governance. Information Systems Management. Fall, pp. 81-82.
[41] Sambamurthy, V. & Zmud, R.W. (1999). Arrangements for Information Technology Governance: a theory of multiple contingencies. MIS Quarterly. Vol. 23(2), pp. 261-290.
[42] Sammer, J. (2004). Companies migrating from SOX “myopia” to risk management. Compliance Week (November): 1, 26-28.
[43] Sherer, S.A. (2004). IS Project Selection: The Role of Strategic Vision and IT Governance. Proceedings of the 37th Hawaii International Conference on System Sciences (HICSS 37).
[44] Sisco, M. (2002). Technology review is at the core of an IT assessment. TechRepublic.
[45] Sisco, M. (2002b). Acquisition - IT Due Diligence. Publisher: Mike Sisco. ISBN / eBook ID: MDE_Due_Diligence. March.
[46] SOX (2002). Sarbanes-Oxley Act, Public Law No. 107-204. Washington, DC: Government Printing Office.
[47] Spafford, G. (2003). The Benefits of Standard IT Governance Frameworks. IT Management. April 22.
[48] Van Der Pols, R. (2004). ASL - A framework for application management. Van Haren Publishing. ISBN 90-77212-05-1.
[49] Van Grembergen, W. (2000). The Balanced Scorecard and IT Governance. Information Systems Control Journal.
[50] Weill, P. & Ross, J. (2005). A Matrixed Approach to Designing IT Governance. MIT Sloan Management Review. Winter, 46(2), pp. 26-34.
[51] Weill, P. & Ross, J.W. (2004). IT Governance – How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press. Boston. Massachusetts.


