Environmental Sustainability in Information Technologies Governance

: In the present day, many risk factors affect the continuity of a business. However, this situation produces a conducive atmosphere to approach alternatives that relieve this situation for organizations. Within these alternatives, environmental sustainability (ES) and information technologies governance (IT governance or ITG) stand out. Both alternatives allow organizations to address intrinsically common issues such as strategic alignment, generation of value, mechanisms for performance improvement, risk management and resource management. This article focuses on the fusion of both alternatives, determining to what extent current ITG models consider ES issues. With this purpose, the strategy followed was ﬁrstly to identify the relevant factors of ES present in the main approaches of the domain (ISO14001, GRI G4, EMAS, SGE21 and ISO26000). As a result, we identiﬁed 27 activities and 103 sub-activities of ES. Next, as the second main objective, we determined which of those factors are present in the main current ITG approaches (COBIT5, ISO38500 and WEILL & ROSS). Finally, we concluded through a quantitative study that COBIT5 is the most sustainable (i.e., the one that incorporates more ES issues) ITG approach.


Introduction
In the present day, companies are facing a high risk environment [1] characterized by global recession, uncertain competitive environments, need to reduce costs, etc. This has led organizations to incorporate alternatives that help to maintain their benefits [2,3].
At this moment, two main concepts arise in the search for these alternatives. On the one hand, environmental sustainability (hereafter, ES) is considered to be one of the three dimensions of sustainability, whose most widely recognized definition belongs to Gro Harlem Brundtland: "meets the needs of the present without compromising the ability of future generations to meet their own needs" [4]. This definition applied to ES implies achieving business development results without threatening the environment and defending the interests of future generations. Thus, ES is a tool that allows organizations to: (i) generate business value, (ii) generate capacity to support, recover and prevail, and (iii) design strategies with greater economic and ecological responsibility [2,5].
On the other hand, information technologies governance (hereafter, IT governance or ITG) can be defined as "an integral part of enterprise governance that consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives and that it is the responsibility of the board of directors and executive management" [6]. Thus, ITG is a tool that allows organizations to: (i) improve their effectiveness and efficiency, (ii) have a competitive advantage, and (iii) maximize profitability [7].
There are many approaches today concerning ES, among which we can mention the following: • ISO14001: A standard developed by the ISO (International Organization for Standardization) whose objective is to reduce the amount of environmental impacts. It was first published in 1996 and had several versions, the last being the revision in September 2015 [8][9][10]. • GRI G4: The fourth version of the GRI (Global Reporting Initiative) guide, which offers the appropriate tools for the preparation of sustainability reports and provides the principles and indicators to measure and demonstrate the performance of an organization with respect to economic, ecological and social issues [11,12]. • EMAS: The European EMAS (Eco-Management and Audit Scheme) Regulation represents a voluntary approach that aims to increase corporate environmental performance [13,14].
Originally designed for the industrial sector, EMAS can be applied in all organizations following its revision of 2001 (Regulation (EC) No. 761/2001) in order to increase environmental performance [15][16][17] and even innovation [18]. • SGE21: An auditable and certifiable standard by FORÉTICA used to establish an ethical management system. It focuses mainly on compliance with legislation and regulations, ethical management, and social responsibility policy, and provides a code of conduct and means of review by management to achieve continuous improvement [19,20]. • ISO26000: An international standard of the ISO family, which provides guidance to organizations on the methods to implement the principles of social responsibility in the daily activities of an organization [20,21]. • ESF: The Environmental and Social Framework (ESF) enables the World Bank and borrowers to better manage environmental and social risks of projects and to improve development outcomes. The ESF offers broad and systematic coverage of environmental and social risks [22]. • SR10: Establishes the requirements of a social responsibility management system for organizations committed to the principles and recommendations on social responsibility and, in particular, those contained in the International Standard ISO26000 [23].
Similarly, there are many approaches today concerning ITG, among which we can mention the following: • COBIT5 (Control OBjectives for Information and related Technology): A reference framework for governance and IT management whose objective is to help organizations create value from IT, maintaining a balance between obtaining benefits, optimizing the level of risk and their resources [24][25][26]. • ISO38500: Constitutes a guide or tool for ITG by establishing ITG activities, such as evaluation, management and monitoring of the use of information and communication technologies [27,28]. • CALDER-MOIR: An ITG framework that provides a structural guide to implement ITG. In fact, it is a simple tool to help implement the ISO38500 standard [29]. • WEILL & ROSS: Peter Weill and Jean Ross propose an ITG framework where senior management will position the company in the desired profile through the articulation of desirable strategies and behaviors [30]. • FORRESTER: The publication of Forrester Research establishes that the implementation of good IT governance requires a framework based on three main elements: structure, process and communication [31]. • GTI4U: This model has been proposed by a group of Spanish researchers. It is based on the ISO38500 standard and has been developed to be implemented in a university environment, being also used to evaluate the overall level of maturity of the Spanish university system [32].
• SMEsITGF: An ITG framework oriented on small and medium-sized enterprises and focused on the analysis of human resource management issues [33].
Both trends (ES and ITG) have followed independent paths until now. However, several studies have recently emerged with the intent to integrate them. Thus, because of the synergy between both, the concept of sustainable IT governance (hereafter, sIT Governance) arises. That is to say, the two trends merge with the intention of contributing to the evaluation, management and monitoring of IT practices in organizational processes and activities from a ES viewpoint [34]. The aim is to reduce or minimize the environmental impact by seeking optimization of resources, strategic alignment, generation of value and risk management [35,36].
SIT Governance is a recent concept that is still in progress. It is true that the number of investigations in this field is increasing (to a lower degree in the topic itself and to a greater degree in related topics), however, there are still no specific models/standards to help organizations to implement sIT Governance. In this sense, the work of Bengtsson and Ågerfalk [37] is a well-known study showing relevant papers relating IT and the environment. Most deal with more energy efficient computers [38,39], server virtualization [39] and other technical aspects that focus on the components (e.g., [40][41][42]); without taking into account the ES from an integral and strategic point of view.
The two more relevant attempts today in merging ES and ITG into an integral and strategic sIT Governance synergy are the following:

•
The study carried out by Machado et al. [43] that includes a mapping between activities from COBIT (versions 5 and 4.1), as a representative of ITG, and activities from GRI G4, as a representative of ES. However, this work: (i) puts aside relevant ITG approximations (such as ISO38500, CALDER-MOIR, WEILL & ROSS and FORRESTER) as well as relevant ES approaches (such as ISO14001, EMAS, SGE21 and ISO26000) and (ii) performs a "grosso modo" mapping.

•
The study carried out by Merhout and O'Toole [44], where they review COBIT5, one of the most relevant ITG frameworks, to determine the degree to which it supports the ES dimension (especially in relation to the acquisition, use and disposition of IT assets). They concluded that COBIT5 clearly presents a sustainability deficit, although they do not quantify it.
From these studies, we conclude two main deficiencies: 1.
The identification of the relevant ES factors using a single approximation to such a domain without complementing it with the other points of view of the main approaches (ISO14001, GRI G4, EMAS, SGE21 and ISO26000). This situation does not allow considering all the information that could be relevant.

2.
The high-level of detail (granularity) used in the studies of ES/ITG activities. This situation does not allow specifying, for example, the detailed assignment of factors from ES to (sub) activities of ITG.
These two deficiencies are addressed in this work. The purpose is to contribute to: (i) first, identifying the specific (i.e., not general) factors of ES contained in the main ES approaches (ISO14001, GRI G4, EMAS, SGE21 and ISO26000); and (ii) second, determining to what extent these factors are already present in the main ITG approaches (COBIT, ISO38500 and WEILL & ROSS), concluding with quantitative measurements regarding the ES deficit in current ITG frameworks as a consequence. The first objective is essential since it allows considering all the information that could be relevant coming from the main current ES approaches (not only one) and with an adequate and practical level of detail (instead of a high-level of detail/granularity). The second objective, derived from the first, is equally important in order to evaluate to what extent the current ITG frameworks have an ES deficit. In fact, the study presented here will be the starting point to address the ES deficiencies detected in the ITG frameworks and/or to propose a new comprehensive sIT Governance model.
The rest of the article is organized as follows. Section 2 presents the methodology we applied to fulfill the two above-mentioned objectives, whereas Section 3 presents the results obtained for such objectives. Finally, Section 4 includes the discussion and the main conclusions according to the results obtained. Figure 1 summarizes the two main activities that we considered in order to achieve the above-mentioned objectives. The first activity consists of comparing the main ES approaches in order to identify the set of relevant ES factors (first objective). This is because current ES approaches do not address the same aspects. Thus, there are ES factors that are considered by some approach but not by all of them and, on the other hand, the same ES factor may have different names in different approaches. Only when this information has been obtained from Activity 1, can the second activity be undertaken: to compare the main ITG approaches against the set of identified relevant ES factors in order to determine their degree of compliance (second objective).  Figure 1 summarizes the two main activities that we considered in order to achieve the abovementioned objectives. The first activity consists of comparing the main ES approaches in order to identify the set of relevant ES factors (first objective). This is because current ES approaches do not address the same aspects. Thus, there are ES factors that are considered by some approach but not by all of them and, on the other hand, the same ES factor may have different names in different approaches. Only when this information has been obtained from Activity 1, can the second activity be undertaken: to compare the main ITG approaches against the set of identified relevant ES factors in order to determine their degree of compliance (second objective). We used an analytical strategy of a comparative study between models and standards [45] to address the activities shown in Figure 1. This decision was based on the absence of specialized publications regarding comparative studies of mapping activities among the models/standards related to ES and ITG. Specifically, we chose the Method of Study of Similarity between Models and Standards (MSSMS) [46] as the working method for both activities. It proposes seven phases to formalize and organize a study to find the similarities and differences between several approaches (i.e., e.g., frames, models or standards). This method has been applied in different and diverse domains: comparative analysis of maturity models in business intelligence [47], study on software outsourcing based on CMMI-ACQ [48], comparison of models and standards for implementing IT service capacity management [49] and similarity study of risk management process in software outsourcing projects [50]. Figure 2 presents the seven phases of the MSSMS method. The deployment of these phases requires the identification of the elements that make up each approach/model/standard. We applied the deductive analytical method [51] for this and a documentary analysis as data collection technique to investigate the published documents. Below is a general description of the seven MSSMS phases: Phase 1: Select the possible standards and models to be analyzed

Materials and Methods
The purpose of this phase is to choose the set of models and standards to be included in the study, setting up the criteria that support the selection (e.g., the contribution to the scope of study   We used an analytical strategy of a comparative study between models and standards [45] to address the activities shown in Figure 1. This decision was based on the absence of specialized publications regarding comparative studies of mapping activities among the models/standards related to ES and ITG. Specifically, we chose the Method of Study of Similarity between Models and Standards (MSSMS) [46] as the working method for both activities. It proposes seven phases to formalize and organize a study to find the similarities and differences between several approaches (e.g., frames, models or standards). This method has been applied in different and diverse domains: comparative analysis of maturity models in business intelligence [47], study on software outsourcing based on CMMI-ACQ [48], comparison of models and standards for implementing IT service capacity management [49] and similarity study of risk management process in software outsourcing projects [50]. Figure 2 presents the seven phases of the MSSMS method.  Figure 1 summarizes the two main activities that we considered in order to achieve the abovementioned objectives. The first activity consists of comparing the main ES approaches in order to identify the set of relevant ES factors (first objective). This is because current ES approaches do not address the same aspects. Thus, there are ES factors that are considered by some approach but not by all of them and, on the other hand, the same ES factor may have different names in different approaches. Only when this information has been obtained from Activity 1, can the second activity be undertaken: to compare the main ITG approaches against the set of identified relevant ES factors in order to determine their degree of compliance (second objective). We used an analytical strategy of a comparative study between models and standards [45] to address the activities shown in Figure 1. This decision was based on the absence of specialized publications regarding comparative studies of mapping activities among the models/standards related to ES and ITG. Specifically, we chose the Method of Study of Similarity between Models and Standards (MSSMS) [46] as the working method for both activities. It proposes seven phases to formalize and organize a study to find the similarities and differences between several approaches (i.e., e.g., frames, models or standards). This method has been applied in different and diverse domains: comparative analysis of maturity models in business intelligence [47], study on software outsourcing based on CMMI-ACQ [48], comparison of models and standards for implementing IT service capacity management [49] and similarity study of risk management process in software outsourcing projects [50]. Figure 2 presents the seven phases of the MSSMS method. The deployment of these phases requires the identification of the elements that make up each approach/model/standard. We applied the deductive analytical method [51] for this and a documentary analysis as data collection technique to investigate the published documents. Below is a general description of the seven MSSMS phases: Phase 1: Select the possible standards and models to be analyzed

Materials and Methods
The purpose of this phase is to choose the set of models and standards to be included in the study, setting up the criteria that support the selection (e.g., the contribution to the scope of study  The deployment of these phases requires the identification of the elements that make up each approach/model/standard. We applied the deductive analytical method [51] for this and a documentary analysis as data collection technique to investigate the published documents. Below is a general description of the seven MSSMS phases:

Phase 1: Select the possible standards and models to be analyzed
The purpose of this phase is to choose the set of models and standards to be included in the study, setting up the criteria that support the selection (e.g., the contribution to the scope of study and the number of user organizations). Once the criteria are defined, the documentary analysis will let us identify the bibliographic references that validate our approach selection.

Phase 2: Define the reference model
The reference model represents the selected approach providing the broadest coverage in the field of study. Considering that the comparative analysis proposed in this work is based on the structure (elements) that make up each approach, the reference model should be the one that contributes most to the field of study through its structure. It will act as the pivot for the comparative analysis, and the correspondences with the other approaches are established around it in an iterative and individual way. This phase synthesizes the approaches selected in Phase 1 through the deductive and documentary analysis, and one is selected as the reference model for the comparative analysis.

Phase 3: Select the process(es) to be analyzed
The purpose of this phase is to determine the scope of the comparison to be carried out. Thus, the comparison of the approaches selected in Phase 1 may cover all or some of their constituent processes.

Phase 4: Set the level of detail
Once the standards/models to be considered, the reference model, and the process(es) to be analyzed have been selected, what remains to be defined is what element of the structure for each approach will be used to compare; that is to say, what is going to be mapped and to what level of the structure the mapping will reach. To select the level of detail, we applied the criteria of homogeneity and granularity. The first criterion tries to avoid mapping specific elements of an approach with general elements of another, because that would produce invalid results. The second criterion defines the level of specificity of the mapping taking into account that the highest granularity in a hierarchy would be at the top of it, and the minimum granularity would be at the bottom. The level of detail should be selected considering that granularity and homogeneity are consequently related; that is, homogeneity must be met to apply the minimum granularity.

Phase 5: Create a correspondence template
This phase defines the template to be used in the next phase. This template will be based on the process(es) to be analyzed (Phase 3) and on the level of detail established in Phase 4.

Phase 6: Identify the similarities among the models
The purpose of this phase is to identify the similarities among the selected models through the elements that they have in common. Thus, this phase performs the actual comparison among the selected approaches by mapping the considered element. We used an iterative strategy for the mapping: each model/standard is mapped individually regarding the considered element of the selected reference model. Once mapped, the result is reviewed in its entirety and the following is approached in the same way.

Phase 7: Present the results
The purpose of this phase is to present the results obtained in a structured manner.

Results
We present in this section the deployment of the seven MSSMS phases ( Figure 2) to address the two activities proposed in Figure 1.

Phase 1: Select the Possible Standards and Models to be Analyzed
The criteria for the selection of the standards and models to be incorporated into the comparative study were the following: (a) those related to ES, (b) those with a relevant proponent institution, (c) those most used by organizations, and (d) those with updated information and whose documentation is available.
The following ES approaches were selected using the above-mentioned criteria: ISO14001:2015, GRI G4:2013, EMAS:2009, SGE21:2016 and ISO26000:2012. Table 1 shows the bibliographic references that support the compliance with the criteria for each approach. It is worth mentioning that we have not selected other models because they do not meet any of the aforementioned criteria. For example, ESF [22] and SR10 [23] have not been selected because they do not meet the criterion defined in (c) (i.e., they are not used by organizations despite their relative degree of dissemination). Once the ES approaches have been selected, one has to be defined as the reference model in this phase. The deductive and documentary analysis of the five selected approaches lets us gather the sufficient knowledge to select the reference approach. Table 2 shows a descriptive synthesis of the five ES approaches studied, whereas a detailed description for each approach is provided in the supplementary material by means of five tables (Table S1a-e). Each table shows the name of the phase, the name of the activity and its coding. Table 2. Descriptive synthesis of the selected ES approaches. Table  Structure ISO14001 S1a

Model/Standard
This standard is composed of six phases. Each phase is composed of several activities, which decompose in sub-activities. In total, there are 26 activities and 68 sub-activities.

GRI G4 S1b
This guide proposes two types of contents that must be included in a Sustainability Report: (i) General Basic Contents and (ii) Specific Basic Contents, whose information was excluded for not contributing to ES [53]. The General Basic Contents are composed of 59 activities, which are grouped in phases: Prepare, Connect, Supervise and Inform.

EMAS S1c
This regulation is composed of five phases. Each phase is composed of several activities, which decompose in sub-activities. In total, there are 22 activities and 49 sub-activities.

SGE21 S1d
This standard is composed of nine phases. Each phase is composed of several activities, which decompose in sub-activities. In total, there are 37 activities and 47 sub-activities.

S1e
This standard is composed of seven phases and each phase is composed of several activities: 36 in total.
ISO14001 was selected as the reference model after the analysis carried out because it provides the greatest coverage in ES issues. This decision is supported by [58], which states that this standard is the main reference for environmental management in all types of organizations in the world.

Phase 3: Select the Process(es) to be Analyzed
In this case, the processes to be considered are all those relating the dimension of ES. Therefore, all the processes included in the reference model will be analyzed.

Phase 4: Set the Level of Detail
We established the minimum level of granularity (as long as homogeneity was maintained) to ensure that the relevant ES factors were identified with a sufficient level of detail. This was to avoid the "grosso modo" issue stated in the Introduction.
It should be noted that all the ES approaches studied in this work have the same level of detail, although they use different nomenclatures. For example, where ISO 14001 talks about sub-activities, GRI G4 talks about activities. Table 3 summarizes the relevant information until now: it shows, for each approach, the original and the unified structure based on the reference model (ISO14001). The nomenclature has been unified taking into account the level of detail provided for each approach, irrespective of the name used by each one. Thus, it can be concluded from Table 3 the minimum level of granularity that can be selected for all the approaches: sub-activity. We considered the following aspects presented before in order to define the correspondence template: Level of detail that will be used for the comparisons: sub-activity (in the unified structure).
The elements that make up the template are: the names of the phases and the activities and sub-activities codes, for the reference model, and the sub-activities that are connected with the sub-activity of the reference model (using the unified structure), for each ES approach.
3.1.6. Phase 6: Identify Similarities among the Models Table 4 shows the correspondence template filled with the results of the mapping process, in which three different scenarios can be found:

•
First scenario: There is correspondence, without assessing its accuracy. It is enough that the sub-activity makes some reference, although slight. This scenario means that the correspondence template shown in Table 4 defines what sub-activity is the one that refers to the sub-activity of the reference model (ISO14001). This is evidenced by showing the code of the corresponding sub-activity by using the unified structure. • Second scenario: The sub-activity does not contribute to ES. The reason for this scenario is that GRI G4, SGE21 and ISO26000 also cover economic and social sustainability domains. In addition, there are sub-activities typical of the context of each approach. Thus, for example, GRI G4, as a guide to help organizations in preparing sustainability reports, includes sub-activities referring to this specific information. In the same way, EMAS has sub-activities related to the certification process. Such kinds of sub-activities were not considered because they are not a relevant contribution to ES. • Third scenario: The sub-activity contributes to ES but does not exist in the reference model (ISO14001). In this case, this sub-activity becomes a reference for the other approaches, providing a new ES factor to be considered. These sub-activities, which have no correspondence in the reference model, are included in Table 4 using the unified terminology as follows: 3.1.3, 3.2.1, 3.3.1, 2.5.1 and 5.11.1 for SGE21; G4-44 and G4-51b for GRI G4, and 4.4 and 4.5 for ISO26000.
Since the purpose of this work is to establish correspondences between ES approaches, we only considered scenarios 1 and 3. An empty cell in Table 4 denotes that there was no correspondence with the sub-activity of the reference model.
It is important to note that the relevant ES factors were identified from Table 4 by applying the deductive method. As a representative example, the sub-activity 1.1, from the activity "EMS1 Understanding the organization and its context" of the reference model (first row in Table 4), has correspondence with the sub-activity G4-1 (GRI G4), with the sub-activities 1.1.1, 1.2.1, 1.3.1, 1.4.1 and 1.5.1 (EMAS), with the sub-activity 6.1.1 (SGE21), and with the sub-activities 1.1 up to 1.3 (ISO26000). Since there is correspondence (scenario 1), although it is not exact, it means that each of these sub-activities can contribute to EMS1 activity. Therefore, the set of contributions (sub-activities) for the EMS1 reference activity is:

•
Determine the internal and external problems of the organization, legal aspects and economic environment (from ISO14001). • Strategic focus of the organization (mission, vision, strategies, purposes, scope) from GRI G4 and ISO26000. • Description of the organization (from EMAS). • Define a strategic plan for sustainability (from SGE21).
A similar strategy was used to identify the rest of relevant ES factors. The full description of the relevant ES factors can be found later in Section 3.2.6 (first three columns in Table 8). In order to graphically organize the overlapping and most common sub-activities, the similarities between ES approaches (Table 4) are synthesized by means of a Venn diagram [59] in Figure 3. The five ES approaches are labeled in this figure as A (ISO14001), B (GRI G4), C (EMAS), D (SGE21), and E (ISO26000). With the exception of the cases mentioned in Phase 5 of Activity 1 (3.1.3, 3.2.1, 3.3.1, 2.5.1 and 5.11.1 for SGE21, and G4-44 and G4-51b for GRI G4), the sub-activities of the reference model overlap with the sub-activities of the other approaches (see Table 4). Therefore, the overlapped sub-activities are coded with the nomenclature of the reference model (i.e., A or ISO14001) in the Venn diagram. We can determine from Figure 3 the similarities across the ES approaches through their common sub-activities: • The sub-activities 1.  We can determine from Figure 3 the similarities across the ES approaches through their common sub-activities:

Phase 1: Select the Possible Standards and Models to be Analyzed
We used the following criteria to select the ITG standards and models for the comparative study: (a) those related to ITG, (b) those with a relevant proponent institution, (c) those most used by organizations, and (d) those with updated information and whose documentation is available. However, in this case and as opposed to Activity 1, it was necessary to incorporate an additional criterion: (e) those with a level of detail equivalent to a sub-activity level, regardless of what it is called. This was necessary to take advantage of the level of detail (sub-activity) achieved in the identification of the relevant ES factors, which acts as the reference model for Activity 2 (see Figure 1). Otherwise, it would not be guaranteed that the comparison and the subsequent quantification would be completely objective.
Using these criteria, the following approaches were selected: COBIT5:2012, ISO38500:2015, and WEILL & ROSS:2005. Table 5 shows the bibliographic references that support compliance with the criteria for each approach. It is worth mentioning that we have not selected other models for not meeting any of the aforementioned criteria. For example, the ITG Framework for SMEs (SMEsITGF) [33] and the ITG Model for Universities (MITGU) [32] have not been selected because they do not meet criteria b) and c), and the CALDER-MOIR [29,60] and FORRESTER [31,61] approaches have been excluded because they do not meet criterion e), since they are limited to the level of activity. Table 5. Bibliographic references supporting the compliance with the criteria for the selection of ITG standards and models. Criteria: (a) related to ITG, (b) relevant proponent institution, (c) most used by organizations, (d) updated information and whose documentation is available, and (e) level of detail equivalent to a sub-activity level. The relevance of the criterion (e) can be illustrated by trying to compare COBIT5 using the activity instead of the sub-activity level (in the unified structure) with the relevant ES factors. Thus, going back to the example shown in Section 3.1.6, the activity "EMS1 Understanding the organization and its context" of the relevant ES factors is composed of four sub-activities. In this case, the activity "Evaluate" of the process "EDM01 Ensure Governance Framework Setting and Maintenance" from COBIT5 ( Table S2a in the supplementary material) could be covered by the above-mentioned EMS1 activity. However, this would be a subjective comparison since it would be not guaranteed to have a connection with all its sub-activities. In fact, if we descend to the sub-activity level, we will see that only two of the four sub-activities of EMS1 are covered by COBIT5, as it will be explained later in Section 3.2.6.

Phase 2: Define the Reference Model
In this case, the reference model is the set of the relevant ES factors identified in Activity 1, which are composed of activities and sub-activities. This reference model will be compared with the three approaches selected in the previous phase. Table 6 shows a descriptive synthesis for these approaches, whereas a detailed description for each approach is provided in the supplementary material (Table S2a-c). Each table shows the name of the phase, the name of the activity and its coding. Table 6. Descriptive synthesis of the ITG approaches. Table  Structure COBIT5 S2a

Model/Standard
This standard is composed of 37 processes, five of which are related to governance. Each process is composed of governance practices, which decompose in activities. In total, there are 79 governance activities.

S2b
This standard is composed of six principles. Each principle is composed of three tasks, which decompose in activities. In total, there are 58 activities.

WEILL & ROSS S2c
This standard is composed by six components. Each component is composed of activities. In total, there are 25 activities.

Phase 3: Select the Process(es) to be Analyzed
In this case, the processes to be considered are all those relating the dimension of ES and ITG. Therefore, all the processes included in each ITG approach will be analyzed to see if they consider or not the ES factors identified in Activity 1.

Phase 4: Set the Level of Detail
The minimum granularity is the sub-activity level. This is because the ITG approaches will be mapped with the relevant ES factors, which are composed by activities and sub-activities. This was to avoid the "grosso modo" issue stated in the Introduction. Logically, homogeneity should be maintained between both levels of detail. When addressing the homogeneity criterion, we are faced with the same inconvenient detail in Phase 4 for Activity 1 (Section 3.1.4). In this regard, it should be noted that all the ITG approaches studied in this work have the same level of detail, although they use different nomenclatures. For example, where COBIT5 talks about activities, the relevant ES factors talk about sub-activities. Table 7 summarizes the relevant information until now: it shows, for each approach, the original and the unified structure based on the relevant ES factors. The nomenclature has been unified taking into account the level of detail provided for each approach, irrespective of the name used by each one.  Figure 1). • Level of detail that will be used for the comparisons: sub-activity (in the unified structure).
The elements that make up the template are: the relevant ES factors (using the structure Activity, Sub-activity and the Approach which contributes) and the sub-activities that are connected to an ES factor (and how this connection is) for each ITG approach. Thus, during the mapping process, there were different situations determined by two dimensions: location and content. The "location" dimension refers to whether or not the ES sub-activity is located on the ITG approach. On the other hand, the "content" dimension refers to the matching of the points of view (ES and ITG) for the considered ES factor. There are the following four possible situations based on these two dimensions: • Situation 0: The relevant ES factor (sub-activity) does not exist in ITG (i.e., neither of these dimensions are fulfilled). • Situation 1: The relevant ES factor (sub-activity) partially corresponds to ITG, but it deals with ES in one model and deals with ITG in the other (i.e., location is partially fulfilled and content is not fulfilled). • Situation 2: The relevant ES factor (sub-activity) is present in ITG, but it deals with ES in one model and deals with ITG in the other (i.e., location is fulfilled and content is not fulfilled). • Situation 3: The relevant ES factor (sub-activity) is present and with the same meaning in ITG (i.e., both location and content are fulfilled).
3.2.6. Phase 6: Identify the Similarities among the Models Table 8 shows the correspondence template filled with the results of the mapping process. It is worth mentioning that the situation labeled as "3" in the previous phase never happened. As a representative example of ES deficiencies in ITG, we found the other three possible situations considering the activity "EMS2 Understanding the needs and expectations of interested parties" and COBIT5 (see Table 8). The situation "0" appeared when the sub-activity "Identify the interested parties that are affected", provided by ISO14001, was considered: it does not exist in COBIT5 (i.e., empty cell). The situation "1" appeared when the sub-activity "Identify the interests of the stakeholders that are affected", provided by ISO26000, was considered: it is partially considered in COBIT5 by its sub-activity ITG44 (in the unified structure, see Table S2a in the supplementary material). However, while it refers to ES in ISO26000, it refers to IT in COBIT5. The situation "2" appeared, for example, when the sub-activity "Identify the needs and expectations of interested parties", provided by ISO14001, was considered: it is located in COBIT5 through its sub-activity ITG21 (in the unified structure, see Table S2a in the supplementary material). However, as in the previous example, it refers to two different aspects (ES and ITG).

Phase 7: Present the Results
We can determine the similarities across the ITG approaches and the relevant ES factors from Table 8 by identifying their common sub-activities: • Sub-activities with correspondence in the three ITG approaches considered: "Define the environmental policy of the organization within the defined scope", and "Define representatives to establish, implement and maintain, in addition to establish the functions and responsibilities". • Sub-activities with correspondence in two of the three ITG approaches considered: "Define a strategic plan for Sustainability", "Establish procedures to deal with risks and opportunities", "Detail the most important effects, risks and opportunities", "Ensure that the applicable legal requirements are taken into account in the establishment and maintenance of your EMS", "Management must ensure the availability of human, specialized, infrastructure, financial and technological resources to establish, implement, maintain and improve the EMS", "Establish a research, development and innovation environment", "Describe values, principles, standards and norms of the organization", "Define generalities of how external and internal communication will take" and, finally, "Establish, implement and maintain procedures to periodically evaluate compliance with applicable legal requirements".    The environmental benefits provided by your personal best performance 0 0 0 ISO14001 The functions and responsibilities that it has in the EMS 0 0 0 ISO14001 The potential consequences of deviating from environmental procedures 0 0 0

GRI G4
Describe values, principles, standards and norms of the organization. Establish internal and external mechanisms to report unethical or illicit behavior and matters related to the integrity of the organization.   Taking into account the previous points, we can determine to what extent the relevant ES factors are present in the ITG approaches in order to obtain quantitative measurements about their sustainability deficit. This quantitative study was categorized according to the types of situations already discussed in Section 3.2.5, since each represents a different type of deficiency. Table 9 summarizes the quantitative results. Thus, the first two columns show the number of activities and sub-activities of the relevant ES factors. The last six columns show, for each situation described in Section 3.2.5, the number of sub-activities (ES factors) that are connected to the ITG approach and the corresponding percentage. Table 9. Synthesis of the quantitative study derived from Table 8.

Discussion
This work addressed two main objectives regarding sIT Governance: identifying the relevant ES factors derived from the main ES approaches, and determining to what extent these factors are already present in the main ITG approaches.
Regarding the first objective, we extracted the relevant ES factors, which are composed of 27 activities and 103 sub-activities (Table 4), from ISO14001, GRI G4, EMAS, SGE21, and ISO26000 ( Figure 1, Activity 1). It should be noted that most of these belong to ISO14001, which was the reference model selected in Section 3.1.2.
To achieve the second objective ( Figure 1, Activity 2), we developed a correspondence template considering the relevant ES factors and COBIT5, ISO38500 and WEILL & ROSS as representative of IT Governance approaches (Table 8). This template let us determine, in a quantitative manner, to what extent current ITG approaches refer to the relevant ES factors (Table 9). Analyzing this last table, we can conclude that the situation labeled as "0" (i.e., the relevant ES factor does not exist in ITG) has, by far, the highest percentages. This situation demonstrates that there is a clear ES deficit in the ITG approaches studied: 72.82% in COBIT5, 82.52% in ISO38500 and 95.15% in WEILL & ROSS. This conclusion quantitatively corroborates the studies performed by Machado et al. [43], and by Merhout and O'Toole [44], although they restricted their analysis only to COBIT. In addition, the quantitative study carried out in our work also reveals that COBIT5 is the proposal that best covers ES issues, as confirmed by the results for situations "1" and "2" in Table 9.
It should be noted that the work presented here addressed the two main deficiencies presented in the Introduction section, since: 1.
The five main ES approaches (ISO14001, GRI G4, EMAS, SGE21 and ISO26000) have been considered in order to extract the relevant ES factors. It is worth mentioning at this point that, although ISO14001 is the approach providing more ES factors, none of the current studies has considered it.

2.
The issue about "grosso modo" was considered by applying the criteria of homogeneity and granularity to select the level of detail.
Future work should focus on two immediate research lines. The first would address the specific deficiencies of each ITG approach to make it "more sustainable". The second line, where we are currently working, would develop a new framework for sIT Governance, including ES in the ITG processes. Thus, we are identifying the relevant (i.e., not general) ITG factors from the main ITG approaches using the same criteria that were employed here to identify the relevant ES factors. The idea is to develop a correspondence template between the relevant ES and the relevant ITG factors with the purpose to identify the type of ES deficits of the relevant ITG factors. Once these deficiencies have been identified, we can propose a sIT Governance framework. In order to improve this proposal, it will also be important to perform case studies in different organizations. Finally, it is important to note that by using ISO14001 as the reference model we can take advantage of the synergies derived from its wide dissemination. ISO14001 certified organizations would find the new framework familiar.