Copyright © 2007 ISACA. All rights reserved. www.isaca.org.

How Does the Business Drive IT?

Identifying, Prioritising and Linking Business and IT Goals
By Wim Van Grembergen, Steven De Haes and Hilde Van Brempt

I
n today’s complex and constantly changing business world,
the governance of information technology (IT) and the
alignment of IT to the business are high on the agenda of
executive management. Strategic planning based on the
alignment of IT goals to business goals is a key component in
business/IT alignment. It is important that an organisation
start with a clear view on its corporate mission and a
thorough definition of its supporting strategy and business
goals. Then, these need to be translated into goals for the IT
department, which are the basis for the IT strategy. Finally,
the supporting IT processes must be carefully planned to
translate the IT strategy into action. For these planning efforts,
companies may be looking for guidance to identify the set of
important business goals and IT goals and determine how
they interrelate.
The IT Governance Institute (ITGI)’s research on this
subject was illustrated by a previous article1 in the Information
Systems Control Journal and led to the publication of a set of
generally applicable business goals for IT and associated IT
goals in COBIT 4.0. Extensive follow-up research was
performed to gain more insight into this set of business and
IT goals and their linkage. This article presents the results of
the follow-up research project in which experts in different
sectors were asked to validate, prioritise and link a set of
business goals and IT goals. This research resulted in a
significant improvement of the business goals for IT and
associated IT goals in COBIT 4.1.
For the prioritisation and linking of the goals, a Delphi
method was used. This method is based on a structured
process for collecting and distilling knowledge from a group
of experts by means of several feedback rounds. A team of
experts was asked to prioritise a list of business and IT goals
by using a ranking technique, and the averaged results were
returned to them. Different rounds were performed to achieve
consensus amongst the experts on which were the important
goals and how the business goals linked to the IT goals.
The ISACA database was used as a major source for
identifying subject experts. In total, the participants were 158
business and IT professionals (managers and auditors) from
companies in one of the sectors previously mentioned and
with more than 150 employees. One of the assumptions was
that these experts have sufficient knowledge on both IT and
business goals. Figure 1 presents the expert team’s
composition by sector and geographic area.
Figure 1—Expert Team Composition
Expert Team per Sector
Retail Transportation: 16
Financial: 38

Government, Utilities,
Research Background Healthcare: 39
This research project was based on the findings of a pilot Manufacturing,
study that resulted in a list of 20 generic business goals and Pharmaceutical: 25
28 generic IT goals, published in COBIT 4.0. The objective of
this research was to:
• Validate these lists for completeness, consistency and clarity IT Professional Service,
Telco, Media: 40
• Gain more insight into goals’ priorities for different sectors
• Examine the relationship between IT goals and business goals
In practice, every enterprise has its own distinct sets of Expert Team per Geography
business and IT goals. Priorities within these sets differ Australia: 7
depending on a variety of internal and external factors, such Asia: 28
as company size, market position, degree of IT dependency,
industry and geography. This project chose an industry North America: 51
approach and started with a pilot study in the financial sector
that was then replicated in the following four sectors: Africa: 14
• Manufacturing and pharmaceuticals
• IT professional services, telecommunications and media
• Government, utilities (energy, oil and gas) and healthcare Middle East: 18 Latin America: 3
• Retail and transportation
Europe: 37

I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7 1
 Findings
The following findings resulted from the study.
Identification of Business and IT Goals
The outcome of the exercise was an in-depth understanding
of business goals and IT goals, and how they interrelate.
During the research, the original list of IT goals and business
goals (published in COBIT 4.0) was reviewed multiple times
and evolved to a generic list of 17 (IT-related) business goals
and 18 IT goals. Overlaps, inconsistencies and ambiguities
amongst the different goals were reduced to a minimum. The
goals turned out to be generically defined and applicable
across all sectors. Figure 2 presents the final list of business
and IT goals, categorised by their corresponding balanced
scorecard (BSC) perspectives. The generically defined goals
provide a guideline to help companies identify their set of
important business and IT goals. In practice, enterprises will
need to develop their own subset, but they can do this
efficiently by:
• Starting from these generic business and IT goals
• Updating them for enterprise specifics (strategy,
infrastructure, etc.)
• Adding measures to track goal achievement
Top 10 Business and IT Goals
Both lists of business and IT goals have been prioritised
over five different sectors. Figure 3 presents the top 10 most
important business and IT goals, consolidated over all sectors.
Apart from some minor exceptions, the separate lists of the
different sectors include the same business goals and IT goals
in their individual top 10 lists. This proves that there is a very
high degree of consensus that these 10 goals are, generically
Figure 2—Validated Lists of Business Goals and IT Goals
Business Goals
Financial (Corporate) Perspective
• Manage (IT-related) business risks.
• Provide a good return on investment of (IT-enabled)
business investments.
• Improve financial transparency.
• Comply with external laws and regulations.
Customer Perspective
• Improve customer orientation and service.
• Establish service continuity and availability.
• Offer competitive products and services.
• Achieve cost optimisation of service delivery.
• Create agility in responding to changing business requirements. efficient automated solutions.
• Obtain reliable and useful information for strategic decision • Accomplish proper use of applications, information and technology
making.
Internal Perspective
• Improve and maintain business process functionality.
• Improve and maintain operational and staff productivity.
• Enable and manage business change.
• Comply with internal policies.
• Optimise business process costs.
Learning and Growth Perspective
• Acquire, develop and maintain skilled and motivated people.
• Identify, enable and manage product and business innovation. • Acquire knowledge and expertise in emerging technologies for business
2 I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
speaking, the most important business goals and IT goals.
Filtering the results per company size and geography
confirmed the stability of these top 10 lists of goals.
Financial and Customer-oriented Goals2
Although priorities may differ from sector to sector, in
general, business goals categorised in the customer and
financial perspective of the BSC score high in the ranked list,
whilst the internal and learning and growth perspective goals
receive lower scores overall. As an example, the customer-
oriented business goals ‘improve customer orientation and
service’ and ‘establish service continuity and availability’ and
the financial-oriented business goals ‘comply with external
laws and regulations’ and ‘manage IT-related business risks’
make up the top four in the generic list and are also
systematically ranked high to very high in the individual lists
by sector, geography and company size.
This trend is confirmed in the IT goals list. The IT goals for
the related IT BSC perspective’s corporate and user are higher
in the list than those for the learning and growth perspective.
For example, the corporate contribution-related goals ‘align the
IT strategy to the business strategy’ and ‘provide IT
compliance with laws and regulations’ and the user-oriented
goals ‘make sure that IT services are reliable and secure’ and
‘provide service offerings and service levels in line with
business requirements’ are systematically ranked high for the
different sectors, geographies and company sizes.
It is remarkable that the future-oriented business goal for
acquiring and maintaining the necessary skills only just makes
it in the top 10 list of business goals (number 8), and that its IT
counterpart goal, ‘acquire, develop and maintain IT skills that
respond to the IT strategy’, falls out of the top 10 most
important IT goals.
IT Goals
Corporate Contribution
• Offer transparency and understanding of IT cost, benefits and risks.
• Provide IT compliance with laws and regulations.
• Account for and protect all IT assets.
• Drive commitment and support of executive management.
• Improve IT’s cost-efficiency.
• Align the IT strategy to the business strategy.
User Orientation
• Make sure that IT services are reliable and secure.
• Provide service offerings and service levels in line with business
requirements.
• Translate business functional and control requirements in effective and
solutions.
Operational Excellence
• Maintain the security (confidentiality, integrity and availability) of
information and processing infrastructure.
• Deliver projects on time and on budget, meeting quality standards.
• Optimise the IT infrastructure, resources and capabilities.
• Provide IT agility (in responding to changing business needs).
• Seamlessly integrate applications and technology solutions into
business processes.
Future Orientation
• Acquire, develop and maintain IT skills that respond to the IT strategy.
innovation and optimisation.
• Ensure that IT demonstrates continuous improvement and readiness
for future change.
 Figure 3—Top 10 List of Business Goals and IT Goals
Top 10 Prioritised Business Goals
1. Improve customer orientation and service.
2. Comply with external laws and regulations.
3. Establish service continuity and availability.
4. Manage (IT-related) business risks.
5. Offer competitive products and services.
6. Improve and maintain business process functionality.
7. Provide a good return on investment of (IT-enabled)
business investments.
8. Acquire, develop and maintain skilled and motivated
people.
9. Create agility in responding to changing business
requirements.
10. Obtain reliable and useful information for strategic
decision making.
The Role of Sector-specific Characteristics
Although a relatively high degree of general consensus was
found regarding the top 10 business and IT goals, a number of
sector-specific characteristics were identified.
In the IT professional services sector, its high dependency
on IT skills is confirmed with a higher ranking for the goal
‘acquire, develop and maintain IT skills that respond to the IT
strategy’. Another important asset (differentiator) for
companies operating in this sector is (knowledge of) advanced
technology, which explains the higher importance of ‘identify,
enable and manage product and business innovation’. On the
other hand, the business goals ‘establish service continuity and
availability’ and ‘improve and maintain business process
functionality’ score lower compared to most other sectors. This
may be explained due to a lower focus (and lower budgets) on
their own internal processes whilst most efforts go to customer
services.
Typical for the government/utilities/healthcare sector is that
internal policies are to be strictly followed, which is confirmed by
the highly ranked goals ‘improve financial transparency’ (number
6) and ‘comply with internal policies’ (number 9), respectively
nine and seven places higher than for the other sectors. This is
even reinforced in the utilities sector, which may be a consequence
of the specific market situation (monopoly/oligopoly) requiring a
controlled environment. Further, because of this sector’s nonprofit
orientation, cost-optimisation-related goals, such as ‘provide a
good return on investment of (IT-enabled) business investments’
and ‘achieve cost optimisation of service delivery’ score lower in
the importance list. This specificity of the sector can also explain
the low ranking of ‘offer competitive products and services’,
which is ranked 10 places lower compared to the other sectors.
Another characteristic of governmental institutions is that they are
trying to increase their focus on providing adequate customer
(citizen) service, which is confirmed by the high priority for the
customer-oriented goals ‘improve customer orientation and goals’
and ‘establish service continuity and availability’.
The retail and transportation sector is characterised by low
profit margins, which explains the higher ranking for goals
such as ‘optimise business process costs’. Customer loyalty is
also seen as one of the challenges in this sector, and initiatives
are undertaken to deal with this. This is translated into the top
four of most important business goals, which are all customer-
oriented. This is also the only sector where the business goal
for compliance with external laws and regulations is not in the
top three, indicating that compliance is not yet a top priority in
the retail and transportation sector.
I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
Top 10 Prioritised IT Goals
1. Align the IT strategy to the business strategy.
2. Maintain the security (confidentiality, integrity and availability) of
information and processing infrastructure.
3. Make sure that IT services are reliable and secure.
4. Provide service offerings and service levels in line with business
requirements.
5. Provide IT compliance with laws and regulations.
6. Translate business functional and control requirements in
effective and efficient automated solutions.
7. Deliver projects on time and on budget, meeting quality
standards.
8. Drive commitment and support of executive management.
9. Improve IT’s cost-efficiency.
10. Account for and protect all IT assets.
The Role of Size and Geography
When comparing the differences amongst geographic
locations or company size, fewer variations were identified.
This may indicate that sector-related characteristics have a
higher impact on setting priorities. Still, some minor but
interesting differences were identified. For example, larger
organisations tend to pay more attention to business goals such
as ‘comply with external laws and regulations’ and ‘manage
(IT-related) business risks’ than smaller organisations do. In
Europe, the Middle East and Africa, the IT goal ‘acquire,
develop and maintain IT skills that respond to the IT strategy’
appears to be less important compared to other regions in the
world.
Generic IT Goals
Another finding is that, in general, the level of agreement
amongst the experts for the list of prioritised business goals is
lower than the level of agreement for prioritised IT goals. An
explanation may be found in the fact that business goals may
differ more depending upon some external or internal factors,
such as sector-specific characteristics, company size, geography
and others, whilst IT goals’ prioritisation may follow a more
generic pattern and is less influenced by these aspects.
Different Levels of Linking Relations
This research also contains detailed findings on how the IT
goals can support business goals. Figure 4 shows how IT goals
are related to business goals. From this matrix, it becomes
(visually) clear that some goals are defined on a higher level
compared to others. For example the IT goal ‘align the IT
strategy to the business strategy’ supports all business goals in
a primary (P) or secondary (S) manner, indicating that its
scope is broadly defined and covers multiple areas of IT
responsibilities. On the other hand, business goal number 15,
‘improve financial transparency’, and IT goal number 13,
‘offer transparency and understanding of IT cost, benefits and
risks’, show only a primary relationship to each other,
confirming their similar and narrowly defined scope.
Practical Application of the Results
Preliminary results of this research have already been taken
into consideration for the continuous Control Objectives for
Information and related Technology (COBIT) developments,
and they contain valuable new opportunities for further updates
and follow-up research. The results of this research provide
practical guidance for professionals in the attempt to build a
cascade of business goals and IT goals for their specific
3
 Figure 4—Linking IT Goals to Business Goals

7. Provide a good return on investment of (IT-enabled) business investments.

10. Obtain reliable and useful information for strategic decision making.
9. Create agility in responding to changing business requirements.

17. Identify, enable and manage product and business innovation.

8. Acquire, develop and maintain skilled and motivated people.

14. Improve and maintain operational and staff productivity.

2. Provide compliancy with external laws and regulations.

6. Improve and maintain business process functionality.

11. Achieve cost optimisation of service delivery.

3. Establish service continuity and availability.

16. Provide compliancy with internal policies.

1. Improve customer orientation and service.

5. Offer competitive products and services.

13. Enable and manage business change.

4. Manage (IT-related) business risks.

12.Optimise business process costs.

15. Improve financial transparency.

Business Goals
IT Goals
1. Align the IT strategy to the business strategy. P S S P P P S S P P S S P S S S P
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure. P P P P S S P
3. Make sure that IT services are reliable and secure. P P P P S S S S S S S S
4. Provide service offerings and service levels in line with business requirements. P P S P P S S S S S S S S S
5. Provide IT compliancy with laws and regulations. S P P S S S P
6. Translate business functional and control requirements in effective and efficient automated solutions. S S S S P S S S S S S S S S
7. Deliver projects on time and on budget meeting quality standards. S S S S S S S S S S
8. Drive commitment and support of executive management. S S S S S S S S S S
9. Improve IT’s cost-efficiency. S P P P S
10. Account for and protect all IT assets. S S S S S S
11. Acquire, develop and maintain IT skills that respond to the IT strategy. S S P S S S S S
12. Provide IT agility (in responding to changing business needs). S S S S P P S
13. Offer transparency and understanding of IT cost, benefits and risks. S S S S P
14. Optimise the IT infrastructure, resources and capabilities. S S P S P S S
15. Accomplish proper use of applications, information and technology solutions. S S S S S S S S S S S S S
16. Seamlessly integrate applications and technology solutions into business processes. S S P S S S S S S S S
17. Ensure that IT demonstrates continuous improvement and readiness for future change. S S S P S P
18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation. S S P S S S S P

organisations. Enterprises can do that efficiently by starting impact, the associated goals are called ‘Corporate
from these generic business and IT goals, selecting what Contribution’ and ‘User Perspective’.
applies to them and updating it for enterprise-specific
situations. This will be a good starting point toward Wim Van Grembergen
implementing IT governance. is a professor in the information systems management
department of the University of Antwerp and an executive
Acknowledgements professor at the University of Antwerp Management School.
This research project was commissioned by ITGI and was He is also academic director of the ITAG Research Institute.
performed by the Information Technology Alignment and Van Grembergen has been involved in research and
Governance (ITAG) Research Institute of the University of development activities for several COBIT products.
Antwerp Management School (UAMS) in Belgium. ITGI also
provided the necessary contact information from the ISACA Steven De Haes
member database for building the expert team. The authors and is responsible for the information systems management
researchers are grateful for the valuable support of the COBIT executive programmes at the University of Antwerp
Steering Committee and would like to thank Erik Guldentops Management School. He is managing director of the ITAG
who initiated this research and provided many ideas on IT Research Institute and is currently finalising a Ph.D. in IT
governance. Thanks also go the expert team members for governance. De Haes has also been involved in research and
taking the time during several rounds to provide valuable development activities for several COBIT products.
answers and feedback on the questionnaires.
Hilde Van Brempt
Endnote is senior researcher for the ITAG Research Institute. She has
1
Van Grembergen W.; S. De Haes; J. Moons; ‘IT Governance: many years of experience in large organisations and is now
Linking Business Goals to IT Goals and COBIT Processes’, involved in organising and executing international research
Information Systems Control Journal, vol. 4, 2005 programmes. She is currently starting a Ph.D. research project
2
Because IT may not have a direct financial and customer on IT governance and IT skills.

4 I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7
 Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.

© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 6 , 2 0 0 7 5