Design Factors in Evaluating and Formulating IT Governance Systems in Public Organizations

The application of information technology (IT) by central and regional governments in public services is intended to efficiently and effectively improve performance and public services. However, many studies have shown the ineffective application of IT. In Gorontalo Province, this can be seen in the e-readiness value of Gorontalo Province as a prerequisite for successful IT implementation, which is still at 58.15 points, which means it is at a moderate level of readiness. This shows that implementing IT Governance in the local government of Gorontalo Province is still not optimal in terms of performance or public services. This study aims to identify the design factors that need to be considered when implementing IT Governance to achieve better public service performance. This study uses a quantitative approach based on a survey method. The results showed six models at Level 3: BAI06, BAI07, DSS01, DSS03, DSS04, and DSS05. In addition, four models were at level 4: APO12, APO13, BAI10, and DSS02. Levels 3 and 4 show that the IT governance capability of the Gorontalo provincial government in each model is still not optimal. This study recommends that the Gorontalo provincial government evaluate and formulate an effective IT Governance system by focusing on each model's IT Governance design factors to improve public service performance.


Introduction
IT Governance defines decision-making power and accountability structures to promote positive behavior in the use of information technology [1].IT Governance ensures that organizations use the best practices to organize, plan, purchase, deliver, maintain, and monitor their operations to achieve predefined objectives.However, IT Governance serves as a strategic engine for the company [2].According to Van Grembergen [3], IT governance is a managerial responsibility that controls the development and implementation of a company's strategy.Despite IT governance differences in some areas, Amali and Katili [4] emphasized fostering organizational coordination across businesses.
Ali et al. [5] stated that the various definitions of IT Governance emphasize the responsibility of executivelevel decision-makers in organizations.These definitions focus on aligning an organization's operations and technological portfolios.Weill and Ross [1] defined IT Governance as a framework for organizational decision-making that affects current and future strategies.The overall process ensures that organizational goals and objectives become an integral part of governance.
IT Governance aims to develop and ensure that the implementation of information technology fulfills set strategies by taking advantage of opportunities and controlling and reducing risks to maximize profits [6], [7].Entele [8] stated that institutions with ICT centers tend to succeed.Furthermore, according to McDonald [9], the corporate body can focus more on the organization's progressive needs by practicing good governance rather than wasting unnecessary expenses.Therefore, good governance determines the profitability of a company [1], [10].
Effective governance is crucial for organizations to generate tangible business benefits such as good reputation, trustworthiness, and reduced costs [11].This process also aims to enhance and ensure the effective use of IT resources to succeed in organizations [12].Hence, it is an option for future usage that can create value for the organization [13].According to Aven and Renn [14], a strategy for managing or governing risks is necessary to reduce various hazards associated with an organization's operations.To achieve their objectives, organizations must comprehend the concept, aspects involved in system design, execution, and the significance of governance.Amali et al. [15] reported the importance of understanding the IT Governance The application of IT in an organization's business processes is a valuable asset, and the role of IT can change employee performance [16].Further evaluation is needed to measure the effectiveness and success of organizations using IT [17], [18].Wanzer [19] stated that evaluation is the basis for implementing an effective plan capable of supplying essential knowledge and information for decision-making.IT resources must be appropriately used by organizations to accomplish their goals effectively.An evaluation's primary goal is to improve the knowledge available for decisionmaking and to help establish objectives for enhancing governance [20].According to Obuba [21], the assessment process is the cornerstone of effective management because it guarantees the accomplishment of strategic goals and provides an overview of the effectiveness and advantages of information technology for enterprises.
A preliminary study by Auditor-General South Africa [22] showed that implementing IT management does not produce good value, strategic enablers, support, or organizational risk assessment.Although IT Governance is a crucial topic in business, its precise role is unclear and frequently conflated with the tactical aspects of management.This misunderstanding is typically caused by people's limited opportunity to learn about the system design aspects at work [23].The pattern or design considerations suitable for an organization's governance system affect the success of effective governance within the system.Hence, it can complement an organization's strategic focus.
Based on the e-readiness assessment, there is no city/regency for a grade-A implementation process in the Gorontalo provincial government [24].The measurement results showed an average value of 58.15, along with grade C and the "Moderate" readiness level.Therefore, implementation readiness remains low and impacts public services by ensuring that governance is crucial and supports efficient use of resources and risk management.It also solves the problem and prioritizes organizational leadership as a determining element for successfully using information technology tools.
Preliminary studies [22], [24] identified that IT deployments were ineffective and resulted in unsatisfactory values.This shows that the implementation of IT has not been carried out by paying attention to IT governance design factors, both contextual and strategic.These factors are essential for determining the extent to which IT is implemented to an organization's needs [18].This also applies to the Gorontalo Province government, where, to date, no research has discussed the design factors of the governance system.Therefore, this research needs to be conducted to identify IT governance system design factors based on a study that identifies important factors from generic and variant perspectives in the core model and the application of its principles.This research will produce recommendations for design factor models suitable for local governments in Indonesia, especially the Gorontalo Provincial Government.
The design factor aims to determine an IT Governance system that fits an organization's needs and provides value.This includes organizational goals comprising contextual factors beyond size, geopolitical situations, and landscapes.Others have strategic design elements that reflect risk appetite as well as strategies based on resource models (outsourcing, cloud), methods (agile, DevOps), and preferred technology adoption (critical/current advantages) [18].Consequently, public organizations use this governance design component as a crucial topic to address the challenge of matching operational requirements for complex systems.For example, Curtis and Tonelli et al. stated that organizations fail to derive the strategic benefits needed for larger organizations without effective IT Governance [23], [25].

Research Methods
This is quantitative research with data collected through questionnaires and interviews with several stakeholders.This was carried out in the Gorontalo provincial government by comprehending the organizational objectives and strategic backdrop, establishing and refining the original scope, and finalizing the design of the governance system.The research questionnaire was distributed to 20 respondents.However, the questionnaire used had previously been tested on ten respondents whose results statistically showed that the instrument was valid and reliable.
To strengthen the results of the questionnaire, interviews were conducted with 4 (four) officials who had duties in the development of e-government and information technology in the government of Gorontalo Province, namely Head of the e-government Section, Head of Governance Division, Head of Infrastructure Division and Head of Application Development Division at the Office of Communication Information and Statistics of Gorontalo Province.Interviews were conducted to obtain data on IT governance activities and implementation in the Gorontalo Provincial government office environment.Furthermore, the data were analyzed using the COBIT 2019 Design Toolkit to confirm the design factors in evaluating and formulating the IT governance model.
One of the steps of the design factor is the organization's objective cascade, as shown in Figure 1.Enterprise Strategy, Risk Profile, Goals, and IT-related problems are the main variables of the governance system, and they are the only ones that can be evaluated in the IT Governance system, as illustrated in Figure 1.Four stages make up the assessment of design considerations, as shown in Figure 2. The first is to understand the context of the organization's strategy and goals, such as targets, risk profiles, and current ITrelated problems.Phases 2, 3, and 4 determine, refine, and conclude the scope of governance system design.

Results and Discussions
The results can help organizations design customized governance solutions by considering all the essential factors that fulfill the principles of dynamic governance systems.When one or more design factors are modified, the IT system's impact on enterprise governance becomes feasible and future-proof.While employing a set of design considerations as guidelines for altering and prioritizing governance system components, other principles are created to fit the demands of the business.

Enterprise Strategy
Table 1 shows that the value of Growth is four, which means that the organization's IT Governance system continues to strive for development.Overall, the availability of data center services, intracentral/local government agency networks, and the use of a central/local government agency service system has adequately supported the development of ICT.The value of innovation is also four, indicating that the organization's IT Governance system strives to provide the best service to the public, although it is still partially implemented.Public complaint services, open data, legal documentation, and information networks have provided evidence.The value of cost leadership is four because public organizations are obliged to serve the community with acceptable characteristics.Regarding service output, bureaucracy must ideally provide quality service products, specifically cost and service time, to make it easier for the user community to maintain operational excellence.Finally, the value of the client service is five because the organization focuses on providing community services.
Table 1 shows the form of the strategy carried out in the organization's business, especially in the local government of Gorontalo Province.This strategy relates to IT governance implementation issues that affect organizations.This strategy is developed in the organization by the leadership or management team of the organization, and the overall implementation of IT governance is properly fulfilled.

Enterprise Goals
Table 2 shows that the EG01-Portfolio of competitive products and services has an organizational target value of 4 from a financial perspective.This is because reforming bureaucratic governments aims to increase the quality of public services.
The quality provided is necessary for balancing the dynamics of an increasingly dynamic society.Therefore, public services in the Gorontalo Provincial Government will become more straightforward and competitive in the future.EG02-Managed business risk is four because bureaucratic reforms are significant.EG03-Compliance with external laws and regulations is five because the organization always complies with existing rules and regulations in a heavily regulated field with substantial risk, assuming it does not comply with government rules and regulations.Meanwhile, the EG04-Quality of financial information is four because the organization focuses on cost savings, efficiency, and service time to ease the user community.
The value of organizational goals from the customer perspective for the EG05-Customer-oriented service culture is five because the organization needs to provide maximum service quality to the community.Furthermore, EG06-Business-service continuity and availability are five, which means that business continuity is required to support public service activities and to implement the government system.Finally, EG07-Quality of management information is four because the organization focuses on improving public services, which runs with information security and risk management implementation.Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi) Vol.For EG08-Optimization of internal business process functionality-the value of organizational goals is four, and planning creates the functionality of the business processes through the governance system plan map.EG09-Optimization of business process costs is five, focusing on optimization and cost efficiency without compromising the quality of public services.Furthermore, EG10-Staff skills, motivation, and productivity, focusing on human resources to provide good public services, should have the ability, skills, and work motivation.Finally, EG11-Compliance with internal policies is also 5, where all organizational policies follow those of the Gorontalo provincial government.The value of organizational goals from a growth perspective for EG12-Managed digital transformation programs was 5.The organization continues to develop strategies for implementing digital technology for its activities or business processes.There are five EG13-Product and business innovation is five, where the organization tries to be more responsive to changes and environmental demands.Consequently, innovation continues to grow by conceiving, developing, and implementing new concepts that can bring about improved benefits such as lower costs, more efficiency, and more effective services.
Table 2 shows that an organization aims to align its business and IT strategies.These results clarify that the Gorontalo Provincial Government continues to develop digital transformation strategies that present opportunities for value creation.The local government of Gorontalo Province can effectively manage IT risks and ensure that activities related to information and technology align with the organization's overall business objectives.

Risk Profile
It is crucial to balance IT's role and development of IT, particularly when implementing e-government, as Table 3 contains eight risk scenario categories for maintenance, portfolio definition, and investment decision-making.Furthermore, life cycle management programs and projects have a risk rating of 12 because many large programs, such as digital infrastructure, government, economy, and society, are implemented as policies to promote digitization.Therefore, the likelihood and impact of this risk scenario are 3 and 4, respectively, with IT cost and oversight having a risk rating of 6 because of high maintenance costs.Finally, IT expertise, skills, and behavior have a risk rating of 12 because the organization lacks reliable personnel/HR in this field; hence, the impact and likelihood of this risk scenario are three and four, respectively.
The enterprise architecture has a risk rating of six because organizations need to provide adequate security controls to protect information assets from various levels of risk, according to the SNI ISO/IEC 27001.IT operational infrastructure incidents have a risk rating of 10 because errors sometimes occur, which must be repaired quickly to provide a good service to the community.Therefore, the impact of this risk scenario was five, with a likelihood of two, indicating inadequacy.Unauthorized actions have a risk rating of 16, with an effect of 4 on the data and assets owned.Software adoption problems have a risk rating of 12 and an impact of 4 because the total adaptation percentage is still widely used and has slowly shifted to open sources.Finally, hardware incidents have a risk rating of 10 because their impact on business processes in the form of public services is enormous 5.
Software failure risk rating of 12 because of information, logical, and syntactic mistakes.Because logical attacks, such as hacking and malware, significantly impact an organization's information assets and data security, they have a risk rating of Industrial action has a risk rating of nine because the possibility of the organization promoting and strengthening communication, coordination, and collaboration between supervision and industrial relations is high.Acts of nature also have a risk rating of nine because of frequent natural earthquakes that cause local disturbances to the global network connections.Technology-based innovation has a risk rating of nine because it minimizes costs, whereas infrastructure preparation requires significant money.The environment has a risk rating of nine because work culture promotes digitization in the government sector.Hence, mastery of IT is a demand needed by the organization.Finally, data and information management have a risk rating of 16 because the organization requires a commitment, specifically from the team involved in the scope approved by the management regarding its implementation.
Table 3 presents a risk profile assessment consisting of the type, amount, and priority of information risks considered acceptable and unacceptable to the organization, especially the local government of Gorontalo Province.This assessment is important, as it provides an evaluation for organizations to improve the efficiency and effectiveness of public services; therefore, transparency is a key aspect for the success and implementation of organizational risk profiles.

IT-Related Issues
According to two problems.Among other issues, a high degree of end-user computing generates a lack of monitoring and quality control over programs being created and implemented.These two concerns are of particular importance and problematic.End-user computing, which frequently results from dissatisfaction with IT solutions and services, is important, as it indicates no problems.This is related to the business departments implementing their information solutions with little or no involvement in the enterprise IT department.The importance of disobeying privacy laws is 1, which indicates that there are no issues.The inability to use or develop new technologies through I&T poses three crucial problems.Table 4 shows that several IT problems should be identified and solved by the local government of Gorontalo Province, as these problems can negatively impact the organization's growth and increase costs.These IT issues could include poor Internet connectivity or system vulnerabilities that could halt an organization's operations.Therefore, it is necessary to take a proactive approach to understand and prepare for such issues.The frustration between different IT entities across the organization because of a perception of low contribution to business value 1 2 The frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or perception of low contribution to business value 1 2 Significant I&T-related incidents, such as data loss, security breaches, project failure, and application errors, linked to IT The gap between business and technical knowledge leads to business users and information and/or technology specialists speaking different languages 1 2 Regular issues with data quality and integration of data across various sources 2 2 High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put into operation 2 2 Business departments implement their information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services) Ignorance of and/or non-compliance with privacy regulations 1 2 Inability to exploit new technologies or innovate using I&T 1 2

Result of IT Governance System Design Factors
These results explain that the resulting core model design provides a customized governance solution for I&T organizations, especially the Gorontalo provincial government, by considering all the important factors (design factors).Every time a design factor changes (e.g., changes in strategy or technology), the impact of these changes on Enterprise Governance of IT (EGIT) systems must be considered.A dynamic view of EGIT can lead to viable, future-proof EGIT systems.An effective governance system must be tailored to an organization's needs using a series of design factors to adjust and prioritize IT governance system components.Therefore, the Gorontalo provincial government should start with the resulting core model and implement changes to the general framework based on the relevance and importance of the set of design factors for the design of the IT governance system.
The resulting system capability level indicates that the Gorontalo Provincial government needs to understand its organizational context and strategy based on IT governance system design factors.Therefore, the organization needs to determine the scope of the IT governance system and establish its capability level.In this case, the organization must resolve inherent priority conflicts between governance and management objectives, establish target processes for each objective, and conclude the governance system design.
In this study, the target capability level was set at a higher value (3 or 4); that is, any governance objective that scores 75 or higher indicates that its importance is 75% higher than the benchmark situation, a governance objective that scores 50 or higher requires a proficiency level of 3, any governance/management objective with a score ≥ 25 requires a proficiency level of 2, and any governance/management objective with a score <25 requires a proficiency level of 1.
Figure 3 and Table 5 present enterprise strategy, risk profile, goals, and IT-related concerns connected to the governance system architecture.The resulting technology governance system design is a process or core model with the recommended priority and capability levels.For example, governance with a score or priority above 75, 50, 25, or less than 25 requires four, three, two, and one capability levels, respectively.Based on these findings, organizations need to consider the following basic models with competency levels 3 and 4: BAI06 is related to managing changes in IT, namely, the need for quick and reliable delivery of business changes and reducing the risk of adverse effects on the integrity or stability of an organization's ever-changing and developing environment.BAI07 manages IT change acceptance and transition through agreed-upon expectations and results, such as the need to implement solutions safely.According to this plan, DSS01 (managed operations) provides operational IT products and services.DSS03 is related to problem management, namely, the need to improve services, increase client happiness and ease by minimizing operational issues, and, as part of problem-solving, determine root causes.DSS04 is related to managed continuity; we must quickly adapt to changing business operations and maintain the availability of resources and information in significant disruptions such as threats, opportunities, and requests.DSS05 manages security services by reducing the adverse effects of operational information security flaws and incidents on the organization.APO12 is associated with risk management, and we need to integrate IT-related organizational risk management with overall organizational risk management, balance the benefits and costs, and continually reduce the frequency and impact of information security incidents.APO13 is Muhammad Rifai Katili, Lanto Ningrayati Amali, Sitti Suhada Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi) Vol.related to security management and includes maintaining the frequency and effect of information security incidents within an organization's risk tolerance.BAI10 is related to configuration management and provides sufficient details regarding service assets to enable efficient management.We need to evaluate the impact of changes in handling service incidents.DSS02, which is related to service requests and incident management, namely productivity, must be increased.Disruptions are minimized through fastresolving user inquiries and incidents, and responding to incidents by resolving user requests and restoring services.

Conclusion
In conclusion, an IT governance system must support the digital transformation process to control the risks and ensure that organizational resources can be used according to needs.Organizations need to collectively consider Enterprise Strategy, Enterprise Goals, Risk Profile, and IT-related issues when adjusting governance systems to realize the most value from the use of IT.This means that organizations must start from the core model to implement changes in relevance and are essential for local governments.The results show that organizations need to pay attention to core models with capability levels 3 and 4, namely, BAI06, BAI07, DSS01, DSS03, DSS04, DSS05, APO12, APO13, BAI10, and DSS02, which are recommended for implementation by local government organizations.This core model is a component that is modified in such a way as to aim for changes that need to be made to manage IT changes, acceptance and transitioning operations and problems, continuity and security services, risk and configuration, and service requests and incidents.With these results, further research related to the measurement and analysis of design factors on other variant components, such as compliance requirements, the role of IT, and enterprise size, is needed.

Figure 1 .
Figure 1.Design Factors Include any Combination

Figure 2 .
Figure 2. Governance System Design Workflow

Figure 3 .
Figure 3. Design Governance and Management Objectives Importance

Table 1 .
Enterprise Strategy's Importance as a Design Factor

Table 2 .
Design Factor Importance of Each Enterprise Goal

Table 3 .
IT Risk Scenario Category Design Factor Risk Rating

Table 5 .
IT Governance and Management Design Summary