Proceedings of the 51st Hawaii International Conference on Sciences | 2018

Using the Viable System Model to Study IT Governance Dynamics: Evidence from a Single Case Study

Tim Huygh Steven De Haes University of Antwerp, University of Antwerp, Antwerp, Belgium Antwerp, Belgium [email protected] [email protected]

Abstract nonexistent or inappropriate IT governance. IT This paper presents a single descriptive case study in governance failure is for instance mentioned in which the viable system model (VSM) is used as a relation to information security breaches and IT theoretical lens to model an ’s investment failure [10], [11]. In summary, contemporary IT governance system. The case contemporary have clear incentives to presented herein was selected specifically for being a strive for effective IT governance, especially if their digitized company of which we knew that a lot of effort dependency on IT is high. was put recently in their IT governance system. We find that the case company’s IT governance system This study aims to explore an effort to bring in more maps well to the structure and underlying logic of the theory and prescriptive guidance in the area of IT VSM. This paper contributes to the literature by governance. More specifically, the goal of this study providing an empirical justification exemplar on the is to gauge the applicability of using the viable system applicability of systemic thinking in general, and the model (based on the theory of VSM in specific, for modelling enterprise governance ) as a lens to study the IT governance and management of IT. construct, by presenting a descriptive case study that leverages this lens. As a result, this study proposes to view IT governance as a complex system. Complex 1. Introduction exist in a dynamically changing environment that demands dynamically responding behavior, i.e. It is a well-established fact that organizations are they must possess the ability to adapt to their becoming more and more dependent on IT. As a result environment [12], for instance due to digital of continuous technological progression, disruption. Following Conant & Ashby [13], in order organizations are faced with a plenitude of IT-related to be able to control a (complex) system, there must be opportunities that might be helpful in increasing their a model of the system that is to be controlled, and this operational efficiency and/or generating competitive model must contain all important aspects of that advantage [1]. Digital disruption is all around us, and system. In the present paper, the viable system model, many organizations are actively thinking about such grounded in (management) cybernetics, will be used transformations [2]. Disruptive technologies can as a lens for modelling the governance and impact models, or even entire sectors in short management of IT. This way, cybernetics is used as a timeframes [3]. Given an increasing dependency on kernel theory, providing a strong theoretical IT, decision-makers are faced with more IT-related foundation. If we propose the VSM to be applicable decisions [4]. Disciplines like IT management and IT for modelling a governance and management of IT governance surfaced to assist decision-makers with system, a prescriptive account will be provided these issues [5], [6]. It has been stressed many times following the VSM logic on which functions should that the effective use of IT and the creation of business be included in any IT governance system and how they value from IT relies heavily on good IT governance should be interrelated, as well as the dynamics that [4], [7]–[9]. Specifically, IT governance is said to have emerge within such a system. The larger descriptive a substantial impact on the value generated from IT body of IT governance literature can then be used as assets and IT investments. As Weill & Ross [7, pp. 3– good practices to operationalize said necessary and 4] put it: “effective IT governance is the single most sufficient functions, following the prescriptions important predictor of the value an organization provided by the VSM, in an appropriate context (e.g. generates from IT.” Next to the potential benefits of SME context, inter-organizational context etc.). good IT governance, there are also potential risks to

URI: http://hdl.handle.net/10125/50501 Page 4880 ISBN: 978-0-9981331-1-9 (CC BY-NC-ND 4.0) In the IT governance body of knowledge, many The VSM has been applied in IS research before [14]. different mechanisms are reported, such as strategy While the VSM is traditionally used to model committees, steering committees, a portfolio organizations (i.e. taking the organization as “system- management process, etc. [7], [23]–[25]. Early debates in-focus”), IS research applied the VSM to a of merely framed IT governance as a choice between the socio-technical systems. Examples include a project centralization or decentralization (or a combination of management system [15], complex system both) of IT-related decision-making, and the architecture [12], a supply chain system [16], conditions under which a certain arrangement was information security [17], and IT governance [18]– chosen [26]–[28]. The experience however, has [20]. Indeed, the VSM has been used in relation to IT proven that reality is more complex, and research into governance before, albeit strictly conceptually. The ‘holistic’ IT governance has been gathering present research builds on these previously-proposed momentum over the last decade [4], [7], [8], [23], [24], ideas. Specifically, this paper presents an empirical [29], [30]. Specifically, contemporary research states justification exemplar of the application of the VSM that IT governance can be implemented using a for modelling an organization’s contemporary holistic set of structures, processes, and governance and management of IT system and relational/communication mechanisms [24], [30]. It is explicitly describes the observed dynamics in terms of exactly this holistic nature of IT governance as a set of the underlying logic of the VSM. mechanisms that lends itself well to the application of systemic thinking. Additionally, taking a (complex) The remainder of this paper is structured as follows. systems approach, the dynamic nature of IT Section 2 contains the theoretical background for this governance systems is acknowledged. This study research, ending with a theoretical justification of the therefore proposes a dynamic way of looking at the IT applicability of systemic thinking and the VSM for governance concept, while still acknowledging the modelling a governance and management of IT holistic state-of-the-art view that sees IT governance system. The third section discusses the research design as a set of practices. and provides some information on how the case study was conducted. Section 4 presents aspects of the case 2.2. Systemic thinking and the viable system company’s contemporary governance and model management of IT system, using the VSM as a theoretical lens. This section also includes a discussion A system consists of a set of interrelated elements [31] of the dynamics of the case company’s contemporary and is designed to serve a purpose [32]. This set of governance and management of IT system, related to interrelated elements exists in the “system domain”, the underlying logic of the VSM. Finally, the fifth which separates the system from the “environment”. section presents some limitations and opportunities for However, communication can take place between the future research. system and the environment [32]. Complex systems exist in a dynamically changing environment that 2. Theoretical background demands dynamically responding behavior, i.e. they must possess the ability to adapt to their environment 2.1. IT governance [12]. Systemic thinking advocates a holistic view on the whole system as a set of elements and the analysis IT governance should be treated as a focal area of of the relationships between these elements [33], as [4], [7]. Van Grembergen & De these may lead to emergent properties that are even Haes [21, p. 3] define the concept as “an integral part more important than the individual elements of corporate governance and addresses the definition themselves [34]. and implementation of processes, structures and relational mechanisms in the organization that enable Flood & Jackson [35] discuss a number of systemic both business and IT people to execute their methodologies to study (complex) systems. One of responsibilities in support of business/IT alignment these methodologies is the viable system view or and the creation of business value from IT-enabled “neurocybernetic metaphor”. This methodology business investments”. Over time, IT governance emphasizes active learning and control and is therefore gained momentum due to more companies becoming particularly useful for systems that are operating in increasingly dependent on IT for their strategic and highly uncertain environments. Systemic operational business activities [4], [22]. methodologies generally rely heavily on visual representation. The Viable System Model (VSM) is the visual representation of the viable system view or

Page 4881 “neurocybernetic metaphor”. developed Variety is a measure of complexity [37]. and described the VSM in his seminal trilogy, under The ability to continuously cope with this

the general heading of “The managerial cybernetics of variety implies to be viable. Ashby’s law organization” [36]–[39]. The VSM is theoretically of requisite variety is a fundamental grounded in and cybernetics. Building underlying principle of the VSM. The law on prior work in the field of cybernetics, Beer is states that only variety can absorb variety talking about “” [40], which [47, p. 207]. In other words, the variety of simply refers to applying cybernetic principles to the the controlling element should be at least management of organizations, and states that: as great as the variety of the element that is “cybernetics is the science of effective organization” (Requisite) Variety to be controlled. Therefore, variety [38, p. ix]. As a result, the VSM can be referred to as engineering takes place at each “a theory of organization” [41, p. 40]. Stafford Beer “communication channel” of the VSM. is considered to be the first to translate cybernetic Recursion refers to the fact that “any principles to the field of management, ultimately viable system contains, and is contained in, resulting in the VSM [42]. Beer’s motivation is a viable system” [37, p. 118]. Each stemming from the fact that traditional ways of embedded viable system will deal with its thinking about the management of organizations do local environment, which is a subset of the not embrace the key concept of viability [38]. Recursion total environment of the system-in-focus [45]. This enables consistent modelling at Table 1 first presents the key underlying concepts of different levels of granularity. the VSM. Viability can be seen as the ultimate Transduction applies to the underlying concept of the VSM. It means that the communication links of the VSM. It system is able to continue achieving its purpose, implies that the communication between despite being exposed to complexity/change. The five two entities should be translated into terms systems (i.e. systems 1 through 5; discussed in the that the receiving entity understands, while second part of the table) are the necessary and Transduction preserving the intended variety [38]. sufficient subsystems that enable viability. These VSM systems systems are interconnected through variety loops System 1 is composed of all relevant (discussed in the third part of the table) to enable operations that implement the purpose of variety engineering (i.e. achieving requisite variety). the system, and all local managerial The concept of recursion is also important in variety activity related to running these operations. engineering (i.e. it enables variety engineering at System 1 of the system-in-focus is System 1 different levels of granularity), and therefore, therefore the combination of all embedded ultimately in achieving viability. In terms of variety viable systems [37], [38]. engineering, transduction is concerned with variety System 2 coordinates the system 1 preservation while translating the message into terms activities of the system-in-focus, as well as that the receiving entity understands. their embedded operations at the next lower-level recursion [37]. It represents a

Table 1. VSM systems, variety loops, and key System 2 process of auto-regulation to deal with underlying concepts oscillations. VSM key underlying concepts System 3 controls the operation of the The system is capable to maintain itself/its system-in-focus (i.e. system 1; all identity [43]. This is closely related to the embedded viable systems) [38]. It is concept of variety, as a system is said to be responsible for keeping the autonomy of System 3 viable when it is able to continuously cope all S1-units in balance with the overall with the variety to which it is imposed [44]. cohesion of the system-in-focus [41]. Therefore, a system can only be viable if it System 3* is the audit or monitoring

Viability has its own problem-solving capacity [45]. channel, and links all operational units Indeed, for viable systems it is important to directly to system 3, bypassing their local detect environmental changes quickly and management units, enabling system 3 to adapt in a way to meet the variety to which System 3* System obtain information directly from it is exposed at any given time [46]. operations [38].

Page 4882 management of IT will as regarded acomplex IT of be management and governance the paper, this of context the In and IT governance 2.3. Theoretical parallels between the VSM in anchored rigorously effectivestructures and [34] communication control dynamicmodel to support thedesign and diagnosis of summarize, a is seenTo that it VSM the be can

System 3 – System 4 Algedonic Communication with VSM Command axis System 5 System 4 homeostat channel the environment communication channels/ communication present the system the overall of purpose direction, values, and system between act of the relationship This homeostat represents multiple recursions. over attentio immediate the requires that any information algedonicThe channel filter to used is out [38][37], . with environment) its (i.e. total system 4 its embedded environments), and through with (i.e. system 1 through its environment system The [38][37], channel intervention an and measurement), accountability (i.e. channel performance a resource bargaining loop make decisions. variety through the ability to command and with requisite metasystem the providing axis command The purpose for system the of S syst the of environment total with the communication in external engaged is it Additionally, viabilitywere if they undetected be to [45] the system’s threaten potentially could system’s the in threats 4 System i.e. itis i.e. (system 4) (system ystem creat 5 setting its overall direction, values, and and values, direction, its overall setting

” 5 used raise to alarm. also It can span

[48] , to ensure compatibility with the the with compatibility ensure to , .

(system 3) and “ and 3) (system em - . I in - scans for scans

. in the theory of cybernetics of theory the -

- - in t is directly monitored by by t ismonitored directly focus es in - focus communicates with focus communicates

-

lly, it consists of of consists it Specifically, - focus and maintain and focus and and focus n of system 5 [37], [38]5 system n of

[38]

environment, which [38]

opportunities and .

contributes to to contributes variety loops .

the the is responsible responsible is s the future the

the identity the identity balancing , an an , . “

the the

” . ,

, loops) in relation to in relation loops) structural of part the VSM (i.e. systems and variety table at thelevel ( conceptual 1 the of concepts underlying IT mitigating simultaneously while IT, from value business is governance ultimate of IT purpose The governance. IT of purpose the think about to requires also view systemic a Taking structures, processes, and relat governance asset aholisticwhich of IT sees in linewith research contemporary in domain the entirely is which construct, governance IT the on view system.

) Table Table , also translate also Transduction Recursion (Requisite) Viability

variety furthermore

2 Taking a systemic view warrants a holistic holistic view warrants a systemic a Taking VSM underlying concepts and the and concepts underlying VSM An IT governance system needs to be able able be to needs system governance IT An at the business domain the business at organizational level, level, at the corporate other. communicateand to IT with clearly each is crucial IT and business between understanding shared , [8] value business and governance IT between generally to considered be a mediator alignment, business/IT ensure to order In level, task at the project context organizational the within granularity should occur at d IT of management and governance The IT and disturbances these control to the system is variety Requisite IT of management and governance variety/complexity of source major a is Digital disruption value business ensuring disruption digital to subject is that environment and opportunities in threats strategic potential actively detect to . Theoretical parallels between the VSM Theoretical parallels the VSM between - r r enabled business value business enabled elevance to IT to elevance governance elevance to IT to elevance governance continuously - related risks. related

VSM systems and the and systems VSM

well to the construct of IT governance governance IT of construct the to well

generally generally and IT governance . For instance, at the inter at instance, For . [23] [4],

IT governance.IT presents the relevance of the the delivery of IT deliverythe of , [3]

[4]

Table Table of part First [49]

VSM VSM to be able to continue . ensuring ensuring seen as optimizing the the optimizing as seen

in the realm of the . This enables business business enables . This then then Furtherm ifferent levels of - in specific level, at the level, project - level, etc. ional mechanisms ional

. the capability of of capability the

the delivery the of

a ore, the key key the ore,

( ae4883 Page

- viz. viz. business business enabled

2 ).

Table Table

[3] This This - .

, . Algedonic Communication with Command VSM System 5 System 4 System 3* System 3 System 2 System 1 channel the environment axis and the relevance policies. incidents (e.g. security breach). Raise alarm disclosure). assets governance IT (i.e. transparency or IT its managing and governing is organization the way the on stakeholders i instance: For IT enforcing and measurement, , performance IT IT IT. of role follow this that logically policies governance IT maintaining and defining (e.g. as “IT a strategic partner”) organization the for IT of role the Defining assets. digital of future technologies emerging scanning, Technology security audit etc.) IT “command axis”). and management, performancemeasurement, r include responsibilities assets digital of set total the controlling for Responsible IT management project for Prince2 standardsrelated frameworks or (e.g. could for instance be digital of) (classes coordinationThe different between assets. future and operations) a distinctionmade current is between (i.e. Often, assets. be the digital of set to argued be can IT of management and governance the of the of purpose implementation The communication channels/variety loops - related audrelated enforcing IT enforcing

management

in the case of IT case the in of

its (e.g. project audit, audit, project its (e.g.

to IT governance

- (i.e. S1) related policiesrelated (cfr. assets. Self assets. achieved by using IT byusing achieved nforming external external nforming

). , keeping up with with up keeping

(i.e. projects)IT anticipating .

, as well as , as - or ITIL foror regulation regulation Specific - - - esource related related r related related elated

the the -

study at the organi the at study transcr and fullywere fashion. recorded All interviews guidelines) by Yin [50] byYin guidelines) required. in and research goal casewas study method for deemed appropriate our organization system IT of management and governance This paper employs case study study to research the 3.1. Research approach methodology3. Research • werestakeholders interviewed: following the study, case this of course the Over 3.2. Intervie documents) company and (interviews triangulation data as well as IT), and business (both interviewees multiple interview protocol, recording the interviews, and using an Reliability of was ensured development through the review ensure to validity the report research construct Eachwas interview in asemi conducted • was maintained Over the course of the case study, achain of evidence • •

The CIO, who is ultimately responsible for the for responsible ultimately is who CIO, The different business domains business different the over coordinating well as as , planning technologi emerging on following include role this of responsibilities main The IT. and business between function domains. The EA is positioned as a bridge enterpriseThe architect of the internal service the for blueprint system. governance the IT governance system. governance IT the andprojects, ismajor therefore stakeholder a in IT for budget IT largest the has domain business managing“payroll services”. of This The director governanceover the IT processes. watching of mainwith responsibility the function, T system. IT of management S3 – S4 he IT governance manager. This is a business business a is This manager. governance IT he - ibed

depth study of the phenomenon of interes of phenomenon the of study depth homeostat budget and planning strategic IT The caseThe study process (and related research . The CIO was the sponsor of this case case this of sponsor was the CIO The . .

, using, the atheoretical VSM as lens. The , as , wees . and key interviewees interviewees key and

it is applicable if a more extensive more extensive if a applicable it is zation, with whom four meetings meetings four whom with zation,

contemporary

He the originally developed was used for

.

- long and es governance and and governance setting the IT the IT setting

were asked this research - ae4884 Page structured structured

in a real in areal term term - t is t is

up up IT to to . .

were planned. Snowball sampling of other relevant 4.2. Acerta’s IT governance practices mapped interviewees was achieved through the CIO. The goal to the VSM systems and variety loops was to include key stakeholders in the governance and management of IT system, and to get a balanced Analyzing the information extracted during case study perspective between the business and IT. The three research, we were able to map Acerta’s governance other interviewees were only interviewed once. Each and management of IT practices to the VSM systems interview lasted between 45 and 90 minutes. and variety loops, in two different recursions (i.e. Contradictory evidence in different interviews was corporate level, and business domain level). Table 3 verified with other stakeholders and ultimately with presents examples of this for the corporate level. the CIO. Based on all of the collected evidence, the case company’s governance and management of IT Table 3. Examples of corporate-level IT system was then modelled according to the VSM governance practices at Acerta (recursion 0) blueprint. Examples of VSM systems manifest at Acerta

Activity Steering Committee (ASC) for each 4. Results business domain in charge of the management of business domain IT assets.

In the following sections, we will briefly discuss (1) System 1 Acerta’s background, (2) the mapping of Acerta’s

governance and management of IT practices to the Forum (EAF) for VSM structure, and (3) the dynamics of Acerta’s IT coordinating the different business domain governance system using the underlying logic of the IT assets, and supporting change

VSM. System 2 management for internal stakeholders.

4.1. Introducing Acerta Enforcing hard legal & corporate IT-related requirements (e.g. IT-security requirements enforced by the risk committee, i.e. using the Acerta is an HR services provider in Belgium that command axis). specializes in advice, computerization and processing System 3 of administrative processes for payroll, social security, Externalized IT audit and IT crisis child benefits and branch formalities. Therefore, simulations. Acerta’s customers are enterprises of all sizes, and self-employed workers. Acerta has more than 1,300

employees spread across 38 offices in Belgium. The 3* System firm had a turnover of just over 160 million euros in Enterprise Architecture Forum (EAF) 2015. Acerta is not a publicly listed company. Instead, following up on emerging technologies and it is owned by two shareholders who each own 50% of their potential applications for Acerta. the shares. In 2015, Acerta’s total IT budget was 49 million euros. The estimate for 2016 is with 48 million System 4 euros approximately the same. The tendency since Board-level IT oversight: yearly 2012 is that Acerta’s IT budget lies between 40 and 50 presentation of the IT strategy to the million euros, as this can be supported by their by the CIO, and IT- contemporary cost structure. In 2015, ca. 70% of the related information part of monthly IT budget was used to “run the business” (i.e. “to keep performance reports (cfr. transduction). The the lights on”, including operational costs and small supervisory board also established a board- System 5 maintenance projects to maintain the existing level monitoring committee (and attached portfolio), while ca. 30% was used to “change the steering committee) for “new wages business” (i.e. projects for “new IT”, both smaller and engine”, a major strategic IT project. strategic). Again, the estimates for 2016 are Examples of VSM variety loops manifest at approximately the same. In terms of IT costs, ca. 30% Acerta

of Acerta’s total expenses are IT-related. Therefore, IT strategic planning and setting the IT Acerta is very dependent on IT, especially on highly budget (long term plan) between EAF and S4 reliable operating systems. Acerta does however not - executive committee, overviewed by the claim to be a front-runner in the continuous S3 supervisory board. application of emerging technologies (i.e. “new IT”). homeostat

Page 4885 4.3. Studying IT governance at Acerta using Examples of VSM variety loops manifest at the VSM’s key underlying concepts Acerta Portfolio management and prioritization of 4.3.1. A recursive view on Acerta’s governance and projects, overviewed by the managing S4 management of IT - director of each business domain. S3

homeostat The VSM warrants a recursive view on a system. In this paper, we take Acerta’s corporate IT governance system as recursion 0, while recursion -1 would then A clear flow in the recursions can be identified. In deal with IT governance at the business domain level. Acerta’s corporate IT governance system (recursion Following the fractal nature of the VSM, each 0), the identity of the system is held by the board of recursion consists of exactly the same building blocks. directors, which is taken into account by the executive However, the operationalization of these elements will committee during IT strategic planning and IT be different (as the focus of the recursion is different). budgeting (viz. corporate variety loop S3-S4). Each Each recursion will deal with a different level of ASC then translates what is being asked at executive granularity. Therefore, new practices will be used to committee-level to their specific business domain deal with the issues at a certain level. Accordingly, (recursion -1). The assigned part of the IT budget is when moving down in recursions, we enter more and also a given constraint for each business domain, for more in the area of IT management. We have briefly instance during their specific IT portfolio management explored the governance and management of IT at the and prioritization. In turn, the playing field of the MSC corporate level in Table 3. Examples of practices at the and PSCs that belong to a business domain is also business domain level, mapped to the VSM systems determined by the business domain ASC, directly and variety loops, are presented in Table 4. This influencing the tasks at that level. We observed several clearly indicates the applicability of the concept of links between recursion 0 and recursion -1 recursion to Acerta’s governance and management of (organizational and business domain level IT system. respectively) at Acerta. First, the managing director of each business domain (S5 at each recursion -1) is also Table 4. Examples of business domain-level IT part of the executive committee (S3 at recursion 0), governance practices at Acerta (recursion -1) which enables them to represent their specific business Examples of VSM systems manifest at Acerta domain (or subsystem) at the corporate level. Second, the enterprise architect (S2 at each recursion -1), who Project steering committees (PSC) for steering projects and maintenance steering is also the chair of the domain council of his/her committees (MSC) for governing business domain (S4 at each recursion -1), is also part of the EAF at the corporate level (S2/S4 at recursion

System 1 maintenance budgets and priorities. 0), where they operationalize the coordination and intelligence functions of the VSM, bringing together Release management for the coordination and smooth transitioning from “change” to the information they have from within their respective “run”. business domains. Third, the algedonic channel (viz. the communication channel used to filter out any System 2 information that requires the immediate attention of the metasystem) can be sourced in a PSC (S1 at Activity Steering Committee (ASC), among other things responsible for the division of recursion -1) and run its way back up to the executive the business domain's IT budget according committee and even the supervisory board to categories: investments, projects, (metasystem at recursion 0). This will happen when System 3 functional maintenance, and break & fix. things go awry in a certain project. Another algedonic channel instance can be found in IT operations. When Domain council, chaired by the business domain enterprise architect. This structure an incident classified as “very high” occurs (which for instance discusses new application will then most likely be sourced in recursion -2), the opportunities within the context of a system will automatically send System 4 business domain. an e-mail to the entire executive committee. Finally, business cases for investments can be brought from a Business domain managing director, who translates Acerta’s overall direction, values, business domain’s ASC (S3 at recursion -1) to the and purpose to the specific business domain. executive committee or even the supervisory board at the corporate level. This happens when the IT budget System 5

Page 4886 is insufficient but the investment is considered to be of areas as well. Several IT governance structures have major strategic importance for Acerta. variable meeting frequencies, depending on the complexity they have to deal with. For instance, the These examples indicate that the underlying concept domain council within a given business domain tends of recursion can be seen at work in Acerta’s to meet more frequently when there are more, or more governance and management of IT system. As complex, projects in the pipeline. A PSC tends to do previously discussed, variety engineering should work the same thing depending on the phase the project is at different levels of granularity (i.e. recursions). in. At the corporate level, the same was observed for Nevertheless, the observer needs to decide on a scope the EAF, whose meeting frequency was recently of interest, which in our case consisted of the corporate increased from every two weeks to every week, as it level as well as the business domain level. was acknowledged that Acerta is currently in the process of undergoing some major strategic changes. 4.3.2. IT governance dynamics: Enabling viability Additionally, most IT governance structures are not through variety engineering only dynamic in meeting frequencies, but also in composition depending on the issues that need to be The establishment of the supervisory board-level discussed. A domain council for instance tends to monitoring committee for the “new wages engine” invite IT architects that are specialists in the technical strategic IT project is an indication of the dynamic aspects underlying the issues that are on the agenda for responding behavior of Acerta’s IT governance a given meeting. We also observed more dedicated system (a trait that is a requirement for viability), as enterprise architects for the more important business this shows the tendency of the metasystem to respond domains (in terms of IT budget). The enterprise dynamically to changes in operational variety. architect was introduced as a new role within Acerta’ Specifically, we see that if the complexity/variety of contemporary governance and management of IT S1 increases (in this case a very complex project in the system. It was acknowledged that there was a need for pipeline), the metasystem responds to be able to deal a coordination mechanism that enabled the with this increased variety (in this case by increasing consistency of the whole, resulting in the the variety of response of system 5, mainly implementation of the EAF. From a VSM point of operationalized through the supervisory board at view, this corporate S2 mechanism is needed for Acerta, by adding a dedicated monitoring committee, variety attenuation by the executive committee as well as a steering committee to deal with the higher (corporate S3), as it works through mutual self- overhead (because of the co-sourcing relation). When adjustments (and therefore does not require formal probed if such a board-level monitoring structure intervention – otherwise it would be a S3 mechanism would be kept in use when the project was finished, that uses the command axis). A final point of dynamic the CIO said: “there is a 99% chance that it will not, behavior in Acerta’s IT governance pertains to their but it could definitely be back on the table when business case process. The contents of business cases another major project arises.” This is indeed an at Acerta appears to be a function of the investment example of dynamic responding behavior of Acerta’s size and type (e.g. formal business cases are only metasystem in the realm of the governance and drafted for projects and investments), as well as the management of IT. Seeing as the VSM is a dynamic trigger event (e.g. business cases for legal/compliance model, it is important to recognize that IT governance projects are drafted in less detail). is a dynamic system. To put it in the words of the IT governance manager: “It should be avoided that the IT All previous examples clearly show that Acerta’s governance framework is unable to adapt to changing governance and management of IT system is not “set circumstances. It should not be fully prescribed in in stone”. Rather, it is dynamic in reacting to internal detail, as it should also take into account that there are and external disturbances. This trait is the dynamic differences between the different business domains for adaptation capability (i.e. variety engineering) that instance. Nevertheless, it always remains a hard enables long-term viability. requirement that all of the IT governance structures bring together business and IT people, to enable them 4.4. Conclusions and implications working together closely, in order to safeguard business/IT alignment and close collaboration.” This paper presented Acerta’s contemporary governance and management of IT system through the Dynamic behavior in response to changes in lens of the Viable System Model. The goal was to complexity/variety were observed for Acerta’s provide an empirical exemplar that would point in the governance and management of IT system in other direction of the applicability of the VSM for modelling

Page 4887 IT governance. We found that Acerta’s contemporary conducted in order to present good-practice IT IT governance system maps well to the structure and governance solutions for a certain context (e.g. inter- logic of the VSM. Therefore, we propose that the VSM organizational, SME etc.), extensively using might provide an interesting blueprint to model practitioner knowledge as well as the IT governance governance and management of IT systems. body of knowledge, while rigorously adhering to the Specifically, we propose that the VSM can provide a VSM structure and concepts. prescriptive account on which functions should be included in any IT governance system and how they References should be interrelated, as well as the dynamics that emerge within such a system. This way, the VSM can [1] K. C. Laudon and J. P. Laudon, Management be used to provide theoretical underpinnings (using Information Systems, 14/E. Pearson, 2015. (management) cybernetics as a kernel theory) for IT [2] E. Valentine and G. Stewart, “Enterprise Business governance research, which enables theory building Technology Governance: Three Competencies to and the deduction of theory-based propositions. Build Board Digital Leadership Capability,” in Therefore, this paper can also be seen as an 2015 48th Hawaii International Conference on exploratory step in the process of building a theory for System Sciences, 2015, pp. 4513–4522. IT governance. [3] E. Valentine and G. Stewart, “The emerging role of the in enterprise business All of the IT governance practices that we extracted technology governance,” Int. J. Discl. Gov., vol. 10, no. 4, pp. 346–362, Apr. 2013. from the interviews could be mapped to the VSM [4] S. De Haes and W. Van Grembergen, Enterprise systems and variety loops, at different levels of governance of information technology, second recursion. This resulted in the observation that Acerta edition. Springer, 2015. operationalized the five necessary and sufficient VSM [5] R. R. Peterson, “Integration Strategies and Tactics systems in at least two recursions (i.e. corporate level for Information Technology Governance,” in and business domain level governance and Developing Successful ICT Strategies, H. Rahman, management of IT). Furthermore, this case study Ed. IGI Global, 2004, pp. 240–280. discussed the application of key VSM concepts (e.g. [6] ISACA, “COBIT 5: A Business Framework for recursion and variety/complexity engineering to the Governance and Management of Enterprise IT,” 2012. enable viability) in Acerta’s governance and [7] P. Weill and J. W. Ross, IT Governance: How Top management of IT system. Acerta’s system was found Performers Manage IT Decision Rights for to be dynamic in response to changes in Superior Results. Harvard Business Press, 2004. variety/complexity, as is required in terms of the [8] S. P.-J. Wu, D. W. Straub, and T.-P. Liang, “How VSM. The case study presented in this paper can information technology governance mechanisms therefore be seen as a good-practice exemplar of how and strategic alignment influence organizational a real-world governance and management of IT performance: insights from a matched survey of system should work, using the VSM as a theoretical business and IT managers,” MIS Q., vol. 39, no. 2, lens. 2015. [9] G. S. Kearns and R. Sabherwal, “Strategic Alignment Between Business and Information 5. Limitations and opportunities for future Technology: A Knowledge-Based View of research Behaviors, Outcome, and Consequences,” Journal of Management Information Systems. Routledge, 09-Dec-2007. Future research steps might include a longitudinal [10] W. Raghupathi, “Corporate Governance of IT: A analysis of the transformation of an IT governance Framework For Development,” Commun. ACM, system, e.g. through action research. The prior vol. 50, no. 8, pp. 94–99, Aug. 2007. situation can then be compared to the new situation [11] T. H. Davenport, “Putting the enterprise into the (which was designed according to the VSM) in terms enterprise system.,” Harv. Bus. Rev., vol. 76, no. of IT governance effectiveness. Alternatively, 4, pp. 121–131, Jan. 1998. [12] C. Herring and S. Kaplan, “The viable system “extreme case” research can be conducted, by architecture,” in Proceedings of the 34th Annual theoretically sampling on maximal variation on (a) Hawaii International Conference on System certain dependent variable(s). Potential differences in Sciences, 2001, p. 10. IT governance effectiveness can then be related to [13] R. C. Conant and W. R. Ashby, “Every good potential differences at the level of regulator of a system must be a model of that implementation/operationalization of the VSM system,” Int. J. Syst. Sci., vol. 1, no. 2, pp. 89–97, systems. Finally, design science research can be Mar. 1970. [14] J. Richter and D. Basten, “Applications of the

Page 4888 Viable Systems Model in IS Research -- A no. 2, pp. 179–193, Jun. 2009. Comprehensive Overview and Analysis,” in 2014 [30] R. R. Peterson, “Crafting Information Technology 47th Hawaii International Conference on System Governance,” Inf. Syst. Manag., vol. 21, no. 4, pp. Sciences, 2014, pp. 4589–4598. 7–22, Sep. 2004. [15] G. Karayaz, C. B. Keating, and M. Henrie, [31] L. von Bertalanffy, General System Theory. New “Designing Systems,” in York: George Brazillier Inc., 1968. 2011 44th Hawaii International Conference on [32] M. Yolles, Management Systems. London: System Sciences, 2011, pp. 1–10. Financial Times Ltd., 1999. [16] M. Laumann and C. Rosenkranz, “Analysing [33] G. Preece, D. Shaw, and H. Hayashi, “Using the Information Flows for Controlling Activities Viable System Model (VSM) to structure within Supply Chains: An Arvato (Bertelsmann) information processing complexity in disaster Business Case,” ECIS 2008 Proceedings. 2008. response,” Eur. J. Oper. Res., vol. 224, no. 1, pp. [17] G. B. Gokhale and D. A. Banks, “Organisational 209–218, Jan. 2013. Information Security: A Viable System [34] R. Espejo and A. Reyes, Organizational Systems: Perspective,” in AISM, 2004. Managing Complexity with the Viable System [18] J. Peppard, “The Application of the Viable Model. Springer-Verlag Berlin Heidelberg, 2011. Systems Model to Information Technology [35] R. L. Flood and M. C. Jackson, Creative problem Governance,” ICIS 2005 Proceedings. 2005. solving. Chichester: Wiley, 1991. [19] E. Lewis and G. Millar, “The Viable Governance [36] S. Beer, Brain of the firm. London: Allen Lane, Model - A Theoretical Model for the Governance 1972. of IT,” in 2009 42nd Hawaii International [37] S. Beer, The heart of enterprise. John Wiley & Conference on System Sciences, 2009, pp. 1–10. Sons, 1979. [20] R. Skeivys, “Governance of IT and cybernetics,” [38] S. Beer, Diagnosing the system for organizations. in Norbert Wiener in the 21st Century (21CW), West Sussex: John Wiley & Sons, 1985. 2016 IEEE Conference on, 2016, pp. 46–49. [39] S. Beer, Brain of the firm, second edition. [21] W. Van Grembergen and S. De Haes, Enterprise Chichester: John Wiley, 1981. Governance of Information Technology: Achieving [40] S. Beer, Cybernetics and Management. London: Strategic Alignment and Value. Springer, 2009. The English Universities Press, 1959. [22] R. Nolan and F. McFarlan, “Information [41] R. Anderton, “The need for formal development of technology and the board of directors,” Harv. Bus. the VSM,” in The Viable System Model: Rev., vol. 83, no. 10, p. 96–+, Oct. 2005. Interpretations and Applications of Stafford Beer’s [23] A. Prasad, P. Green, and J. Heales, “On IT VSM, R. Espejo and R. Harnden, Eds. John Wiley governance structures and their effectiveness in & Sons, 1989, pp. 39–50. collaborative organizational structures,” Int. J. [42] J. Mingers and L. White, “A review of the recent Account. Inf. Syst., vol. 13, no. 3, pp. 199–220, contribution of systems thinking to operational Sep. 2012. research and management science,” Eur. J. Oper. [24] S. De Haes and W. Van Grembergen, “An Res., vol. 207, no. 3, pp. 1147–1161, Dec. 2010. Exploratory Study into IT Governance [43] D. R. Shaw, B. Snowdon, C. P. Holland, P. Implementations and its Impact on Business/IT Kawalek, and B. Warboys, “The viable systems Alignment,” Inf. Syst. Manag., vol. 26, no. 2, pp. model applied to a smart network: the case of the 123–137, Apr. 2009. UK electricity market,” J. Inf. Technol., vol. 19, [25] R. Huang, R. W. Zmud, and R. L. Price, no. 4, pp. 270–280, Oct. 2004. “Influencing the effectiveness of IT governance [44] M. C. Jackson, Systems methodology for the practices through steering committees and management sciences. New York: Plenum Press, communication policies,” Eur. J. Inf. Syst., vol. 1991. 19, no. 3, pp. 288–302, Mar. 2010. [45] R. Espejo, “The VSM revisited,” in The Viable [26] C. V. Brown, “Examining the Emergence of System Model: Interpretations and Applications of Hybrid IS Governance Solutions: Evidence From a Stafford Beer’s VSM, R. Espejo and R. Harnden, Single Case Site,” Inf. Syst. Res., vol. 8, no. 1, pp. Eds. John Wiley & Sons, 1989, pp. 77–100. 69–94, Mar. 1997. [46] Y. A. Pollalis and N. K. Dimitriou, “Knowledge [27] V. Sambamurthy and R. Zmud, “Arrangements for management in virtual enterprises: A systemic Information Technology Governance: A Theory of multi-methodology towards the strategic use of Multiple Contingencies,” Management information,” Int. J. Inf. Manage., vol. 28, no. 4, Information Systems Quarterly, vol. 23, no. 2. pp. 305–321, Aug. 2008. 1999. [47] W. Ashby, An Introduction to Cybernetics. [28] C. V. Brown and J. S. Renwick, “Alignment of the London: Chapman & Hall, 1956. IS organization,” ACM SIGMIS Database, vol. 27, [48] R. Espejo and A. Gill, “The Viable System Model no. 4, pp. 25–33, Sep. 1996. as a Framework for Understanding [29] S. Ali and P. Green, “Effective information Organizations.” 1997. technology (IT) governance mechanisms: An IT [49] D. S. Preston and E. Karahanna, “Antecedents of outsourcing perspective,” Inf. Syst. Front., vol. 14, IS Strategic Alignment: A Nomological Network,”

Page 4889 Inf. Syst. Res., vol. 20, no. 2, pp. 159–179, Jun. 2009. [50] R. K. Yin, Case Study Research: Design and Methods, 5th edition. SAGE Publications, Inc., 2014.

Page 4890