Assessing the level of information technology (IT) processes performance and capability maturity in the Philippine food, beverage, and tobacco (FBT) industry using the CobiT framework.
Tugas, Florenz C.
INTRODUCTION
The advent of information technology has significantly influenced
and changed how businesses are being managed and monitored today
(Hunton, Bryant & Bagranoff, 2004). It has brought both positive and
negative impacts to the business world. As such, the term "double-edged
sword" is often used to describe it.
To ensure smooth management of the new business set-up, the concept
of corporate governance was redesigned to include information technology
as a major part of it. New governance and internal control frameworks
came up just for this concern to be addressed. This resulted in an
increased awareness that IT governance is a major ingredient in
achieving every organization's goal of value creation.
In spite of the availability of new governance and internal control
frameworks, many organizations still compromised their going concern
because of poor enterprise-wide governance. The collapse of Enron in
2002 and the recent 2009 Satyam scandal in India are among the proofs of
this predicament. Much more alarming is that in 2008, Satyam was the
winner of the coveted Golden Peacock Award for Corporate Governance
under Risk Management and Compliance Issues. Because of this, the
awareness for both corporate and IT governance must be heightened and
taken more seriously.
THE STATE OF THE FBT INDUSTRY
Over the last few years, the global food, beverage and tobacco
(FBT) industry group has exhibited modest growth, with growth
particularly low in the tobacco and beverage markets. The industry group
generated total revenues of $4,140.3 billion in 2005, representing
a compound annual growth rate (CAGR) of 2.9% for the five-year period
spanning 2001-2005 (Datamonitor, 2006).
[FIGURE 1 OMITTED]
The leading revenue source for the global FBT industry group is the
sale of food products, which generated total revenues of $2,634.3
billion in 2005, equivalent to 63.6% of the overall industry value. In
comparison, beverage sales accounted for $1,035.4 billion in 2005, which
represents 25% of the industry value. However, the increasing global
population will drive demand up, while rising income levels in many
economies allow increased spending on added-value processed, packaged,
and luxury items in this category. The global consumption volumes of
tobacco are steadily falling, as the health risks become more widely
understood, although in some countries, such as India, volume growth
remains positive (Datamonitor, 2006).
But looking forward, the global FBT industry group is expected to
accelerate from its current value growth position. With an anticipated
CAGR of 3% over the 2005-2010 period, the industry is expected to reach
a value of $4,805.5 billion by the end of 2010. The drivers operating
during the last five years are set to persist for the next five
(Datamonitor, 2006).
In the Philippines, the FBT industry belongs to the industrial
sector. There are 23 publicly-listed companies under the FBT industry
(Philippine Stock Exchange (PSE), 2009). It is a highly regulated
industry, particularly the tobacco companies. A study by RNCOS in New
Delhi on September 13, 2008 on the Philippine FBT Market Forecast until
2011 showed the patterns in consumption behavior in the different food
segments. The study indicated five key results about the sub-industry:
(1) because of the strong increase in consumer expenditure during 2001
to 2006, a rise of 7.5% is also expected from 2007 to 2011; (2) the
increase in the working hours of employees, increase in number of
employees and diverse eating habits have led to a high consumption of
ready-to-eat meals; (3) the demand for organic food will increase at a
growth rate of 10% to 20% because of the growing middle class population;
(4) an increase in disposable incomes and demand for imported alcoholic
beverages; and (5) there is an inadequate water supply and healthy
drinking concerns that have resulted in the growth in the bottled water
industry (Dy, Ha, Gan & Alba, 2009).
DEPENDENCE OF FBT COMPANIES ON IT
According to Siethe and King (1994), in the market where the
existence of perfect competition restricts generation of a reasonable
profit, successful implementation of IT systems plays a crucial role in
order for organizations to maintain a competitive standing.
Since all the major players in the FBT industry group source
ingredients and sell their products all over the world, the current high
oil prices are significantly increasing transportation costs by way of
inflated petroleum prices. Companies have begun to combat such problems
by driving efficiency within their regional distribution networks. By
monitoring demand within a particular global region, companies have been
able to minimize transportation, thus mitigating their exposure to these
rising costs (Datamonitor, 2006).
The use of information technology to manage its supply chain and
distribution channels can be viewed as an opportunity in this case
(Romney & Steinbart, 2008). Likewise, the heightened regulation set
by the Bureau of Internal Revenue in terms of point-of-sale (POS)
registers for FBT companies also presents an opportunity for IT to be
maximized. Because of this, to support the expected increase in consumer
expenditure, the IT infrastructure and utilization is expected to cater
to the growing volume of transaction processing to support daily
business operations.
VALUE OF INVESTING IN IT
Investing in IT aids in surpassing competition by improving
productivity, profitability, and quality of operations (Devaraj &
Kohli, 2003). Likewise, according to a study conducted by Dewan and
Kraemar (2000), when the World Bank provided assistance amounting to $1
billion annually to companies which want to invest in developing their
existing systems, it turned out that the gross domestic product (GDP)
growth of countries wherein there is a rampant utilization of IT systems
is considerably higher compared to the GDP growth of countries where
companies are non-IT users.
But according to a study conducted by Willcocks and Lester (1997),
investment in IT systems alone does not assure companies that they will
reap the full benefits that these systems promise. Instead, it is
accompanied by the danger that improper application of such could be
detrimental to the organization. With this, there is more reason to
ensure IT governance, and more specifically to ensure its alignment
with business strategy.
IT GOVERNANCE: A FOCUS ON COBIT
According to Simonsson and Johnson (2006), the existing literature
on IT governance has inherited much from the discipline of corporate or
enterprise governance but it has been able to develop itself into a
discipline of its own (Dy, Ha, Gan & Alba, 2009). This is evidenced
by several professional groups and organizations created for the purpose
of establishing new internal control frameworks that primarily focus on
IT governance.
Information Systems Audit and Control Association (ISACA) is one of
the professional groups established for this purpose. In 1998, the
Information Systems Audit and Control Association (ISACA) established
the Information Technology Governance Institute (ITGI) to advance
international thinking and standards in directing and controlling an
enterprise's information technology (ITGI, 2007). The institute
exists to clarify and provide guidance on current and future issues
pertaining to IT governance, control, and assurance (Hunton, Bryant
& Bagranoff, 2004). The framework that this institute developed
emphasizes that an organization first sets its objectives, and then
follows a continual process in which performance is measured and
compared against those objectives. One of its products is the Control
Objectives for Information and related Technology (CobiT) which provides
guidance on IT governance by setting the structure that links IT
processes, IT resources, and information to enterprise strategies and
objectives. While CobiT was once a tool primarily for auditors to use,
the increasing criticality of IT governance has caused it to evolve into
a management resource (Hunton, Bryant & Bagranoff, 2004).
Though at present there is still a lack of consensus on how IT
governance is viewed, CobiT is the most renowned framework for support
of IT governance concerns. It is based on best practice, focusing on the
processes of the IT organization and how its performance can be assessed
and monitored. This framework is maintained by an independent,
not-for-profit research institute, drawing on the expertise of its
affiliated association's members, industry experts, and control and
security professionals. Its content is based on ongoing research into IT
good practice and is continuously maintained, providing an objective and
practical resource for all types of users. It provides good practices
across a domain and process framework and presents activities in a
manageable and logical structure. However, it is important to emphasize
that the CobiT framework is a model of IT governance only and not of
the organization as a whole (ITGI, 2007).
CobiT defines IT activities in a generic process model with four
domains and 34 generic control processes. These domains are Plan and
Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and
Monitor and Evaluate (ME). The domains map to IT's traditional
responsibility areas of plan, build, run, and monitor (ITGI, 2007). PO
domain covers strategy and tactics, and concerns the identification of
the way IT can best contribute to the achievement of the business
objectives. AI domain addresses the aptness and likelihood of providing
solutions that will meet business needs. DS domain is concerned with the
actual or physical delivery of required services, which includes service
delivery, management of security, and continuity, service support for
users, management of data and operational facilities. ME domain
addresses performance management, monitoring of internal control,
regulatory compliance and governance. Across these four domains, CobiT
has identified 34 IT processes where links are made to the business and
IT goals that are supported (ITGI, 2007). The four domains and 34 IT
processes largely represent a comprehensive dimension of an
organization's IT processes performance and capability that needs
to be managed.
[FIGURE 2 OMITTED]
Moreover, the United States (US) Securities and Exchange
Commission (SEC) mandated the use of a standard internal control
framework established by a body or group that has gone through
due-process procedures, including the wide distribution of the framework
for public comment, and made particular mention of the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal
Control--Integrated Framework, which was issued in 1992. COSO is widely
accepted as the authority on internal controls and is incorporated into
policies, rules, and regulations that are used to control business
activities (Romney & Steinbart, 2008) and CobiT is the generally
accepted internal control framework for IT (ITGI, 2007). Using the CobiT
framework, an organization can devise a system of IT controls to conform
with Section 404: Management's Report on Internal Control over
Financial Reporting (Yu, Rogacion, Perez & Lichengyao, 2006).
Furthermore, the Public Company Accounting Oversight Board (PCAOB)
Auditing Standard No. 2 states that because of the frequency with which
management of public companies is expected to use COSO as the framework
for the assessment, the directions in the proposed standard are based on
the COSO framework.
VALUE OF IT GOVERNANCE
The huge amount of capital expenditures in IT systems emphasizes
the importance of proper governance in organizations. Once this is
achieved, the full potential of IT is maximized. The single most
important determinant of whether an organization will gain the full
value of IT is through an effective IT governance structure (Robinson,
2005).
Melnicoff (2002) highlighted various benefits of investing in
effective IT governance. First, it adds value to the business. Effective
IT governance takes into account the rate changes of the industry where
the business belongs. The governance could also add value by providing
the company with a competitive advantage. Another advantage involves the
concept of accountability. Lines of responsibility among different
management positions would be clear since authorizations of IT decisions
are defined. Moreover, Melnicoff (2002) provides that an effective,
business-specific IT governance model is an essential tool for
executives struggling with the challenge of leveraging the full
potential of IT as a generator of sustainable business value. It allows
top managers to readily evaluate their company's existing
governance structure and to determine if the IT environment needs to be
altered (Dy, Ha, Gan & Alba, 2009).
COBIT AND THE MATURITY MODEL
Companies need an objective measure to assess where they are and
identify where improvement is required. Answers to this are provided by
CobiT by means of benchmarking of IT process performance and capability,
expressed as maturity models, derived from the Software Engineering
Institute's Capability Maturity Model (CMM), goals and metrics of
the IT processes to define and measure their outcome and performance
based on the principles of Kaplan and Norton's balanced business
scorecard, and activity goals for getting these processes under control,
based on CobiT's control objectives (ITGI, 2007).
The three dimensions of process maturity are capability, coverage,
and control as illustrated in figure 3 (ITGI, 2007).
[FIGURE 3 OMITTED]
The three-dimension model is a way of measuring how well developed
management processes are. How well developed or capable they should be
primarily depends on the IT goals and the underlying business needs they
support. How much of that capability is actually deployed largely
depends on the return the enterprise wants from the investment. On the other
hand, the degree and sophistication of controls that need to be applied
in a process are more driven by the enterprise's risk appetite and
applicable compliance requirements (ITGI, 2007).
CobiT provides maturity models to enable benchmarking and
identification of necessary capability improvements. Maturity modeling
for management and control over IT processes is based on a method of
evaluating the organization, so it can be rated from a maturity level of
non-existent (0) to optimized (5). This approach is derived from the
maturity model that the Software Engineering Institute (SEI) defined for
the maturity of software development capability. Although concepts of
the SEI approach were followed, the CobiT implementation differs
considerably from the original SEI, which was oriented toward product
engineering principles, organizations striving for excellence in these
areas and formal appraisal of maturity levels so that software
developers could be "certified" (ITGI, 2007). The maturity
models primarily focus on how well a process is managed.
The CobiT maturity levels are designed as profiles of IT processes
that an enterprise would recognize as descriptions of possible current
and future states. They are not designed for use as a threshold model,
where one cannot move to the next higher level without having fulfilled
all conditions at the lower level. The maturity models primarily focus
on how well a process is managed. With CobiT's maturity models,
unlike the original SEI CMM approach, there is no intention to measure
levels precisely or try to certify that a level has exactly been met. A
CobiT maturity assessment is likely to result in a profile where
conditions relevant to several maturity levels will be met (ITGI, 2007).
The right maturity is influenced by the enterprise's business
objectives, the operating environment and industry practices.
Specifically, the level of management maturity depends on the
enterprise's dependence on IT, its technology sophistication and
the value of information (ITGI, 2007).
BENCHMARKING
Robert Camp (1989) developed a 10-step model moving sequentially
through four phases. Kearns, alongside, defined benchmarking as the
continuous process of measuring products, services, and practices
against toughest competitors or those companies recognized as industry
leaders (Moriarty, 2008). Watson (1993) views benchmarking as a
continuous process that searches for and applies significantly better
practices for the purpose of achieving superior competitive performance
(Moriarty, 2008). Yu, Rogacion, Perez and Lichengyao (2006) defined
benchmarking as a comprehensive technique that can be used to identify
operational and strategic gaps, and to look for best practices that
eliminate such gaps. Benchmarking has an "internal dimension"
whereby the organization critically examines itself searching for best
practices and an "external dimension" whereby the organization
explores its industry and other relevant areas outside of its own
industry in order to identify those best practices that may be
applicable in its own operating environment (Yu, Rogacion, Perez &
Lichengyao, 2006).
Moreover, Watson (1993) provided another perspective of
benchmarking. This unconventional perspective approaches benchmarking as
a process of organizational adaptation, not adoption--not simply a
question of copying others, but learning how to improve by sharing ideas
(Moriarty, 2008).
PREVIOUS STUDIES
The 2008 IT Governance Global Status Report, a study conducted
by ITGI through PricewaterhouseCoopers (PwC), revealed that though the
importance of IT continues to increase and organizations know who can
help them implement IT governance, appreciation for the available
expertise and delivery capability is only average. But on a positive
note, 92% of IT users are aware of problems with the use of IT and the
need to do something about them and 88% of the same IT user community
recognizes that IT governance is the solution.
Moreover, separate studies on IT practices conducted by Yu,
Rogacion, Perez and Lichengyao (2006) and Acosta, Samson, Tan and Tecson
(2009) yielded maturity scores of 2.97 and 2.70 for listed expanded and
non-expanded commercial banks and selected life insurance companies in
the Philippines, respectively.
Yu, Rogacion, Perez and Lichengyao (2006) developed a 167-item survey
instrument that was taken from the four domains and 34 IT processes of the CobiT
framework with the level of perceived importance as an added dimension
to at least compensate, indirectly, for the level of centrality of IT to
business operations and the level of IT to business strategy. The level
of importance served as the weight to get a more accurate assessment of
the IT practices. The survey instrument was a product of classroom
conceptual inputs under the researcher's tutelage and was validated
with a select group of IT Security and Audit Practitioners using the
Delphi Method. The results of the study were further validated by
practitioners in the banking industry and were presented to the
Accountancy department of the De La Salle University (DLSU).
Nonetheless, the following trends were identified in the study of
Yu, Rogacion, Perez and Lichengyao (2006): (1) overall fair ME domain
was due to consistency of performance; (2) fair score of the DS domain
was largely attributable to outliers; (3) high absolute score of the AI
domain was somewhat attributable to outliers; (4) consistent low
performance in the PO processes and low overall performance for the PO
domain; (5) overall industry strength in core operations processes; (6)
overall strategic weakness in strategic processes; (7) decentralization
of managing IT resources and processes leads to lower overall IT
governance maturity; and (8) poor performance in earlier domains in the
IT governance life cycle leads to poor performance in related processes
in subsequent domains.
EXCLUSION OF OUTLIERS
The study of Yu, Rogacion, Perez and Lichengyao (2006) considered
the effect of outliers in the results. Outliers are points of data that
lie outside of the range of reasonably expected values. Based on the
concept of the Capability Maturity Model Integration (CMMI), in the area
of IT governance maturity in the Philippine financial services industry,
no firm has yet achieved the Managed and Optimized levels. In the
latest appraisal dated December 15, 2005, the organizations which were
identified as having achieved the Managed level and which were
identified as candidates for the Optimized level in the future do not
include the banks within the population of the study of Yu, Rogacion,
Perez and Lichengyao (2006). The list also did not include the companies
in the Philippine FBT industry.
RESEARCH PROBLEM AND SIGNIFICANCE
A shortcoming recognized in the previous studies conducted by Yu,
Rogacion, Perez and Lichengyao (2006) and Acosta, Samson, Tan and Tecson
(2009) was the non-conclusiveness of their findings with respect to the
industries chosen.
By making use of 22 (of which 21 responded) out of 23 (one was
excluded) publicly-listed companies in the FBT industry, this study
provides a comprehensive assessment of the current level of IT processes
performance and capability maturity.
Furthermore, this study provides answers to the following
questions:
1. What are the industry's key strengths?
2. What are the industry's weaknesses and what are the reasons
behind these?
3. How does the industry fare with respect to other industries?
4. What maturity level does the industry need to be at and how can
it get there?
Moreover, one of the short-term plans of the Philippine government
is to create a new executive office that caters specifically to the
information and communication technology issues that face the country.
This research study has the potential to provide a globally accepted
direction in terms of assessing IT management maturity levels of the
local government units and the national agencies.
ASSUMPTIONS AND SCOPE
This study is working under the assumption that the survey
instrument adopted passed instrument validation and the assessments
provided by the respondents generally represent the current states of
how IT processes are managed in their respective companies and that they
are aware of the level of centrality of IT to business operations and the
level of centrality of IT to business strategy. Variables not covered in
the operational framework are excluded from the scope of this study.
Likewise, quantitative techniques applied are not intended to be
mathematically rigorous but are used primarily to aid in the qualitative
analysis. Companies not publicly listed under the FBT industry are also
excluded from the scope of this study.
FRAMEWORK OF ANALYSIS
This study is grounded on benchmarking theory by Robert Camp
(1989) and the IT processes performance and capability maturity of the
CobiT framework with the level of importance as an additional dimension
to indirectly address the level of centrality of IT to business
operations and the level of IT to business strategy.
[FIGURE 4 OMITTED]
Benchmarking takes place in two phases: (1) it begins as the search
for best practices, and (2) culminates with mapping of current practices
to these established best practices. According to Camp (1989), the
process of benchmarking is divided into 10 steps (table 1) which
progress through four phases.
The steps applicable to this research study are steps one to six,
encompassing planning, analysis, and integration phases of Camp's
general methodology. Phase four, the Action phase, constitutes the use as
intended of the results of the study by the companies in the FBT
industry.
The maturity level of an organization presents a means to foresee
the future performance of an organization contained by a certain
discipline or set of disciplines. Practice has revealed that
organizations do their best when they concentrate their
process-improvement efforts on a controllable number of process areas
that entail more and more sophisticated effort as the organization
improves. A maturity level is a definite evolutionary table of process
improvement. Each maturity level evens out a significant fraction of the
organization's processes. The maturity levels are determined by the
accomplishment of the specific and general goals that relate to each
pre-defined set of process areas. There are six maturity levels, each a
layer in the base for constant process improvement (ITGI, 2007).
The first step in improving a process is to know the limits of the
process to be improved. The process could be any process and it will be
a mixture of people, tools, technologies, and methods used to finish a
job. Once the operational entity is definite, a clear understanding of
the operational entity's principle and objectives directs
improvement efforts. A lot of times, the principle and objectives are
maintained in strategic planning documents. A clear understanding of the
principle and objectives will maintain improvement efforts next to
strategic needs and will keep away from burning up significant resources
on improvement efforts that don't contribute to those needs.
Together with understanding the operational entity's objectives, it
is essential to understand how to know if objectives are achieved. The
objectives of an operational entity are defined first so that some level
of confirmation can be performed to verify that improvement efforts help
to achieve those objectives. If the operational entity requiring
improvement is known and its point is clearly understood, limits and
risks are more simply identified and attended to. The present state of
the operational entity could be measured against its objectives to
identify current and possible barricades to attaining those objectives.
Improvement plans would then be made and applied to deal with these
hindrances. Operational process improvement using this maturity type
model is just an organized approach to naming and addressing these
limits and risks and improving the operational entity to more
successfully attain its objective (Camp, 1989).
IT processes performance and management capability is interpreted
using six levels of maturity (figure 5): 0 for non-existent, 1 for
initial/ad hoc, 2 for repeatable but intuitive, 3 for defined process, 4
for managed and measurable, and 5 for optimized. This is best viewed as
a guide on how enterprises can evolve from a non-existent to an optimized
process.
[FIGURE 5 OMITTED]
Table 2 briefly explains each maturity level according to
CobiT's generic model of maturity (ITGI, 2007).
The advantage of a maturity model approach is that it is relatively
easy for management to place itself on the scale and appreciate what is
involved if improved performance is needed. The scale includes 0 because
it is quite possible that no process exists at all. The 0 to 5 scale is
based on a simple maturity scale showing how a process evolves from a
non-existent capability to an optimized capability (ITGI, 2007).
RESEARCH METHODOLOGY
Applying the first six steps of Camp's benchmarking model, the
first step of the model is complete at this point. The second step is
the identification of participating companies. After discussing the
survey instrument in class, students in Computer Information Systems
(CIS) were grouped, and each group was tasked to identify one
publicly-listed company belonging to the FBT industry as a requirement for the
course. The researcher took care of other companies not chosen by the
groups.
Twenty-three publicly-listed companies composing the Philippine FBT
industry were considered. Out of the 23, one company was automatically
removed because its business office is not located in the National
Capital Region or Metro Manila. All 22 companies were invited to
participate.
Step three is the determination of data collection method and
collection of data. The design of the survey instrument was based on the
four domains and 34 processes of the CobiT framework with a level of
importance scale on the left-hand side of every item. The latter served
as the weight per process in computing the maturity score. The
researcher, with the help of CIS students, gathered primary data through
the administration of a 167-item survey instrument developed by Yu,
Rogacion, Perez and Lichengyao (2006). One company refused to
participate and two companies did not continue to answer the survey
instrument due to absence of formal IT processes in place.
Automatically, the latter two companies were given a maturity score of
0.
Step four is the determination of current maturity levels.
Accomplished survey tools were tallied per domain and summarized for
each company. Likewise, maturity scores of each company were summarized
per domain and per overall total to determine the industry's
current maturity score. Likewise, profiles of the respondents and the
participating companies were also considered in this step.
Step five involves in-depth analysis to develop recommendations.
This was accomplished by analyzing process-level and domain-level
results and drawing implications to identify opportunities for
industry-wide IT processes management maturity level improvement.
Similar to the study of Yu, Rogacion, Perez and Lichengyao (2006), the
researcher also excluded outliers. Companies that were assessed
(overall) with managed level score (4.0) or higher were considered
outliers in accordance with the appraisal conducted by CMMI in 2005.
Data collected and tabulated were tested for normality using Stata's
sktest before the obtained values and adjusted values were subjected to
t-test to determine the significance of differences between them, both
per domain and per overall maturity score, using PHStat. Since the
quantitative equivalents of the six levels in CobiT's maturity
model are all whole numbers, the overall maturity scores of both
obtained value and adjusted value were compared to the whole number
equivalent of the assessed level and likewise tested for significance of
differences using PHStat. This was done to ensure that the maturity
score as assessed is indeed the maturity level of the industry as per
CobiT's maturity model.
The conclusion and recommendations at this point were reviewed to
ascertain that overall results would be value-adding and that the
recommendations are practicable before final results were sent to the
participating companies. IT auditors' and practitioners'
validation was sought to carry out this sixth step.
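
The scoring, outlier-exclusion and testing steps described above, as an added Python example that is not part of the original study. It assumes the importance weight enters as a weighted arithmetic mean (the paper gives no formula), and every company name, weight and rating is constructed.

```python
"""Importance-weighted maturity scoring with outlier exclusion (constructed data)."""
from math import sqrt
from statistics import mean, stdev

DOMAINS = ("PO", "AI", "DS", "ME")
OUTLIER_THRESHOLD = 4.0  # overall "managed" score or higher is treated as an outlier
ASSESSED_LEVEL = 2.0     # whole-number maturity level the means are tested against

# Constructed responses: company -> list of (domain, importance weight, rating 0-5).
# The real instrument has 167 items; one item per domain keeps the arithmetic visible.
SURVEY = {
    "Company A": [("PO", 4, 1), ("AI", 2, 3), ("DS", 2, 3), ("ME", 2, 2)],
    "Company B": [("PO", 2, 2), ("AI", 4, 3), ("DS", 2, 3), ("ME", 2, 2)],
    "Company C": [("PO", 5, 4), ("AI", 5, 5), ("DS", 5, 5), ("ME", 5, 4)],
    "Company D": [],  # no formal IT processes in place: scored 0
    "Company E": [("PO", 5, 1), ("AI", 1, 3), ("DS", 2, 2), ("ME", 2, 1)],
}


def weighted_score(items, domain=None):
    """Weighted mean rating, sum(w*r)/sum(w) (assumed formula); 0.0 when no items."""
    picked = [(w, r) for d, w, r in items if domain is None or d == domain]
    total_weight = sum(w for w, _ in picked)
    if total_weight == 0:
        return 0.0
    return sum(w * r for w, r in picked) / total_weight


def overall_scores(survey):
    """Overall maturity score per company across all domains."""
    return {name: weighted_score(items) for name, items in survey.items()}


def split_outliers(scores, threshold=OUTLIER_THRESHOLD):
    """Separate companies at or above the outlier threshold from the rest."""
    kept = {n: s for n, s in scores.items() if s < threshold}
    outliers = {n: s for n, s in scores.items() if s >= threshold}
    return kept, outliers


def domain_means(survey, companies):
    """Industry mean per domain over the given companies."""
    return {
        d: mean([weighted_score(survey[c], d) for c in companies])
        for d in DOMAINS
    }


def t_statistic(values, mu0=ASSESSED_LEVEL):
    """One-sample t statistic and degrees of freedom for H0: mean equals mu0."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two scores for a t-test")
    s = stdev(values)
    if s == 0:
        raise ValueError("scores are identical; t statistic is undefined")
    return (mean(values) - mu0) / (s / sqrt(n)), n - 1


def assess(survey):
    """Obtained and adjusted industry scores, as in steps four and five."""
    scores = overall_scores(survey)
    kept, outliers = split_outliers(scores)
    t, df = t_statistic(list(kept.values()))
    return {
        "obtained_mean": mean(scores.values()),
        "adjusted_mean": mean(kept.values()),
        "outliers": sorted(outliers),
        "adjusted_domain_means": domain_means(survey, kept),
        # Upper-tail test: compare t with the critical value for df from a t table.
        "t_vs_assessed_level": t,
        "df": df,
    }


if __name__ == "__main__":
    for key, value in assess(SURVEY).items():
        print(f"{key}: {value}")
```
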
RESULTS, DISCUSSION AND CONCLUSION
The respondents were composed of senior technical managers, wide
area network (WAN) and data administrators, management information
systems managers, and corporate IT managers. Based on the 2008 audited
financial reports obtained from the PSE website, the total assets of
publicly-listed companies in the FBT industry range from P237 million to
P339 billion. Of the industry's total assets of P579 billion,
98.34% was from the respondent-companies. Of the 21
respondent-companies, 18 were audited by a Big 4 firm.
The FBT industry registered a 2.52 maturity score but removing the
outliers as employed in the study of Yu, Rogacion, Perez and Lichengyao
(2006), the FBT industry would have an adjusted maturity score of 2.05.
The sets of data used in computing for both means passed the normality
test. To determine the significance of differences between the overall
and per domain obtained and adjusted maturity scores, they were
subjected to two-tail t-test using 0.01 level of significance.
At 0.01 level of significance, the null hypotheses could not be
rejected. Thus, the overall and per domain obtained and adjusted means
do not significantly differ from each other. Though the removal of
outliers does not result in any significant difference in the maturity
score, such would make identification of the maturity level easier as
the adjusted maturity score is nearer to a maturity level that is
denoted by a whole number.
To ensure further that the overall obtained and adjusted means do
not significantly differ with respect to the maturity level assessed at
2.0, they were subjected to an upper-tail t-test at the 0.01 and 0.05
levels of significance.
At the 0.01 level of significance, the null hypotheses could not be
rejected. But at the 0.05 level of significance, only the adjusted mean
hypothesis could not be rejected. It is at this point that removal of
the outliers has a significant effect on the determination of the
maturity level. The adjusted maturity score of 2.05 is closer to level
2, denoted by the whole number 2.0, than the obtained maturity score of
2.52. It is, therefore, safer to say that the FBT industry is currently
at level 2 using the adjusted mean.
As such, the adjusted figures, with lower standard deviation, would
be used in the subsequent analysis and discussion of the results.
[FIGURE 6 OMITTED]
In the PO domain, the industry scored the highest (2.42) in
managing IT human resources (PO7) and the lowest (1.52) in defining the
information architecture (PO2). The PO7 score, though not that high, can
be attributed to the local laws enforced that govern recruitment,
training, promotion, and termination practices. The PO2 score can be
attributed to the communication problems between business and IT.
In the AI domain, the industry scored the highest (2.60) in
procuring IT resources (AI5) and the lowest (2.01) in maintaining
technology infrastructure (AI3). The AI5 score can be attributed to
procurements that management is fully aware of but the AI3 score is an
indication that once these resources are procured, less emphasis is
given to their maintenance thereby reducing efficiency of use over time.
In the DS domain, the industry scored the highest (2.55) in
managing problems (DS10) and the lowest (1.58) in ensuring continuous
service (DS4). The DS10 score tends to compensate for the low AI3
score; poor maintenance means more problems to manage. Because of this,
continuous service (DS4) is compromised since most of the resources are
used up in troubleshooting.
In the ME domain, the industry scored the highest (2.12) in
ensuring regulatory compliance (ME3) and the lowest (1.51) in monitoring
and evaluating IT performance (ME1). The ME3 score, though not that
high, can be attributed to the awareness of potential financial
liability once regulations are not complied with. But this still
indicates a lack of full understanding of all issues related to these
requirements. Moreover, the low score in ME1 can be attributed to the
costs related to monitoring controls and the absence of a culture geared
toward continuous improvement.
On a domain level, the FBT industry scored the highest (2.26) in
Acquire and Implement and the lowest (1.83) in Monitor and Evaluate. The
high score in AI domain can be attributed to the anticipated compound
annual growth rate of 3% over the 2005-2010 period in the FBT industry.
This increasing demand tends to compel companies to provide solutions
that will meet business needs through IT initiatives. Slowly, these
companies should view this as an opportunity to grow and maximize the
use of their existing IT infrastructures. This result is consistent with
the study of Yu, Rogacion, Perez and Lichengyao (2006) and that of
Acosta, Samson, Tan and Tecson (2009). Banks and selected life insurance
companies also scored the highest (3.17 and 2.86, respectively) in this
domain.
The low score in the ME domain is not consistent with the maturity
scores obtained by Yu, Rogacion, Perez and Lichengyao (2006). Banks
scored 2.97 in this domain and 2.73 in the PO domain, its lowest. But
this low score is consistent with that of Acosta, Samson, Tan and Tecson
(2009). Selected life insurance companies scored 2.53 in this domain.
Though both banking and FBT industries are regulated (tobacco, in
particular), banking regulations tend to be more established,
structured, and implemented. The Bangko Sentral ng Pilipinas (BSP),
which oversees and monitors strict compliance with these regulations,
plays a huge part in this. In addition, the BSP has a dedicated group
that supervises and examines solely the IT component of the banking
industry. Such a set-up, though it may exist in the FBT industry, tends
not to be strictly followed and observed.
Moreover, analyzing the results by identifying the number of IT
processes that scored below the adjusted maturity score in each domain,
the PO domain has three out of 10 (30%), the AI domain has three out of
seven (43%), the DS domain has six out of 13 (46%), and the ME domain
has two out of four (50%). In the PO domain, these are defining the
information architecture, managing quality, and assessing and managing
IT risks. In the AI domain, these are acquiring and maintaining
application software and technology infrastructure, and installing and
accrediting solutions and changes. In the DS domain, these are managing
third party services, ensuring continuous service, identifying and
allocating costs, educating and training users, managing the
configuration, and managing operations. In the ME domain, these are
monitoring and evaluating IT performance and providing IT governance.
Among the generic IT processes, ME1 has the lowest score of 1.51 and AI5
has the highest score of 2.60.
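The per-domain counts above can be recomputed from the scores in Exhibit A. This is an added example, not part of the original paper; it assumes the benchmark is each domain's own adjusted mean rounded to two decimals as reported in Table 3, and that the overall score is the mean of the four domain means, because those choices reproduce the reported figures. All function names are hypothetical.

```python
from statistics import mean

# Adjusted maturity scores transcribed from Exhibit A of this paper.
EXHIBIT_A = {
    "PO": {"PO1": 2.25, "PO2": 1.52, "PO3": 2.15, "PO4": 2.40, "PO5": 2.26,
           "PO6": 2.30, "PO7": 2.42, "PO8": 1.67, "PO9": 1.79, "PO10": 2.15},
    "AI": {"AI1": 2.48, "AI2": 2.07, "AI3": 2.01, "AI4": 2.26, "AI5": 2.60,
           "AI6": 2.35, "AI7": 2.07},
    "DS": {"DS1": 2.19, "DS2": 1.91, "DS3": 2.03, "DS4": 1.58, "DS5": 2.28,
           "DS6": 1.83, "DS7": 1.68, "DS8": 2.15, "DS9": 1.89, "DS10": 2.55,
           "DS11": 2.12, "DS12": 2.03, "DS13": 2.01},
    "ME": {"ME1": 1.51, "ME2": 1.94, "ME3": 2.12, "ME4": 1.76},
}


def domain_mean(domain):
    """Domain score rounded to two decimals, the precision used in Table 3."""
    return round(mean(EXHIBIT_A[domain].values()), 2)


def overall_score():
    """Assumption: overall score = mean of the four domain means."""
    return round(mean(mean(p.values()) for p in EXHIBIT_A.values()), 2)


def pooled_score():
    """Alternative aggregation: mean over all 34 processes, for comparison."""
    return round(mean(s for p in EXHIBIT_A.values() for s in p.values()), 2)


def below_domain_mean(domain):
    """Processes strictly below their domain's rounded mean, weakest first.

    Assumption: the comparison uses the rounded mean. AI4 (2.26) equals the
    rounded AI mean and so is not counted, which matches the paper's count.
    """
    cutoff = domain_mean(domain)
    scores = EXHIBIT_A[domain]
    return sorted((p for p, s in scores.items() if s < cutoff),
                  key=lambda p: scores[p])


def extremes():
    """(lowest, highest) scoring process across all domains."""
    flat = {p: s for d in EXHIBIT_A.values() for p, s in d.items()}
    return min(flat, key=flat.get), max(flat, key=flat.get)


def gap_report():
    """Per domain: (mean, processes below mean, share of domain below mean)."""
    report = {}
    for domain, scores in EXHIBIT_A.items():
        below = below_domain_mean(domain)
        report[domain] = (domain_mean(domain), below,
                          round(len(below) / len(scores), 2))
    return report


if __name__ == "__main__":
    for domain, (avg, below, share) in gap_report().items():
        print(f"{domain}: mean={avg:.2f} below={below} ({share:.0%})")
    print("overall:", overall_score(), "pooled:", pooled_score())
    print("lowest/highest:", extremes())
```

Pooling all 34 process scores gives a slightly different overall figure than averaging the four domain means, so the aggregation rule should be fixed before comparing maturity scores across studies.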
The overall maturity score of the FBT industry is 2.05. This is an
indication that the IT processes performance and capability maturity
level in the Philippine FBT industry is repeatable but intuitive. This
maturity score is below the maturity scores of banks and selected life
insurance companies as assessed by the two previous studies. Banks and
life insurance companies are under compliance reporting with specific
laws that make them control- and risk-sensitive. Likewise, the nature
and the core business of these two industries highly involve the
processing of information and reports that are mission-critical,
sensitive, and crucial. It follows, therefore, that to be able to cope
with these, they should maximize the use of IT. The FBT industry, on the
other hand, has its core business processes in the manufacturing and the
delivery of a tangible good. Though, at present, there have been trends
of automating production lines, the industry is still in the
transitional stage even though companies in this industry have been
in existence, on average, for more than 15 years.
As companies in the FBT industry aim for a higher maturity level,
they usually just stick to a repeatable but intuitive process first.
This maturity level is only temporary as these companies may choose to
improve on their internal setup. A reason why companies undergo this
level is the absence of a concrete set of formal procedures on how
processes are performed. IT procedures are usually established by
middle- or low-level management. However, if new processes are set, then
it would only follow that the proper procedures are yet to be
established for these new processes. Having the proper IT processes is a
matter of discovery for most companies. Then they will realize that
these become the best practices. It then takes numerous revisions to the
manuals before the most effective and efficient means of executing the
process is discovered. With this, it takes a while for a company to
reach the level where defined IT processes are already documented, in
place, and practiced.
RECOMMENDATIONS
But companies in the FBT industry may fast-track reaching the next
immediate level. To move to the next level, companies need to: (1)
continually refine a common language for goal setting, stating these
goals in business terms so that IT process improvement measures are well
understood by senior management and enterprise stakeholders; (2) make
annual planning a cross-organizational team effort where the common goal
is maximizing IT value delivery and managing IT-related risks, which
includes regular steering group evaluation and assessment of IT
capabilities and of completed projects, and of whether or not these have
delivered real improvements to performance; and (3) develop meaningful
service level agreements for both internal services to users and
external service providers.
Further, in the longer run, there is also a need to: (1) achieve
full transparency of IT activities, so that senior management has
complete confidence in the strategic role of IT and in how decisions are
made; (2) fully optimize the direction of IT activities toward real
business priorities, so that the value being delivered to the enterprise
can be measured and steps can be taken on a timely basis to correct
significant deviations or problems; (3) have a standardized performance
measurement process, such as a balanced scorecard, that is fully
understood and embraced by the organization; (4) have the practice of
continuous improvement of IT capability embedded in the culture,
including regular external benchmarking and independent audits that
provide positive assurance to management, with the cost of IT monitored
effectively so that the organization is able to achieve optimal IT
spending through continuous internal improvements; and (5) have
effective outsourcing of selected services and effective negotiation
with vendors, such that when dealing with external business partners or
service providers, the organization is able to demonstrate first-class
performance and demand best practices from others.
Companies should also realize that the industry's core
business is related to manufacturing goods. It is recommended,
therefore, to continue improving and investing in systems related to
manufacturing processes and streamlining production lines since this is
the industry's key strength. However, with regard to back office
operations, it is recommended to look at the possible option of
outsourcing them as they are not the core business of the industry. In
this case, companies will be more focused on allocating their budget and
resources to producing goods more efficiently and at high quality
through sophisticated automated manufacturing processes.
In addition, regulatory agencies should revisit and review existing
policies and regulations that govern the FBT industry and devise means
on how to increase compliance and adherence to those in a doable and
practicable fashion.
Finally, it is recommended that more research be conducted in this
discipline, particularly research of the empirical type, that will
serve as a jump-off point to enrich further the existing literature in
applied IT governance. Variables of key interest for future research
range from selecting a comparable industry type to relating maturity
levels to different quantitative and qualitative factors.
REFERENCES
Acosta, M., Samson, K., Tan, C., & Tecson, K. (2009). CobiT and
Shareholder Value: A Study on Selected Life Insurance Companies in the
Philippines. Unpublished undergraduate thesis, De La Salle University.
Camp, R.C. (1989). Benchmarking: the search for best practices that
lead to superior performance. Quality Progress.
Datamonitor (2006). Global Food, Beverage, & Tobacco. Retrieved
August 1, 2009, from
http://www.marketlineinfo.com/mline_pdf/industry_example.pdf
Devaraj, S. & Kohli, R. (2003). Performance impacts of
information technology: is actual usage the missing link? Management
Science, 46(4), 548-562. Retrieved July 25, 2009, from JSTOR database.
Dewan, S. & Kraemer, K.L. (2000). Information technology and
productivity: evidence from country-level data. Management Science,
49(3), 273-289. Retrieved July 25, 2009, from JSTOR database.
Dy, K., Ha, I., Gan, S. & Alba, H. (2009). Assessing IT
Governance Practices of Alaska Milk Corporation. Unpublished
undergraduate term paper, De La Salle University.
Hunton, J.E., Bryant, S.M., & Bagranoff, N.A. (2004).
Information Technology Auditing. USA: John Wiley & Sons.
IT Governance Institute (2007). COBiT. Retrieved August 1, 2009,
from www.isaca.org
IT Governance Institute (2007). IT Governance Global Status Report.
Retrieved August 1, 2009, from www.isaca.org
Moriarty, J.P. (2008). A Theory of Benchmarking. Retrieved August
1, 2009, from http://researcharchive.lincoln.ac.nz/dspace/bitstream/10182/1085/1/moriarty_phd.pdf
Robinson, N. (2005). IT excellence starts with governance. Journal
of Investment Compliance, 6(3), 45-49. Retrieved July 25, 2009, from
Emerald database.
Siethe, V. & King, R. K. (1994). Development of measures to
assess the extent to which an information technology application
provides competitive advantage. Management Science, 4(12), 1601-1627.
Retrieved July 25, 2009, from JSTOR database.
Various audited financial statements (2009). Retrieved July 25,
2009, from www.pse.com.ph
Willcocks, L.P. & Lester, S. (1997). In search of information
technology productive: assessment issues. The Journal of the Operational
Research Society, 48(11), 1082-1094. Retrieved July 25, 2009, from JSTOR
database.
Yu, W., Rogacion, K., Perez, K., & Lichengyao, P. (2006).
Benchmarking IT Governance Practices Among Listed Expanded and
Non-Expanded Commercial Banks in the Philippines. Unpublished
undergraduate thesis, De La Salle University.
Florenz C. Tugas, De La Salle University
Table 1: 10-step benchmarking model developed by Camp
Phase 1--Planning
1. Identify what is to be benchmarked.
2. Identify comparative companies.
Phase 2--Analysis
3. Determine data collection method and collect data.
4. Determine current performance levels.
Phase 3--Integration
5. Project future performance levels.
6. Communicate benchmarking findings and gain acceptance.
Phase 4--Action
7. Establish functional goals.
8. Develop action goals.
9. Implement specific actions and monitor progress.
10. Recalibrate benchmarks.
Table 2: Generic Maturity Model
Level  Name                       Description
0      Non-existent               Complete lack of any recognizable processes.
                                  The enterprise has not even recognized that
                                  there is an issue to be addressed.
1      Initial/Ad hoc             There is evidence that the enterprise has
                                  recognized that the issues exist and need to
                                  be addressed. There are, however, no
                                  standardized processes; instead, there are ad
                                  hoc approaches that tend to be applied on an
                                  individual or case-by-case basis. The overall
                                  approach to management is disorganized.
2      Repeatable but intuitive   Processes have developed to the stage where
                                  similar procedures are followed by different
                                  people undertaking the same task. There is no
                                  formal training or communication of standard
                                  procedures, and responsibility is left to the
                                  individual. There is a high degree of reliance
                                  on the knowledge of individuals and,
                                  therefore, errors are likely.
3      Defined process            Procedures have been standardized and
                                  documented, and communicated through training.
                                  It is mandated that these processes should be
                                  followed; however, it is unlikely that
                                  deviations will be detected. The procedures
                                  themselves are not sophisticated but are the
                                  formalization of existing practices.
4      Managed and measurable     Management monitors compliance with procedures
                                  and takes action where processes appear not to
                                  be working effectively. Processes are under
                                  constant improvement and provide good
                                  practice. Automation and tools are used in a
                                  limited or fragmented way.
5      Optimized                  Processes have been refined to a level of good
                                  practice, based on the results of continuous
                                  improvement and maturity modeling with other
                                  enterprises. IT is used in an integrated way
                                  to automate the workflow, providing tools to
                                  improve quality and effectiveness, making the
                                  enterprise quick to adapt.
Table 3: Overall and per domain mean and standard deviation
(obtained and adjusted)
                             Obtained  Standard   Adjusted  Standard
                             mean      deviation  mean      deviation
Plan and organize (PO)       2.51      1.28       2.09      1.03
Acquire and implement (AI)   2.71      1.46       2.26      1.23
Deliver and support (DS)     2.46      1.41       2.02      1.15
Monitor and evaluate (ME)    2.41      1.60       1.83      1.16
Overall level                2.52      1.39       2.05      1.08
Table 4: Tests of significance overall mean and per domain mean
(obtained and adjusted)
                        Overall   PO        AI        DS        ME
t Test Statistic        1.1469    1.0951    1.0111    1.0506    1.2416
Two-Tail Test
Lower Critical Value    -2.7194   -2.7194   -2.7194   -2.7194   -2.7194
Upper Critical Value    2.7194    2.7194    2.7194    2.7194    2.7194
p-Value                 0.2589    0.2807    0.3186    0.3004    0.2224
Decision                NR        NR        NR        NR        NR
NR = Do not reject the null hypothesis
Table 5: Tests of significance overall mean (obtained and adjusted)
and maturity level
                        Obtained  Obtained  Adjusted  Adjusted
Level of significance   0.01      0.05      0.01      0.05
t Test Statistic        1.7276    1.7276    0.1980    0.1980
Upper-Tail Test
Upper Critical Value    2.5279    1.7247    2.5834    1.7458
p-Value                 0.0497    0.0497    0.4227    0.4227
Decision                NR        R         NR        NR
NR = Do not reject the null hypothesis
R = Reject the null hypothesis
EXHIBITS
Exhibit A: Maturity scores (per generic process per domain)
PLAN AND ORGANIZE (Maturity Score)
PO1 Define a Strategic IT Plan 2.25
PO2 Define the Information Architecture 1.52
PO3 Determine Technological Direction 2.15
PO4 Define the IT Processes, Organization and Relationships 2.4
PO5 Manage the IT Investment 2.26
PO6 Communicate Management Aims and Direction 2.3
PO7 Manage IT Human Resources 2.42
PO8 Manage Quality 1.67
PO9 Assess and Manage IT Risks 1.79
PO10 Manage Projects 2.15
ACQUIRE AND IMPLEMENT
AI1 Identify Automated Solutions 2.48
AI2 Acquire and Maintain Application Software 2.07
AI3 Acquire and Maintain Technology Infrastructure 2.01
AI4 Enable Operations and Use 2.26
AI5 Procure IT Resources 2.6
AI6 Manage Changes 2.35
AI7 Install and Accredit Solutions and Changes 2.07
DELIVER AND SUPPORT
DS1 Define and Manage Service Levels 2.19
DS2 Manage Third-Party Services 1.91
DS3 Manage Performance and Capacity 2.03
DS4 Ensure Continuous Service 1.58
DS5 Ensure Systems Security 2.28
DS6 Identify and Allocate Costs 1.83
DS7 Educate and Train Users 1.68
DS8 Manage Service Desk and Incidents 2.15
DS9 Manage the Configuration 1.89
DS10 Manage Problems 2.55
DS11 Manage Data 2.12
DS12 Manage the Physical Environment 2.03
DS13 Manage Operations 2.01
MONITOR AND EVALUATE
ME1 Monitor and Evaluate IT Performance 1.51
ME2 Monitor and Evaluate Internal Control 1.94
ME3 Ensure Regulatory Compliance 2.12
ME4 Provide IT Governance 1.76
Exhibit B: Participating companies
FBT Company                                             Office Address
AgriNurture, Inc.                                       35 Gasan St., Masambong, San Francisco Del Monte, Quezon City
Alaska Milk Corporation                                 6F Corinthian Plaza, 121 Paseo de Roxas, Makati City
Alliance Tuna International, Inc.                       Suite 1205 East Tower, PSE Center, Exchange Road, Ortigas Center, Pasig City
Bogo-Medellin Milling Company, Inc.                     30F Citibank Tower, 8741 Paseo de Roxas, Makati City
Central Azucarera de Tarlac, Inc.                       J. Cojuangco & Sons Bldg., 119 dela Rosa cor Palanca, Jr. Sts., Legaspi Village, Makati City
Cosmos Bottling Corporation                             1890 Paz Guazon Ave., Otis, Paco, Manila City
Ginebra San Miguel, Inc.                                3F & 6F, San Miguel Properties Center, St. Francis Ave., Mandaluyong City
Jollibee Foods Corporation                              10F Jollibee Plaza Bldg., Emerald Ave., Ortigas Center, Pasig City
Liberty Flour Mills, Inc.                               Liberty Bldg., 835 Arnaiz Ave., Makati City
Pepsi-Cola Products Philippines, Inc.                   Km. 29 National Road, Tunasan, Muntinlupa City
Philippine Tobacco Flue-Curing & Redrying Corporation   802 A. Bonifacio St., Balintawak, Quezon City
RFM Corporation                                         RFM Corporate Center, Pioneer St., Mandaluyong City
Roxas and Company, Inc.                                 6F Cacho Gonzalez Bldg., 101 Aguirre St., Legaspi Village, Makati City
Roxas Holdings, Inc                                     6F Cacho Gonzalez Bldg., 101 Aguirre St., Legaspi Village, Makati City
San Miguel Brewery, Inc.                                40 San Miguel Ave., Mandaluyong City
San Miguel Corporation                                  SMC Complex, 40 San Miguel Ave., Mandaluyong City
San Miguel Pure Foods Company, Inc.                     JMT Corporate Condominium, ADB Ave., Ortigas Center, Pasig City
Swift Foods, Inc.                                       8F, RFM Corporate Center, Pioneer St., Mandaluyong City
Tanduay Holdings, Inc.                                  348 Nepomuceno St., San Miguel District, Manila City
Universal Robina Corporation                            43F Robinson Equitable Tower, ADB Ave., Ortigas Center, Pasig City
Vitarich Corporation                                    Unit 30 2F, Facility Center, 548 Shaw Blvd., Mandaluyong City
Exhibit C: Participating IT experts
Name IT-related certification
Villuerbanne C. Ave CPA, CISA
Caroline D. Guadana CPA, CISA
Christian P. Soriano CPA, CISA