Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Linking Business Goals to

IT Goals and COBIT Processes
By Wim Van Grembergen, Steven De Haes and Jan Moons

nformation technology has become pervasive in todays

dynamic and often turbulent business environments. While,
in the past, business executives could delegate, ignore or
avoid IT decisions, this is now impossible in most sectors and
industries. In this context, many organizations have started
with the implementation of IT governance to achieve the fusion
between business and IT and to obtain the needed IT
involvement of senior management.1 IT governance can be
defined as the leadership and organizational structures and
processes that ensure that IT sustains and extends the
organizations strategy and objectives.2 As described in this
definition, a crucial element of IT governance is achieving a
better link between business and IT, also referred to as strategic
alignment. However, this relationship is complex and addresses
aligning business goals to IT goals and processes.
To gain a more thorough and pragmatic understanding of
how business goals drive IT goals in different industries and
how the IT goals are supported by IT processes, the IT
Governance Institute (ITGI) assigned a research project to the
ITAG Research Institute of the University of Antwerp
Management School (www.uams.be/itag).
This article summarizes results and conclusions of the first
phase of this research. The material will be refined in further
research initiatives during 2005. It appears that defining the
link between business goals and IT goals was not always an
easy exercise for interviewees and that many of the identified
goals were very high-level and generic.

Pilot Study Methodology

To achieve more insight into the complex relationship
among business goals, IT goals and IT processes, eight
different industries were analyzed: financial, health,
government, retail, pharmaceutical, utilities, IT services and
consulting, and transportation. Within each industry, interviews
were conducted with an IT manager, a business manager and a
senior consultant/expert of the sector. During these interviews,
questionnaires were used to identify the most important
business goals and the IT goals contributing to those goals. In
addition, COBIT processes were identified that support the
achievement of the reported IT goals. These relationships were
summarized for each industry in two matrices and supplemented
with background information on the major characteristics, value
drivers and risk drivers of the industry under review.
The reported results regarding the characteristics and the
value and risk drivers are a synthesis of the answers of the
interviewees and, consequently, their perception. The IT

goals/business goals matrices are based on the information

collected during the interviews. Whenever IT and/or business
goals were similar, they are labelled by one unique term. The
IT goals/COBIT matrices are based on the input of the
interviewed consultants and, when necessary, are
complemented by the researchers. For reasons of conciseness
and manageability, the list of COBIT processes is reduced to the
15 most important COBIT processes as selected in 2001 by the
Information Systems Audit and Control Association.

Specific Research Results

As an example, this section will summarize the results of
two sectors from which well-balanced results were obtained:
the financial and the pharmaceutical sectors. For each sector,
the most important characteristics and value and risk drivers
are described. Next, two matrices are shown, one presenting
the links between business goals and IT goals (figures 1
and 3) and one between COBIT processes and IT goals
(figures 2 and 4). Reading these matrices in combination
enables a better understanding of how IT processes support
IT goals, which in turn support business goals. In the matrices,
a distinction is made between primary (P) and secondary (S)
relationships.
The Financial Sector
Characteristics of the financial sector include:
Very high transaction volumes with little hard-copy evidence
Complex data processing for each transaction
Stringent security measures for each transaction dictated by
law and the nature of the data
Criticality of availability of systems and datamost IT
systems have to be available 24/7. This had been a
discriminating feature between financial institutions but now
is a basic requirement.
Increasing emphasis on timely processing or straight-through
processingthe immediate and automated processing of an
entire transaction
High reliance on IT, perhaps more so than in any other
sector/industry
High IT budgets often accounting for approximately 15
percent of the entire annual company budget
Not a first mover in IT but an early follower. Adopting
technologies that have not yet matured might backfire in this
highly visible sector.
Highly regulated by national and international laws and
standards, such as Basel II

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005

IT
G

oa

ls
De
v
a f elop
oc in
u
Fu s o g in
lf
n n
de illin info ovat
pa g S rm ive
rtm LA a IT
en s w tion se
Inc
ts it
rea
h b securvice
sin
us rit s w
Int
g
ine y
ith
ss
of egra IT de
dif tio
p
art
fer n a
m
en nd
e
IT
dis t IT con nt ef
d
f
as
s
ter epar olid icien
t
cy
r
IT
me atio
ec
go
ov
nts n
ve
e
ry
rn a
a
nd
nc
IT
e/I
bu
me
Ts
sin
as
tra
es
u re
sc
teg
Lo
st
on
ic
we
os
tin
ali
rin
ati
uit
g
gc
sfy
nm
y
os
en
Ma
Ba
t
t
se
of
kin
l
tra
gI
II r
ns
Tm
eq
ac
uir
Op
ea
tio
em
tim
su
np
ra b
en
izi
roc
ts
ng
le
es
the
Ra
s
ing
pid
IT
inf
de
ra s
ve
Re
lop
tru
du
ctu
me
cin
re
nt
ge
of
Sta
xte
ne
w
nd
rn a
I
ard
Ts
ls
taf
e rv
izi
ng
f
ice
IT
s
sy
ste
ms

Figure 1IT Goals, Business Goals Matrix

Business Goals
Achieving compliance with Basel II regulations
Improving competitiveness through IT
Improving customer orientation and service
Postmerger integration and consolidation
Reducing operational cost
Reducing transaction cost
Risk management
Shortening service development life cycle
Tailoring solutions for different target groups

S
P
P

P
P
S

P
P
P
S
S

S
S
P

S
P
S
S
S
S
P
S
S

P
P
P
P
S

P
P

S
S
S
P
S

P
S
P
P

S
P
S
S

P = Primary
S = Secondary

IT

Go

ls
De
v
a f elop
oc in
u
Fu s o g in
lf
n n
de illin info ovat
pa g S rm ive
rtm LA a IT
en s w tion se
Inc
ts it
rea
h b securvice
sin
us rit s w
Int
g
ine y
ith
ss
of egra IT de
dif tio
p
art
fer n a
m
en nd
e
IT
dis t IT con nt ef
d
f
as
s
ter epar olid icien
t
cy
rec
IT
me atio
go
ov
nts n
ve
e
ry
rna
a
nd
nc
IT
e/I
bu
me
Ts
sin
as
tra
es
ure
sc
teg
Lo
st
on
ic
we
os
tin
ali
rin
ati
uit
gn
gc
sfy
y
m
os
en
Ma
Ba
t
t
se
of
kin
l
tra
gI
II r
n
Tm
eq
sa
uir
Op
cti
ea
em
on
tim
su
rab
en
pro
izi
ts
ng
le
ce
ss
the
Ra
ing
pid
IT
inf
de
ras
ve
Re
lop
tru
du
ctu
me
cin
re
nt
ge
of
Sta
xte
ne
w
nd
rna
I
ard
Ts
ls
taf
erv
izi
ng
f
ice
IT
s
sy
ste
ms

Figure 2IT Goals, COBIT Processes Matrix

Plan and Organize

1 Define a strategic IT plan
3 Determine technological direction
5 Manage the IT investment
9 Assess risks
10 Manage projects

P
P
S
P

S
S
S

S
P
S

S
P
P
P

S
P
P
P

P
P
S
S

P
P

P
P
P
P
P

S
S
S

P
S
S
S

P
P
S

P
P
P
S
S

S
S
S
S

S
S
S
S

Acquire and Implement

1 Identify automated solutions
2 Acquire and maintain application software
5 Install and accredit systems
6 Manage changes

S
S

S
S
S

S
P
S
S

S
S
S

Deliver and Support

1 Define and manage service levels
4 Ensure continuous service
5 Ensure systems security
10 Manage problems and incidents
11 Manage data

P
S

S
S
S
S

P
P
S
S

Monitor and Evaluate

1 Monitor the processes

Value and Risk Drivers

of the Financial Sector
Value drivers:
Diminishing transaction costsBecause of higher
transaction volumes, even small improvements may lead to
substantial cost reductions.
Introduction of new and innovative services, such as
e-banking
Increasing emphasis on customer orientation instead of
product orientation
Risk drivers
Security breachesBecause high-visibility security

P = Primary
S = Secondary

breaches, whether small or large, are widely noticed, they

inevitably have important implications.
High-liability factorThe huge amounts of money being
processed by the financial institutions lead to high liability,
and even apparently insignificant mistakes can lead to
considerable losses.
Many changes in a short span of timePressured by evertightening legislation (e.g., Basel II and Sarbanes-Oxley)
and competition (e.g., the introduction of Internet banking
applications), the financial sector has been forced to make
many changes to its IT architecture in a relatively short
period of time.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005

The Pharmaceutical Sector

Characteristics of the pharmaceutical sector include:
Large market capitalization
Considerable growth rateFive years ago, the sector had a
yearly growth rate of 23 percent and currently has a yearly
growth of about 9 percent.
Importance of research and development (R&D)
High reliance of R&D on ITMost pharmaceutical
companies have a large investment in IT. A respondent
mentioned that approximately 19 percent of the
organizations sales revenue is invested in IT. In these
companies, IT is not considered an overhead but a crucial
enabler of business activities.
Importance of engineering new molecules
Highly regulatedThe US Food and Drug Administration
(FDA), for example, has an enormous set of rules with which
pharmaceutical companies have to comply, impacting both
R&D and sales.
Value and risk drivers of the pharmaceutical sector include:
Value drivers:
Improved development programsBecause the core
business of most pharmaceutical companies is creating and
marketing new molecules, one of the most important value
drivers is creating a more efficient molecule development
program.
OutsourcingMany pharmaceutical companies are
outsourcing the design of new molecules to smaller
bioengineering entities.
Patent creationPatents are necessary to protect R&D
investments.
Protection of informationWith only a few molecules
discovered per year, confidentiality and protection of the
information regarding these molecules is paramount.
Risk drivers:
Regulatory controlIn an attempt by government agencies
to guarantee the quality of the molecules, rules and
regulations are imposed for every aspect of the
development process. This often inhibits creativity.
Regulations also have an impact on IT systems. For
example, all scientific data regarding pharmaceutical
products have to be preserved for at least 30 years, which

may hinder the upgrade to more modern systems.

Increased R&D budget
Diminished yields on R&DIt becomes more and more
difficult to engineer successful molecules. While R&D
provides a multitude of molecules, only very few make it to
the manufacturing stage. Even the most successful
companies produce only around three to four new
molecules per year. The risk that the huge R&D investment
does not deliver the expected results is very real.
Leakage of information to competitors
International price differences of drugs

General Research Results

After analysis of all sectors, it was found that 46 percent of
all business goals and 37 percent of all IT goals provided by the
interviewees could be considered specific to their sector, i.e.,
they are not equally important for all other sectors. Examples
are achieving compliance with Basel II regulations as a
specific business goal for the financial sector and taking IT
measures to satisfy FDA requirements as a specific IT goal for
the pharmaceutical sector. On the other hand, more than 50
percent of all goals are generic, such as improving customer
orientation and service, IT disaster recovery and business
continuity and standardizing IT systems.
The business goals and IT goals that were mentioned most
frequently are summarized in figure 5. The links between
those business and IT goals are set by the researchers as an
example; they are not based on the input of the interviewees. It
appears that the most frequently mentioned business goals are
rather high-level and generic. The IT goals are at a lower level
but still generic.
The matrix in figure 6 maps the five most frequently
mentioned IT goals to the 15 most important COBIT processes.
These links are again filled out by the development team as an
example.

Conclusions
This eight-sector research project provides a view of the
links between business and IT goals, and the relationships
between COBIT processes and IT goals. It appears that defining

IT
Go
als
Ce
ntr
ali
za
De
tio
no
innvelo
fc
ov pin
on
a
tro
Ed tive g an
l
d
u
wi cati app imp over
th ng lic le
ne pe ati me IT s
y
w rs on nt
a
Im
o
s ing stem
pro pplic nne
s
ne
ati l to
vin
w
on wo
an
gI
s
d
Tc
rk
Inv
eff
os
es
ici
te
tig
en
ffic
ati
tly
ien
ng
IT
cy
I
T
dis
off
as
sh
ter
ori
ng
rec
Pr
po
ote
ov
ss
ery
cti
ibi
ng
an
liti
db
da
es
Sta
ta
u
s
nd
an
ine
ard
ds
ss
izi
ys
Ta
c
on
tem
ng
k
tin
IT
FD ing I
s
uit
sy
Ar Tm
y
ste
eq e
ms
uir asu
em re
en s to
ts
sa
tis
fy

Figure 3IT Goals, Business Goals Matrix

Business Goals
Achieving compliance with FDA regulations
Defending patents
Developing new molecules
Future-proofing the organization
Improving operational excellence
Improving organizational structure
Improving R&D processes
Increasing revenue
Networking and strategic alliances
Protecting of information

S
P
S

P
P

S
S

S
P
S

S
P
S

P
S
P
S

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4 2005

S
S
P
S

S
P

S
S

P = Primary
S = Secondary

ls
oa

ntr
Ce

IT
G

ali
za
De
tio
no
innvelo
fc
ov pin
on
ati g a
tro
ve nd
Ed
lo
uc
a
im
ve
p
wi ati
th ng plica plem r IT
sy
ne pe
t
ion en
ste
w
r
s
s ting
Im
a
ms
pro ppli onne
ne
ca l t
v in
w
tio o w
an
gI
ns or
d
Tc
Inv
ke
os
es
ffic
te
tig
ien
ffic
ati
t
i
ly
ng
en
IT
cy
IT
dis
off
as
sh
t er
ori
ng
re c
Pr
po
ov
ote
ery
ss
cti
ibi
an
ng
liti
d
d
es
Sta
bu
ata
s
nd
ine
an
ard
ds
ss
i
ys
co
zin
Ta
t
n
e
g
k
tin
ms
IT
uit
FD ing I
sy
y
Ar Tm
ste
eq e
ms
uir asu
e m re
en s to
ts
sa
tis
fy

Figure 4IT Goals, COBIT Processes Matrix

Plan and Organize

1 Define a strategic IT plan
3 Determine technological direction
5 Manage the IT investment
9 Assess risks
10 Manage projects

P
S
S

P
P

P
S
S

P
S
S

S
S
S
S

Acquire and Implement

1 Identify automated solutions
2 Acquire and maintain application software
5 Install and accredit systems
6 Manage changes

P
P
P
P

S
S
S
S

Deliver and Support

1 Define and manage service levels
4 Ensure continuous service
5 Ensure systems security
10 Manage problems and incidents
11 Manage data

S
S
S

S
S
S

Monitor and Evaluate

S

S
S
P

vin
gI
Tc
os
dis
td
as
eli
ter
ve
r
IT
ec
ry
go
ov
ery
ve
rna
a
nd
nc
Pr
e/I
bu
ote
sin
Ts
cti
es
tra
ng
sc
teg
da
Sta
on
ta
ic
nd
tin
ali
an
ard
uit
ds
gn
y
izi
m
y
ste
en
ng
t
ms
IT
sy
ste
ms
IT

S
P
P
S
S

P
S

S
S
P

P = Primary
S = Secondary

the link among business goals, IT goals and IT processes was a

difficult exercise for the interviewees, and that many of the
mentioned business and IT goals were generic. The given
examples of linking IT processes to IT goals and business
goals can provide guidance for in-house COBIT
implementations, more specifically in defining those IT
processes on which to focus.
Conclusions are tentative because they are based on a
limited set of arbitrarily chosen interviewees per sector. To
accredit more value to the results, a more detailed study is
needed based on in-depth case studies and a larger number of
respondents. Detailed research could provide more insight in
the cascade starting from high-level strategic business goals to
lower-level operational IT goals and processes. This cascade
would more closely represent a real-life business scenario.

Endnotes
1

S
S
S

S
S

P
S
S

P = Primary
S = Secondary

Related Reading

Business Goals
Being a caring organization for employees
Improving customer orientation and service
Improving operational excellence
Increasing profitability
Reducing operational cost

S
S
S
S

Information Systems Control Journal, volume 1, 2004. Weill,

P.; J.W. Ross; IT Governance: How Top Performers Manage
IT Decision Rights for Superior Results, Harvard Business
School Press, 2004.
2
IT Governance Institute, Board Briefing on IT Governance,
2nd Edition, 2003

pro
Im

IT

Go

als

1 Monitor the processes

Van Grembergen, W.; Strategies for Information Technology

Governance, Idea Group Publishing, 2003. Van Grembergen,
W.; S. De Haes; IT Governance and Its Mechanisms,

Broadbent, M.; P. Weill; Leveraging the New Infrastructure:

How Market Leaders Capitalize on Information Technology,
1998
Benson, J. R.; From Business Strategy to IT Action: Right
Decisions for a Better Bottom Line, 2004
Van Grembergen, W.; Strategies for Information Technology
Governance, 2004
IT Governance Institute, IT Governance Global Status Report,
2004

Authors Note:
Thanks to Erik Guldentops for sharing his ideas on the
ITAG Research Institute project and placing it in the context of
the further COBIT developments. The results of the research are
owned by ITGI and will be leveraged to improve the COBIT
framework, more specifically in linking COBIT processes to IT
goals and the IT goals to the business objectives and
governance processes that drive them.
Wim Van Grembergen
is professor and chair of the Information Systems Management
Department at the Economics and Management Faculty of the
University of Antwerp (Belgium) and executive professor at
the University of Antwerp Management School (UAMS)
(Belgium). Van Grembergen is engaged in the continuous

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005

IT
co
st
isa
de
ste
liv
rr
e ry
IT
ec
go
ov
ery
ve
rn a
a
n
nc
Pr
db
e/I
ote
us
Ts
cti
ine
tra
ng
ss
teg
da
Sta
co
ta
ic
nti
nd
a
a
nu
lig
nd
ard
ity
nm
sy
izi
s
en
ng
tem
t
IT
s
sy
ste
ms
IT
d

oa

Im
p

IT
G

ro v
ing

ls

Figure 6Most Frequently Mentioned IT Goals and COBIT Processes

Plan and Organize

1 Define a strategic IT plan
3 Determine technological direction
5 Manage the IT investment
9 Assess risks
10 Manage projects

P
S
P

P
P

P
P
P
P
P

P
P
S

Acquire and Implement

1 Identify automated solutions
2 Acquire and maintain application software
5 Install and accredit systems
6 Manage changes

S
S
S
S

S
S
S

P
P
S
S

S
S
S
P
P

Deliver and Support

1 Define and manage service levels
4 Ensure continuous service
5 Ensure systems security
10 Manage problems and incidents
11 Manage data

P
P
P
P

Monitor and Evaluate

1 Monitor the processes

development of the COBIT framework. He is also a member of

the Academic Relations Task Force of ISACA and is currently
conducting research projects for ISACA on IT governance. Van
Grembergen is a frequent speaker at academic and professional
meetings and conferences and has served in a consulting
capacity to a number of firms. He is a member of the board of
directors of IT companies, including an IT consultancy firm
and an IT firm servicing a Belgian financial group. Recently
he established at UAMS the ITAG Research Institute, which
aims to contribute to the understanding of IT alignment and
governance through research and dissemination of the
knowledge via publications, conferences and seminars
(www.uams.be/itag). He can be contacted at
wim.vangrembergen@ua.ac.be.
Steven De Haes
is responsible for the Information Systems Management
executive programs at UAMS. He is engaged in research in the
domain of IT governance and conducts research in this

P = Primary
S = Secondary

capacity for ISACA. Currently, he is preparing a Ph.D. on the

practices and mechanisms of IT governance. He has published
several articles on IT governance, most recently in the
Information Systems Control Journal, the Journal for
Information Technology Case Studies and Applications
(JITCA), and the proceedings of the Hawaiian International
Conference on System Sciences (HICSS). He can be contacted
at steven.dehaes@ua.ac.be.
Jan Moons
is research assistant at the Management Information Systems
Department of the University of Antwerp. He has several
teaching assignments and is working on a Ph.D. in this domain.
He is engaged in specific research assignments of the ITAG
Research Institute of the University of Antwerp Management
School.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005