Managing In-Company IT Standardization: A Design Theory

Today’s companies rely heavily on in-company information technology standards (ICITS) to reduce costs, ensure flexibility, and facilitate the planning, implementation, and operation of IT systems. Steering and managing ICITS has proven to be challenging, revealing the need for efficient governance mechanisms. But even though prior research demonstrates the challenges of ICITS, viable advice on how to implement ICITS is scarce. In this paper, we develop an organizational design theory for the management of ICITS based on the framework of organizational control theory. We conducted a critical case study to identify basic goals, constitutive elements, and fundamental mechanisms of a working ICITS management. The resulting design goals and principles were then evaluated and further refined in the light of additional expert interviews. With our work, we wish to extend the body of theoretical knowledge on the management of ICITS and help practitioners master the various challenges occurring in this domain.


Introduction
Standardization has become an established approach for organizations to coordinate and organize their resources and processes to ensure product and service quality and to raise work efficiency (Choi et al., 2019; Kondo, 2000; Wüllenweber et al., 2008). Companies operating worldwide in particular rely heavily on standards to leverage economies of scale through uniform business processes. Thus, it is not surprising that most information technology (IT) departments also pursue standardization (Curran, 2010). The objects of standardization include network technologies, operating systems, database systems, applications, or IT management processes. The importance of in-company standards for IT departments has increased steadily over time, due to the growth and increasing costs of IT in almost all departments in large organizations. Also, the implementation of automated and standardized processes can help to reduce the complexity of technological environments, resulting in better control of costs (Foorthuis et al., 2016). A survey by the Boston Consulting Group indicates that organizations with a well-standardized IT infrastructure can decrease IT infrastructure costs by 15% and overall IT costs by 33%. Another survey of IT leaders from across the world finds that they rate in-company IT standards (ICITS) as one of the three most valuable activities in their companies (Curran, 2010). While the academic discourse mainly refers to terms like IS company standards (van Wessel et al., 2005) or corporate IT standardization (van Wessel, 2010), ICITS can be applied at different levels and organizational units within companies. They can apply to a company as a whole or only to certain parts of it, e.g., in the case of larger corporations. For this reason, we use the terms company and organization interchangeably in this article.

The implementation of ICITS is a costly endeavor involving activities such as the identification of areas that require standardization, the specification and documentation of standards, their approval, the training of staff, the monitoring of their usage, and the resultant reporting. Non-compliance is a major risk when implementing ICITS and it may affect an organization very negatively. Non-compliance prevents ICITS from having positive effects on the complexity of IT architectures and processes. This in turn means that intended cost savings cannot be realized. In addition, responsible managers lose credibility and respect due to their failure to enforce ICITS. Eventually, IT staff may be negatively impacted in terms of morale and commitment. Organizations therefore try their best to enforce compliance with organizational IT standards, but often without success. While reliable data on non-compliance with organizational IT standards is generally difficult to obtain, some data suggests that more than 50% of employees use certain IT components without approval of their respective IT departments (Silic, 2015). Herath and Rao (2009) state that employees' negligence and non-compliance are often responsible for failing security policies. Prior research suggests that this adoption problem is multifaceted with causes on both the individual and organizational level (Emmerich et al., 1999; Liang et al., 2012). While these causes are increasingly well understood and documented through models of ICITS success and adoption (Müller et al., 2015), practitioners and researchers alike still struggle to find the right approach to successfully manage ICITS.
Despite the practical importance of ICITS, little, and rather fragmented, research has been carried out on standards within organizations' IT departments so far (De Vries et al., 2006; van Wessel et al., 2005). Besides the richer body of knowledge on non-organizational, industry-related IT standards, such as standards set by international consortia and official bodies (e.g. ISO norms, government standards) (Backhouse et al., 2006; Schmidt & Werle, 1998), only few studies investigate aspects of ICITS. Managerial recommendations are also fragmentary and isolated, making it difficult to understand and anticipate which set of managerial approaches can lead to a sustainable and successful standardization initiative. Moreover, such recommendations often lack theoretical underpinnings and justification.
We address this gap by proposing an organizational design theory describing the constituent elements and mechanisms of an effective and efficient management of ICITS. Design theories in Information Systems are prescriptive theories that integrate different aspects into design paths with the goal to design a process that is more effective and feasible (Ngai et al., 2009; Walls et al., 1992). Our theory includes fundamental design goals, basic ICITS management principles, and explanations (in the form of propositions) of how these principles lead to the attainment of the aforementioned goals. The theory thereby offers researchers a more comprehensive understanding of how ICITS can unfold their potential. At the same time, it serves as a guideline for practitioners in their endeavor to implement ICITS.
We conceptualize the problem of ICITS management as a process of planning and controlling activities enforcing compliant behavior of IT staff, so that ICITS are actually used in a beneficial manner. Accordingly, we chose organizational control theory (OCT) (Ouchi, 1978, 1979, 1980) for our problem analysis and as a theoretical foundation of subsequent design activities. OCT allows us to capture the domain of ICITS as a control problem where individual behavior needs to be aligned so that organizational and individual goals match and desired behavior is enforced. As the reasons for deviant behavior and low adoption rates in the area of ICITS can be diverse (Chua et al., 2014; Dittes et al., 2015) and many of these reasons are not yet well understood, we decided to first explore the problem in more depth before developing our design theory. Therefore, we started with a critical interview study that allowed us to understand the multifaceted phenomenon of ICITS. Based on the insights gained from this interview study, we developed a first version of our design theory, which was later evaluated and refined through a series of interviews with subject-matter experts from different companies and industries.
The remainder of this paper is structured as follows. Section 2 presents related work on ICITS, conceptualizes ICITS as an organizational control problem, and describes how OCT was used as a theoretical lens for our work. Section 3 outlines the research method applied and describes the critical case we used for exploring the problem. In Sect. 4, we present our design theory and in Sect. 5, we present the results of its evaluation. In Sect. 6, we discuss our findings, summarize the paper, and give an outlook on future research.

In-Company IT Standardization as an Organizational Control Process
Following Dittes et al. (2015), we define an ICITS as any formal rule or guideline within organizations based on a clear motivation aimed at harmonizing tangible and intangible objects related to or consisting of information technology within that organization. Van Wessel (2010) defines three abstract domains for ICITS: technological standards (e.g. standards determining the brand and type of servers in data centers), data standards (e.g. specific data structures and their semantics), and process standards (e.g. security guidelines or project management processes). While these domains differ significantly in terms of their content, their management is fairly similar. They all require the same activities such as definition, approval, communication, use, monitoring, and maintenance. Moreover, they all offer a significant potential for complexity and cost reduction, because low degrees of standardization lead to a need for more staff with specific knowledge and more specific operational and management processes, e.g., in the case of operating systems for installing security patches, running backups, updating the systems etc. Independent from these domains, ICITS may further be categorized according to their form.
In this sense, ICITS may occur as: a) a reference to external standards (e.g. ISO norms or standard software) adopted by the organization, b) a modified version of an external standard, c) a subset of an external standard, d) a reproduction of (parts of) other external documents, or e) a self-written standard (De Vries, 1999, p. 231). The implementation of ICITS is often more difficult than companies expect, as revealed by reports about failed implementation attempts or significant problems when it comes to actually benefitting from implemented IT standards (Jun & Cai, 2003; Zhu & Fu, 2009). ICITS often come along with great uncertainties regarding their costs and benefits and thereby also with uncertainties regarding adequate planning and control strategies (Weitzel, 2003, p. 64). One traditional problem facing standardization and standards usage in organizations is that of demonstrating its contribution to the organization's overall success (Hesser & Inklaar, 1998). This issue naturally results in motivational barriers. Accordingly, studies indicate that many ICITS efforts often fail due to low acceptance rates among staff, and that adherence to the relevant standards tends to be superficial (Russo et al., 1996). As stated by Bird (1998), companies' standardization efforts often leave too much room for employees to use non-standard components, emphasizing the importance of a proper enforcement of ICITS. Given these motivational, planning and controlling challenges, we argue that ICITS can best be conceptualized as an organizational control problem. Organizational control theory is particularly well-suited for capturing the phenomenon of ICITS because ICITS failures are an immediate result of a misalignment of organizational (ICITS) goals and individual usage behaviour. A working management of ICITS must avoid deviant usage behaviour and foster higher ICITS adoption rates.
The problem of misaligned goals and behavioural patterns has long been explored in academic research. Given the insight that organizations' and their employees' goals partially diverge (Barnard, 1968), it has been regarded as worth investigating how to effectively direct individuals' efforts towards organizational goals (Flamholtz, 1983). Throughout this paper, the term "organizational control" shall denote "mechanisms (both processes and techniques) designed to increase the probability that people will behave in ways that lead to the attainment of organizational objectives." (Flamholtz et al., 1985, p. 38).
Organizational control has traditionally been divided into three types: formal outcome control, formal behavior control, and informal clan control (Ouchi, 1978, 1979, 1980). Formal control is realized through formal mechanisms, including project plans, test protocols, and reports. In contrast, informal control works through social events, social norms, and peer pressure (Kirsch, 2004, p. 378). In the case of ICITS, tasks are usually very clearly specified through process guidelines, handbooks specifying the standards, etc., which suggests that formal control mechanisms are most suitable in this case.
Individual control types are usually not used in isolation. Rather, they tend to be combined to achieve complex goals (Tiwana, 2010; Turner & Makhija, 2006), while showing significant synergy effects (Cardinal et al., 2004; Kirsch, 1996). Accordingly, the analysis and evaluation of different control types should be done collectively to avoid conflicts that may weaken the desired effect (Kirsch, 2004; Tiwana, 2010). Flamholtz et al.'s (1985, p. 38) integrative framework (a modified version of which is depicted in Fig. 1) is not only one of the most influential models of organizational control, but it is also among the few frameworks that consider the above-mentioned insights by integrating several control types.
As depicted in Fig. 1, the framework describes a core control system surrounded by a control context, consisting of organizational structure, culture, and the organization's external environment. While the core control system is supposed to provide control mechanisms to directly influence the employees' behavior, the control context contains mechanisms with indirect control functions (Flamholtz et al., 1985, p. 38). Corresponding to the fact that this model focuses on the control of human agents rather than of machine processes, the operational subsystem at the center of the core control process comprises "human systems within an organization, at the individual, group and organizational levels of analysis" (Flamholtz et al., 1985, p. 38). The processes illustrated by the arrows in Fig. 1 can be summarized as follows: First, the planning component generates standards that are communicated to the operational subsystem and form the basis of an evaluation-reward mechanism. Adherence to these standards is monitored and measured, leading to advice on corrective action for the operational subsystem and generating input for the execution of the evaluation-reward mechanism. The feedback provided to the operational subsystem is also fed back to the planning component for adjustment of generated standards. The elements of the control context can have a facilitating or an inhibiting influence on the core control system's effectiveness, depending on whether the configurations of the contextual component provide an environment conducive to the communication, acceptance, and monitoring of ICITS. For instance, given appropriate context configurations, organizational control has even been found to potentially strengthen employees' trust in the organization, contrary to what had been suggested in previous literature, thus enhancing employee performance not only directly through forms of coercion, but also indirectly through enhanced trust (Verburg et al., 2018).
The organizational culture element also influences the extent to which the core control mechanisms are realized in terms of formal behavior control or informal clan control.
In the remainder of this paper, we take Flamholtz's framework as premise and conceptual foundation for our design theory of the management of ICITS.

Research Method
Prior literature on ICITS reports on successful ICITS management in different firms that varies significantly in terms of processes, structures and policies. Therefore, we posit that there is no general ICITS approach for all firms. Instead, our research is built on the presupposition that there are general, crucial characteristics of ICITS implementations shared across different IT organizations. For this reason, our theoretical model will offer guidelines to practitioners for the design of their ICITS while leaving enough room for firm-specific adaptations.
In doing so, our research includes the following core components of an information systems design theory: To specify the (1) purpose and scope of our design theory, we clearly defined a set of four design goals as the boundaries of our work. These goals capture the specific organizational challenges of ICITS and how these translate into specific desired end states. Thereby, we abstract from a narrow, idiosyncratic problem and refer to a class of problems the design theory can solve. (2) Principles of form and function define how solutions based on the design theory work. They describe an abstract architecture for solving a class of problems. We describe eight design principles for successful ICITS management, which are consistent with OCT's core propositions.
(3) The design principles are supported by testable propositions. These propositions are truth statements about the theory and can be tested against their validity on instantiation of the solution artifact. We formulate fourteen testable propositions for our ICITS approach that basically link design principles to design goals, thus explaining how the design theory is supposed to address ICITS related challenges. (4) Finally, justificatory knowledge refers to kernel theories underlying the design theory. This knowledge is relevant with respect to the understanding of the design of an artifact and its working. In our case, we use OCT as a kernel theory informing our design.
Our research was conducted in three phases that allowed us to (1) identify challenges and design goals for a successful ICITS management by means of an exploratory interview study (see Sect. 3.1 for details), (2) develop a design theory for ICITS management, consisting of design principles and corresponding testable propositions, based on the design goals identified in phase 1 and an analysis of relevant ICITS literature, and (3) evaluate the design theory through a round of confirmatory expert interviews (see Sect. 3.2 for details).
Figure: Analytical framework for this study derived from organizational control theory (based on Flamholtz et al., 1985)

The Case of a Large Automotive Manufacturer
While the difficulties of implementing successful ICITS have often been stressed in the literature, little is known about the detailed intricacies of this problem. In order to deepen our knowledge on the specific causes of ICITS success and failure, the first phase of our research consisted of a case study of a large automotive manufacturer from Germany. This critical case was chosen because it displays a very complex IT/IS architecture with thousands of IT infrastructure elements, applications and processes. Moreover, it was complex in terms of organization and governance with a highly distributed IT organization dispersed over multiple countries, legal entities and organizational units. Not surprisingly, ICITS is a major challenge for this organization. Several far-reaching ICITS initiatives cover large parts of the enterprise architecture. Some of them were successful, some of them were partially successful and some of them may be considered a failure. Therefore, studying this firm allowed us to compare different embedded cases, which gives us the opportunity to distinguish successful managerial practices from less successful ones.
In this case study, we conducted 11 interviews with professionals from the organization's IT departments at different levels of hierarchy (Table 1). The interviews took 45 to 60 min each and were conducted in German. Minutes were taken, and important quotes and statements were written down. As proposed by Weston et al. (2001), the interview minutes were reviewed by the interviewees to avoid a wrong or incomplete description of the interview content. After the interviewees had confirmed their interview statements, all statements and quotes relevant to ICITS challenges were stored in a database for the purpose of coding and categorization. Based on an in-depth analysis of the coded interviews, we identified six core challenges for IT standardization. We then generalized these findings to derive a set of four design goals (Sect. 4.1). These design goals define the purpose and scope of our design theory. Based on the developed design goals, OCT, and relevant further literature, we went on to develop a set of design principles and formulated corresponding testable propositions.

Evaluation
In the final phase, we evaluated our design theory in a confirmatory interview round with subject-matter experts from practice. In this round, we reached out to 126 experts that we identified through personal and professional networks (e.g. XING). The acquisition through professional networks was based on several keyword searches. We targeted professionals with job descriptions including the terms IT standardization, IT architecture or IT governance. Additionally, for the purpose of the design theory, we exclusively focused on experts from companies of middle to large size. We conducted telephone interviews with seven of these experts after which results converged and no further insights could be generated ("theoretical saturation"). These participants have a work background in several different industries. All of them are currently employed in either middle or top management positions. Table 2 shows some detailed information about the participants.
The interviews lasted approximately 40 to 60 min each and started with exploratory, open-ended questions on major challenges and success factors of ICITS as well as current ICITS practices in the expert's organization. We then presented the participants with the design goals and asked them for an evaluation, using a five-point Likert scale measuring the participants' degree of agreement with each design goal. We repeated this process for the design principles and testable propositions.
Table (continued):
IT architect | Supportive role in several standardization projects in the past
9 | IT architect | Experience with the development, implementation, and acceptance of architecture standards as consultant and committee leader
10 | IT architecture manager | No active involvement in IT standardization projects yet, only passive experience
11 | Enterprise architecture manager | Supportive role in standardization projects and manager of standardization processes
We concluded with open-ended questions on strengths and weaknesses of the current design as well as on the participants' personal and professional background. Furthermore, in each section, participants were given the chance to suggest further design goals, design principles, testable propositions, and add comments. As in the exploratory interview round, the transcripts were recorded, transcribed and reviewed by the interviewees to avoid wrong or incomplete descriptions of the interview content, and after that, all relevant quotes from the sections involving open-ended questions were collected in a database, coded, and categorized. The results of the analysis of the coded quotes will be presented in Sect. 5.

Design Theory
In the following, we will discuss our design theory's final components, ground them in OCT and illustrate them with narratives from our critical case and quotes from our interviews with subject-matter experts. The purpose and scope of our design theory is specified in Sect. 4.1. Principles of form and function and the corresponding testable propositions are presented in Sect. 4.2.

Boundaries and Design Goals
The purpose of our design theory is to help organizations to successfully implement ICITS through an effective management approach. Our approach is applicable within the boundaries of medium to large companies with medium to high complexity IT/IS landscapes. We explicitly exclude smaller organizations and less complex IT/IS architectures for two reasons. First, in smaller organizations, the degree of division of labor and specialization is usually lower, which requires less complex role models and processes. For instance, in smaller organizations it will be hard to install dedicated ICITS managers or establish complex lifecycle models of ICITS. Second, certain challenges are more prevalent with more complex architectures. For instance, the problem of architectural transparency is a lot less relevant for simple architectures. Consequently, ICITS management in the context of complex architectures requires more processes for establishing transparency and monitoring progress. Along similar lines, our design theory's applicability is restricted to organizations that display a certain level of IT management maturity. In particular, we assume that organizations have (a) a working and to some extent standardized project management, (b) a working enterprise architecture management (EAM) that provides a minimum of architectural transparency and control, and (c) an established governance framework the ICITS management can be built on. Within the framework of these boundary conditions, our design theory is supposed to address four different design goals (Table 3) that have been identified through our empirical work. In the following, these design goals as well as some central factors hindering their achievement will be introduced with references to representative points from our first round of interviews.
One of the most frequently mentioned reasons why companies promote standardization initiatives is the reduction of IT costs. Cost reductions are expected due to a reduction of the number of IT staff, the reduction of the number of necessary licenses, and the advantage resulting from a stronger position towards suppliers, namely, scale effects resulting from the reduction of ordered products. Accordingly, a study by the Boston Consulting Group also shows that standardizing organizational IT can decrease IT infrastructure costs by up to 33%. However, the goal of cost reduction was generally perceived not to be reached yet. Rather, poor communication of and adherence to standards have so far resulted in project delays, as finished systems that turned out not to meet certain standards could not be handed over to the organization. A further goal of IT standardization is increasing organizational flexibility by significantly decreasing the introduction effort for new applications. As Tiwana and Konsynski (2010) point out: "Paradoxically […] rigidity in IT architectures (e.g. standardization to increase modularity) increases IT agility" (p. 299). However, as noted by some interviewees, agility through standards can only be properly realized if the standards themselves can be quickly adjusted to market dynamics. Accordingly, the need was expressed for faster cycles of standard definition and introduction.
Another major goal of IT standardization is reducing IT complexity due to less hardware and software heterogeneity and lower maintenance and support effort, resulting in better IT manageability and controllability. As Boh and Yellin (2006) maintain: "By standardizing across different technologies, vendors, platforms, and application architectures, organizations can potentially reduce the complexity of their operations, control the number of skills required to maintain their IT systems […]" (p. 166). Furthermore, ICITS were generally perceived to foster fail-safety due to a higher validation of systems, and troubleshooting as well as various other kinds of changes were reported as considerably easier.
Lastly, IT standardization aims to improve the quality of IT services by reducing the number of errors during implementation and utilization of new software. Additionally, it significantly fosters customer satisfaction. In fact, a successful mapping of customer requirements on ICITS was frequently mentioned both as one of the major goals of ICITS and as a criterion for the success of ICITS implementation. However, a tendency to accommodate customer wishes at all costs was also perceived as an inhibitory factor by some.

Design Principles and Testable Propositions
In this sub-section, we present and explain the principles of form and function of our design theory (Table 4). For each principle, we specify the design goals the respective principle aims at and derive corresponding testable propositions.

Design Principle 1: Establish Dedicated Steering and Monitoring of ICITS
OCT teaches us that observing ICITS adoption (not necessarily individual behavior) and measuring ICITS outcome will likely have a positive impact on individuals' compliant behavior (OCT construct Measurement). Moreover, this monitoring is the basis for any form of deviance analysis and definition of counteractions. As a formal control mechanism, monitoring can be time-consuming and complicated as data has to be collected, analyzed, and conclusions have to be drawn. While some required data collection can certainly be automated, some may not. Given the fact that medium to large IT organizations often maintain dozens (if not hundreds) of different ICITS for IT infrastructure, applications, and processes, we conclude that a dedicated organizational instance should be responsible for steering and monitoring activities. We therefore propose:
DP1. There is a structural element within the organization that is responsible for steering and monitoring (the usage of) ICITS.
Dedicated ICITS steering and monitoring presumably allows for controlling key standardization aspects such as cost-benefit relation, standard diffusion, and standard adoption. DP1 therefore directly aims at DG3 (enhanced IT manageability and controllability). Furthermore, dedicated ICITS steering and monitoring is expected to allow monitoring the behavior of users of standards and to reveal critical areas which require action. DP1 therefore also directly aims at DG4 (improved quality of IT services). Accordingly, we formulate the following testable propositions for DP1:
TP1a. Dedicated ICITS steering and monitoring improve IT manageability and controllability.
TP1b. Dedicated ICITS steering and monitoring improve the quality of IT services.

DP2. Introduce a Standard Lifecycle Concept
Advanced organizations ensure that standards are regularly checked in terms of up-to-dateness. ICITS that are no longer current or useful are discontinued and eventually removed from the ICITS catalogue. From the perspective of OCT this represents a reaction to changing environmental conditions and requires regular planning and adjustment of goals (OCT constructs External Environment, Planning). We therefore posit that ICITS run through a series of lifecycle phases:

DP2. The management of ICITS is based on a structured lifecycle model that describes ICITS' phases from initiation to shutdown.
In the ICITS context, we distinguish four phases of a standard lifecycle based on Dittes et al. (2014, p. 36). In the first phase, a standard is initiated, conceptualized and approved. In the second phase, the standard is introduced, and IT staff is prepared to use it. During this phase, benefit communication and convincing users as well as stakeholders are pivotal. During the next phase, the ICITS is used by IT staff. At the same time, utilization is monitored and, if necessary, audits are carried out to enforce compliance. Support and maintenance might also be necessary. The discontinuation and shutdown phase includes information of IT staff as well as the initiation of subsequent ICITS that can replace the discontinued standard. Here, responsible roles might start a new ICITS development process.
Introducing a lifecycle concept can not only ensure that the maintenance and discontinuation of standards are taken seriously. It also serves as a general framework for the management of ICITS. Moreover, a lifecycle concept is expected to ensure a consistent management of ICITS, thus increasing general transparency, which eventually allows managers to better oversee ICITS. DP2 is therefore directed at DG3 (enhanced IT manageability and controllability), and we posit the following testable proposition:
TP2. Introducing a standard lifecycle concept improves IT manageability and controllability.

DP3. Link Individual and Organizational Goals
As already outlined earlier, a key hindrance for ICITS success is the lack of acceptance of ICITS by IT staff. OCT suggests that such a lack of motivation to pursue organizational goals can be alleviated through aligning them with individual goals, e.g. through rewards and/or other mechanisms (OCT construct Evaluation-Reward). Management by objectives (MBO) allows for passing goals down the organizational hierarchy and motivates employees to reach business goals as they become linked to their own (Bell, 1980, p. 20). MBO further increases awareness for business objectives and improves results and communicative performance (Shetty & Carlisle, 1974, p. 159). Münstermann et al. (2010) further identify incentives as a key instrument in reaching ICITS success. To support a standard-oriented management by objectives approach, we thereby propose the implementation of an incentive system for standard users, including positive and negative sanction mechanisms: Positive sanctions should be used to encourage specific user behavior. In practice, positive sanctions may simply be not using negative sanctions. Negative sanctions should increase the individual cost of deviant behavior. Noncompliance with IT standards should be possible but only at exceedingly high individual costs. Such an incentive system supports the implementation of control mechanisms to reveal critical compliance issues and help to initiate countermeasures. Thus, we posit:

DP3. Incentives and sanctions for the utilization of/noncompliance with ICITS are defined, communicated, and applied.
We expect such incentives and sanctions to increase acceptance rate and adoption, which is a necessary precondition for ICITS to unfold their potential. Beyond this, incentives and sanctions make it easier for responsible managers to enforce compliance thus making it easier and less effortful to manage and control standards. DP3 thereby promotes DG3 (enhanced IT manageability and controllability). Standard-oriented MBO is further expected to counteract employees' deviant behavior towards ICITS. DP3 thus also promotes DG4 (improved quality of IT services). We therefore formulate the following testable propositions:

TP3a. Linking individual and organizational goals improves IT manageability and controllability.
TP3b. Linking individual and organizational goals improves the quality of IT services.

DP4. Anticipate Technical Change and Handle it Quickly
Because IT standards are subject to constant technical change (Hanseth & Braa, 2001), organizations need to make a continuous effort to maintain the technical usefulness and integrity of an IT standard throughout its lifecycle. Moreover, changes regarding an IT standard induce further changes in its environment (Allen et al., 2013; Hanseth & Braa, 2001). This requires supervision of the standard itself and its technical environment. Another aspect related to technical change management is system up-to-dateness. Organizations need to constantly challenge the task-technology fit of IT standards.
The literature on task-technology fit and technology acceptance suggests that task performance is influenced by the degree to which technology appropriately meets the task's requirements and the user's demands (Goodhue, 1995; Venkatesh & Davis, 2000; Zigurs & Buckland, 1998). We thus posit:

DP4. Technical change resulting in the need for an update of ICITS is anticipated and handled quickly.
Anticipating technical change and handling it quickly is expected to reduce the response time for technical change management. DP4 thereby aims at DG2 (increased organizational flexibility). Furthermore, anticipating technical change and handling it quickly presumably reduces the cost and effort of technical change management. DP4 thus promotes DG3 (enhanced IT manageability and controllability). We therefore formulate the following testable propositions:

TP4a. Quickly anticipating and handling technical change leads to higher organizational flexibility.
TP4b. Anticipating and handling technical change improves IT manageability and controllability.

DP5. Push all Relevant Information to the Users
An open communication culture in which knowledge is made available to users has positive impacts on individual productivity (Andres & Zmud, 2002, p. 62). Along similar lines, OCT stresses the role of culture for organizational control systems (OCT construct Organizational Culture). As our first round of interviews additionally revealed, "passive" organizational communication mechanisms were perceived as a major reason for insufficient knowledge on the user side. Participants stated that they were often confronted with situations in which they had to take initiative (e.g., access the newest manual) to get necessary information about IT standards rather than being provided with it in the first place. We argue that organizations should reduce effort on the user side and establish active (push-oriented) communication mechanisms. This concerns information about the introduction of new standards, associated individual and organizational benefits, aspects of usage, and areas of application. As our design theory aims at medium to large-sized organizations, we assume that intranet networks are already installed and relatively stable, thereby serving as a foundation for sharing knowledge through multiple channels such as email, brochures, manuals, meetings, and workshops. We thus posit:

DP5. Those affected by an IT standard should be provided with all relevant information regarding its utilization and benefits, so that users do not have to ask for information first.
Pushing all relevant standard information to the users is expected to counteract faulty user behavior and, thereby, the creation of unnecessary costs and deficient IT services. DP5 thus targets DG1 (IT cost reduction) and DG4 (improved quality of IT services). Pushing all relevant information to the users also presumably reduces the effort and resistance on the user side, thus promoting DG3 (enhanced IT manageability and controllability). We therefore posit the following testable propositions:

TP5a. Pushing all relevant standard information to the users reduces business costs.
TP5b. Pushing all relevant standard information to the users improves IT manageability and controllability.
TP5c. Pushing all relevant standard information to the users improves the quality of IT services.

DP6. Integrate Standard Management into Existing Processes and Structures
Implementing IT standard management as we propose in this paper has interdependencies with existing business operations (e.g. new process standards) and managerial decision-making (e.g. which standards should be introduced regarding which processes). OCT also suggests that working control systems require a careful consideration of organizational structure (OCT construct Organizational Structure). Structural integration helps realize additional coordination capacities in the context of high-level interdependency between IT, business, and standard management (Puranam et al., 2009). Process integration further enables an organization to steer and coordinate activities across internal borders (Rai et al., 2015). For instance, existing structures such as IT executive meetings can be adjusted with relative ease by including standards managers so that IT management decisions regarding standardization topics do not contradict those of standard management (Dittes et al., 2014). We thus posit:

DP6. Standard management is integrated into the organization to corroborate the significance of ICITS within the organization and avoid contradictory decision-making.
Integrating standard management into existing processes and structures is expected to improve standard decision-making, procedural integrity, and structural integration. DP6 thus aims at DG3 (IT manageability and controllability), and we formulate the following testable proposition:

TP6. Integrating standard management into existing processes and structures improves IT manageability and controllability.

DP7. Establish a Role Concept with Clear Responsibilities
Approaching OCT from the perspective of organizational roles, Collins (1982) argues that in order to achieve effective social control, it is necessary to communicate and internalize role expectations (OCT construct Organizational Structure). Literature in this field further suggests that people identify with the social norms and expectations associated with roles and aim to satisfy these expectations (Biddle, 1986). Moreover, prescribed roles reinforce stability and predictability of the organizational structure (Rogers, 1983, p. 349). In addition, an effective implementation of a role concept improves accountability, which plays a significant part in reducing non-compliance with policies (Vance et al., 2013, 2015). We therefore posit:

DP7. There is a clear definition of all relevant roles in the ICITS process.
Establishing a role concept with clear responsibilities is expected to lead to better personal accountability and to help employees understand their obligations. DP7 therefore aims at DG3 (IT manageability and controllability). We thus posit the following testable proposition:

DP8. Minimize the Number of Component Standards
In our first round of interviews, it already became clear that the sheer number of standards can become a significant problem regarding the overall process of the implementation of ICITS. Participants did not only emphasize the high number of standards they were confronted with, but also mentioned that they were sometimes "uncertain which component standards work together." While this issue is related to DP5 (Push all relevant information to the users), the extent of difficulties regarding unnecessary standard redundancy merits its separate treatment. The participants further suggested platform standardization as a potential solution for these transparency issues. We therefore posit:

DP8. The number of standards for single, small components is minimized. Platform standards covering a significant functional range are used instead.
Minimizing the number of component standards is expected to decrease redundancy caused by functionally overlapping standards and to reduce the likelihood of dysfunctional integration of standards. DP8 therefore promotes DG1 (IT cost reduction). Minimizing the number of component standards also presumably increases the procedural transparency for users and improves the functional interaction of standards. DP8 therefore also aims at DG4 (quality of IT services). We thus posit the following testable propositions:

Evaluation Results of Design Goals
In general, the participants expressed strong agreement with the design goals. This is reflected by average values (AVG) of agreement with the design goals ranging from 4.29 to 4.86 on a scale from 1 (full disagreement) to 5 (full agreement), and a maximum standard deviation (STD) of 0.95 as shown in Table 6. All participants noted that the current design goals cover all relevant objectives of ICITS and no participant named any additional ICITS goal not covered by the current design. Most experts further emphasized that the design goals strongly represent the practitioner's perspective.
With respect to DG1, it was confirmed that IT cost reduction is a major driving point for organizations to initiate ICITS projects. The participants proposed increased hard- and software homogeneity and realization of economies of scale as the main reasons for this.
Participants further commented that the degree to which ICITS reduce IT costs strongly depends on the current IT management maturity and the ability to bundle know-how on employees in ICITS steering positions, as hypothesized above. DG2 has the lowest average value with 4.29 and the highest standard deviation at 0.95. The interviewees acknowledged that organizations aim to increase flexibility through, e.g., simplified application landscapes, even though this may come at the cost of individual flexibility. DG3 and DG4 had the highest agreement throughout all interviews. Table 6 summarizes the quantitative parts of the design goals' evaluation.

Evaluation Results of Design Principles and their Testable Propositions
In this section, we first discuss the general feedback regarding strengths and weaknesses of the current design and examine the evaluation results for each design principle and its testable propositions in detail.
Regarding the strengths of the current design, most interviewees agreed that the current DPs are complete in the sense that they provide guidance in all relevant areas of ICITS. One participant commented that the DPs "have a good level of granularity while still covering all relevant aspects of [ICITS]". A further strength identified by the interviewees consists in the relevancy of each DP for the ICITS process as well as the fact that the DPs guide organizations in efficient steering and managing of ICITS projects. Furthermore, there was a consensus that the DPs are applicable to any organizational context as long as the necessary decision-making and steering functions to get top management support for ICITS are guaranteed and as long as the specifics of an organization are not neglected during the implementation of the DPs. The clear structure of the DPs was also positively noted. None of the interviewees named any overall weaknesses of the presented DPs. However, we noticed issues with the wording of some DPs. In particular, the term 'dedicated' for DP1 as well as the lack of a clear reference to redundancy in the title of DP7 caused confusion for some participants. We also noticed an issue with the evaluation design. In particular, we used applicability and adequacy as a combined criterion for evaluating each design principle. It seems that these two constructs target different aspects as most participants answered the item 'applicability and adequacy' in two separate parts. The first part referred to whether the design principle can be applied in practice and the second part to whether it accurately supports ICITS. The experts further pointed out that our current design overlooks some interdependencies between design principles and design goals, which provides an interesting avenue for future research.

Evaluation Results of DP1 and its Testable Propositions
The experts generally agreed that DP1 is purposeful and relevant (Avg: 4.71). They also agreed with it being applicable and adequate for supporting ICITS (Avg: 4.71). One participant pointed out that the applicability of DP1 depends on an organization's management capabilities and size. This person suggested that while it makes sense to define responsibilities for standard steering and monitoring in large organizations, medium-sized organizations may choose to do so by defining appropriate roles for employees rather than establishing a dedicated institution. This suggests that we may need to address differences between medium and large organizations when defining DP1. Two interviewees further expressed that there is a general risk of overregulation. One of them said that "especially in Germany there is a regulation frenzy" that needs to be considered when organizations decide how to implement DP1.
The evaluation of the testable propositions for DP1 affirmed their validity with an average rating of 4.29 to 4.43 and a maximum standard deviation of 0.76. Participants agreed that dedicated steering and monitoring supports the control of key standardization aspects and hence improves IT manageability and controllability (TP1a). In particular, experts from large organizations commonly described that they already use dedicated standard steering and monitoring (e.g. in the form of standard offices) and stated that it significantly reduces ICITS management complexity. They further validated that monitoring standard user behavior counteracts noncompliance and positively influences the quality of IT services (TP1b). Most experts agreed that performance indicators can be used to quickly evaluate key ICITS aspects.
One participant mentioned key performance indicators to be a prerequisite for controlling the ICITS process. Another participant pointed out that DP1 can lead to overall business IT cost reduction if implemented thoroughly and efficiently.

Evaluation Results of DP2 and its Testable Propositions
All participants fully agreed that a standard lifecycle concept is purposeful and relevant for successful ICITS. They also generally confirmed the applicability and adequacy of DP2 (Avg: 4.71). However, only few of the experts were aware of a standard lifecycle in their organization. Instead, they commonly referred to general patterns of the introduction and the use of IT standards in their companies. Most of them argued that the IT standard lifecycle varies significantly depending on its organizational purpose. Some participants further stated that their organization follows ITIL (Information Technology Infrastructure Library) definitions and ISO norms rather than having an abstract lifecycle for IT standards.
With reference to TP2, the average rating is 4.71 with a standard deviation of 0.49. The experts acknowledge that a standard lifecycle concept helps with the awareness of phase-specific challenges as well as establishing standardization as an ongoing process, and thereby positively influences IT manageability and controllability. One participant commented that understanding the lifecycle of an IT standard is a critical requirement for large scale ICITS. Three participants further stated that DP2 allows for better planning of organizational resources.

Evaluation Results of DP3 and its Testable Propositions
One participant did not evaluate DP3 due to lacking experience with the management by objective (MBO) approach. The remaining experts fully agreed with the purpose and relevancy of DP3 and generally confirmed its applicability and adequacy (Avg: 4.33). One expert expressed doubts regarding the applicability of an incentive system with positive sanctions for standard compliance and hence gave lower ratings for all items of DP3 and its testable propositions, except purpose and relevancy. With reference to the testable propositions, five participants confirmed the validity of TP3a stating that standard-oriented MBO fosters the linkage of individual and organizational goals (Avg: 4.00). They agreed that it leads to better understanding of organizational ICITS goals and increasing the motivation of employees to work towards them, thereby positively influencing IT manageability and controllability. They further confirmed that including employees and lower management into the definition of ICITS objectives as well as introducing an incentive system counteracts employees' deviant behavior towards IT standards and therefore positively affects the quality of IT services (TP3b). Two participants said that their organizations run mandatory enterprise-wide application control.

Evaluation Results of DP4 and its Testable Propositions
Six of the seven interviewees fully agreed with the purpose and relevancy (Avg: 4.86) as well as applicability and adequacy (Avg: 4.57) of DP4. One participant criticized the applicability of DP4 and described that most organizations avoid change until no longer possible. While it may be true that organizations avoid change, we believe this emphasizes the purpose and relevancy of DP4 as it speaks to the exact problem of organizations avoiding change rather than handling it in a timely manner. TP4b had the lowest rating of all testable propositions (Avg: 3.70). As mentioned above, one participant fully disagreed with the need for organizations to welcome change, arguing that in practice, organizations tend to preserve systems that are deemed to work well. Another participant stayed neutral towards TP4b as this person was not convinced that the overall cost-savings of anticipating technical change outweigh the cost for establishing anticipatory change management. The other five participants expressed their approval of TP4b. TP4a, on the other hand, received overall acceptance with an average of 4.57.

Evaluation Results of DP5 and its Testable Propositions
All experts considered DP5 to be purposeful and relevant for ICITS and confirmed its applicability and adequacy (Avg: 4.71). They named communication as a major driver for process transparency. The interviewees regarded all three testable propositions as valid. They agreed that organizations should provide their employees with all relevant information regarding the use of new IT standards as well as their individual and organizational benefits. They generally confirmed that this counteracts faulty user behavior, thus leading to reduced business IT costs (TP5a) and improved quality of IT services (TP5c). One participant mentioned that employees should receive regular training (e.g. regular workshops) to prevent misuse of standards and user frustration. The experts further agreed that DP5 reduces the effort for obtaining necessary information on the user side and counteracts resistance to standards, thereby supporting IT manageability and controllability (TP5b). However, they emphasized that organizations need to avoid flooding their employees with irrelevant information when implementing DP5. According to the participants, organizations need to make use of efficient communication channels when providing employees with information and avoid providing too much unnecessary information as standard resistance may increase otherwise. All participants described that their organizations communicate information about new IT standards but most of them stated that there is no communication of the benefits of standards. Additionally, they commented that information about new IT standards is usually kept to basic user instructions.

Evaluation Results of DP6 and its Testable Propositions
All experts expressed full agreement with the purpose and relevancy of DP6 for successful ICITS. Most experts pointed out that (management) integration is a key topic of ICITS. There was general consent that it is applicable and adequate for supporting the ICITS process in organizations (Avg: 4.57). Most participants acknowledged the integration of current business and IT management with standard management as a mandatory precondition for ICITS. They also validated that existing processes and structures (such as executive meetings) should be complemented with IT management mechanisms to avoid contradictory decision making, ensure the integrity of IT (standard) related processes, improve structural integration, and thereby ultimately enhance IT manageability and controllability (TP6). One participant suggested that DP6 also positively influences cost reduction as integrated decision-making avoids faulty process design and therefore prevents processes from failing.

Evaluation Results of DP7 and its Testable Propositions
The interviewees fully agreed with DP7 being purposeful and relevant for ICITS. They also confirmed that a role concept with clear responsibilities is applicable in practice and supports organizational ICITS. The experts validated that a role concept leads to better personal accountability and helps employees understand their obligation, thus improving IT manageability and controllability (TP7). Most participants further agreed that roles need to be clearly defined to keep the ICITS process transparent. One participant commented that DP7 addresses the quality of IT services (DG4), arguing that clear role definitions lead to a higher compliance to IT standards as people can be held accountable for their actions.

Evaluation Results of DP8 and its Testable Propositions
The experts fully confirmed the purpose and relevancy of DP8. They generally agreed with its applicability and adequacy (Avg: 4.86). They stated that avoiding unnecessary redundancy is an important aspect of keeping ICITS processes transparent for users. However, there seem to be some issues with the exact phrasing of DP8, as most experts initially misunderstood it and thought that it promotes a reduction of ICITS rather than controlling unnecessary redundancy.
With reference to TP8a, the participants agreed that by minimizing small component standards and controlling unnecessary standard redundancy, functional overlaps and integration errors can be reduced, thus leading to reduced IT costs. They also agreed that decreasing the number of component standards increases process transparency for users, improves the functional interaction of standards, and thereby improves the quality of IT services (TP8b). The interviewees pointed out that the successful implementation of DP8 critically depends on the maturity of the large standards replacing old standards. One participant further mentioned that DP8 enhances IT manageability and controllability (DG3) as it reduces the complexity of the IT landscape. Another participant suggested that by reducing the number of standards in an organization, standards can be replaced with less effort and it becomes easier for employees to focus on certain standards. That person concluded that this leads to lower reaction times for the ICITS support staff, thus increasing organizational flexibility (DG2). Table 7 summarizes the quantitative parts of the evaluation of the design principles and their testable propositions.

Discussion and Conclusion
The aim of this paper was to develop a design theory for the management and governance of organizational IT standards. The theory is grounded on Organizational Control Theory, additional relevant literature, as well as on an exploratory and a confirmatory interview study. Based on our qualitative exploratory study at a large automotive manufacturing organization, we posited four design goals indicating that IT standardization should be managed so as to lower business costs, increase organizational flexibility, enhance IT manageability and controllability, and improve the quality of IT processes and services. Based on these goals and an analysis of relevant literature, we developed eight design principles with corresponding testable propositions that can be applied in practice in order to manage organizational IT standardization. Finally, the resulting design theory was evaluated through a quantitative and qualitative interview study involving subject-matter experts from different companies and industries.
Our research contributes to theory as well as practice: To the best of our knowledge, our work is the first design theory to provide a detailed, holistic management framework for organizational IT standardization. While previous studies about the management of IT standardization mostly concern non-organizational, industry-related standards set by higher authorities, investigations of in-company IT standards are fragmented and do not provide a holistic set of managerial recommendations. Furthermore, existing recommendations regarding ICITS mostly lack any theoretical underpinnings. Our theory, in contrast, showcases the adaptability of OCT in the context of ICITS, thus adding to the theory's validity and generalizability. The holistic nature of our theory, its empirical foundations, and its theoretical underpinnings together form a valuable contribution to the existing body of theoretical knowledge on the management of ICITS.
Further, we provide hands-on management mechanisms to guide future standardization endeavors in practice. Applying our design principles in practice, organizations can better understand IT standardization, minimize deviant behavior towards organizational IT standards and thus decrease costs, enhance flexibility, ensure manageability and improve the service quality of the organizational IT. However, our research also revealed that companies should not blindly follow and implement these principles. Instead, the proper way of applying our theory to specific organizations varies with several factors, including the following: size of the organization, organizational IT maturity, degree of IT standardization, and organizational attitude towards change. In what follows, we will address the role of each of these factors.
First, while our theory only addresses medium to large sized companies, there may still be significant implementation differences between medium and large companies. For instance, it may not be necessary for medium-sized companies to introduce an incentive system if the organization size allows for relatively easy control of standard compliance. On the other hand, an incentive system might be necessary for controlling standard compliance in large companies. The responsible authorities in large companies may, for instance, consider regular application scans in order to guarantee adherence to IT standards. Furthermore, it may be efficient for large companies to employ members who are fully dedicated to steering and monitoring standards, while medium-sized companies may assign these responsibilities to existing roles.
A second factor we anticipate affecting our theory's implementation is organizational IT maturity. We expect organizations with high IT maturity (e.g., high expertise in IT governance, high level of IT integration, experience with ICITS) to already use some of our design principles and also to have processes as well as structures in place that facilitate the implementation of the other design principles. We assume this is particularly likely for DP1 (steering and monitoring), DP2 (lifecycle concept), DP4 (technical change standard change management), and DP7 (clear role concept).
Third, we hypothesize that the degree of organizational IT standardization influences the ease of implementation as well as the acceptance of the design principles. In particular, organizations with a high degree of standard diffusion are likely to already use some of our design principles in practice and implement further ones more efficiently. Additionally, we suspect acceptance of standards and corresponding management processes to be higher since employees are already used to IT standards and recognize their importance.
Finally, we consider an organization's attitude towards change as a fourth factor influencing the ease of implementing the principles. That is, we expect organizations that promote organizational change and motivate employees to give them feedback about current management practices to experience less resistance to ICITS.
Our research is subject to certain limitations. Since the evaluation of our design theory is still in an early phase, we were not yet able to observe all our current design principles fully applied in practice, as recommended by Gregor and Jones (2007). Additionally, we are not yet in a position to confidently attribute individual weights concerning the importance of each design principle. Accordingly, we plan to further evaluate our theory by developing a measurement model and conducting a study using quantitative methods in order to determine the importance of each design principle for organizational IT standardization. Another avenue for future research that we are currently planning to pursue concerns an empirical investigation of interdependencies both among the design goals and among the design principles.
Funding: Open Access funding enabled and organized by Projekt DEAL.

Declarations
Kevin Rehring is Acting Chief Information Security Officer (CISO) & Enterprise Architect at DVV - Duisburger Versorgungs- und Verkehrsgesellschaft mbH. He obtained his doctorate from the University of Duisburg-Essen, Germany in 2021, where he did research in the area of enterprise architecture management and augmented reality as well as smart city and IoT.