IT Governance and Process Maturity: A Field Study

Roger Debreceny
Shidler College of Business
University of Hawaii at Mānoa
rogersd@hawaii.edu

Glen L Gray
College of Business and Economics
California State University at Northridge
glen.gray@csun.edu

Abstract

An important element of IT governance is the provision of robust IT capability. The concept of process capability maturity provides a useful methodology for the measurement and analysis of the state of IT capability. The COBIT IT Governance framework provides both a measurement methodology and an IT process structure that together provide a foundation for the measurement of process capability maturity across the lifecycle of IT investment. This study reports the results of a large-scale field study of process maturity in 51 organizations in eight developed and developing countries.

1. Introduction

IT governance is the tension between the exercise of decision rights, as a subset of corporate governance, and the design and execution of structures and processes to implement organizational objectives [1-3]. Arguably the most complete definition is from the IT Governance Institute, viz: "the responsibility of executives and the board of directors, consisting of the leadership, organizational structures and processes that ensures the enterprise's IT sustains and extends the organization's strategy and objectives" [1]. Much of the discourse on IT governance has been on the exercise of decision-making rights and the structuring of IT organizational forms [4, 5]. There has been recent attention to a broader range of attributes of IT governance, including the determinants of IT investment decision making [6], strategic alignment [7] and business/IT alignment [8]. An important attribute of IT governance within this view is the development and maintenance of the capability to perform key IT processes. The IT function, working with the rest of the organization, must build a variety of capabilities to meet organizational strategic objectives.
These capabilities bring together internal and external human resources, software applications, hardware, and other resources in a systematic fashion to achieve a desired outcome. These outcomes may be strategic in nature, such as the determination of future direction for the IT function; tactical, such as providing customer service from a help desk or problem management; or operational, such as installing a systematic process for backup and storage of data. Unfortunately, there is little empirical evidence on the state of process maturity, narrowly, and IT capability, more broadly. Nor is there substantiation of which aspects of IT governance are associated with process implementation. The objective of this paper, then, is to take a first step in quantifying the level of process maturity across the IT lifecycle. We seek to bridge this clear gap in the research literature.

We address the nexus between key IT governance attributes and IT process implementation. We draw on the well-established literature on process maturity, particularly the Capability Maturity Model (CMM), as the foundation for our analysis of process implementation. We investigate and identify the key attributes of IT governance. We then bring these together in a large field study.

The paper proceeds as follows. In the next section, we address the nature and measurement of process reliability and maturity. We speculate on the strategic and managerial dimensions of process maturity. In the third section, we consider the particular application of process maturity methods in COBIT. The next two sections address the method and results, respectively. We discuss our results in the sixth section, and set out our conclusions and call for additional research in the final section.

2. Achieving IT Process Reliability

2.1. Introduction

Proceedings of the 42nd Hawaii International Conference on System Sciences - 2009
978-0-7695-3450-3/09 $25.00 © 2009 IEEE