Corporate governance of information technology
Information technology governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, but more so because of the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.
IT capability is directly related to the long term consequences of decisions made by top management. Traditionally, board-level executives deferred key IT decisions to the company's IT professionals. This cannot ensure the best interests of all stakeholders unless deliberate action involves all stakeholders. IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework (see below) used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.
Both narrow and broad definitions of IT governance exist. Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT."
In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
Wim Van Grembergen and Steven De Haes (2009) focus on enterprise governance of IT and define this as "an integral part of corporate governance", something which "addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments".
AS8015, the Australian Standard for Corporate Governance of Information and Communication Technology (ICT), defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between strategic objectives and IT management of an organization. It highlights the importance of IT-related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.
The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, ICT infrastructure, etc.
Accountability is the key concern of IT governance.
After the widely reported collapse of Enron in 2000 and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of auditors and the boards of directors for public and privately held corporations were questioned. As a response to this, and to attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Although not directly related to IT governance, Sarbanes-Oxley and Basel-II in Europe have influenced the development of information technology governance since the early 2000s.
Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. A series of Australian Standards for Corporate Governance were published in 2003, these were:
- Good Governance Principles (AS8000)
- Fraud and Corruption Control (AS8001)
- Organisational Codes of Conduct (AS8002)
- Corporate Social Responsibility (AS8003)
- Whistle Blower protection programs (AS8004)
AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008.
Problems with IT governance
Is IT governance different from IT management and IT controls? The problem with IT governance is that often it is confused with good management practices and IT control frameworks. A short way to explain the difference is by researching the following statement: "management is not leadership". While IT management is about good shepherding of assets and resources, IT governance adds a vision and leadership dimension. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.
Less than a quarter of all enterprises have adopted any major IT governance standard despite the potential benefits to performance and profitability. While different companies have different reasons, the failure is often a reflection of the belief that IT governance standards are too expensive to implement, that they don’t reflect reality, or that it is unnecessary if they have already reached compliance with Sarbanes-Oxley (SOX) and other standards. However, the benefits that can be achieved by following the best practices should outweigh these perceived issues.
There are quite a few supporting references that may be useful guides to the implementation of information technology governance. Some of them are:
- AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008
- ISO/IEC 38500:2008 Corporate governance of information technology, (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is applicable to organizations from all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
- COBIT (Control Objectives for Information and related Technology) is regarded as the world's leading IT governance and control framework. COBIT provides a reference model of 34 IT processes typically found in an organization. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. Originally created by ISACA, COBIT is now the responsibility of the ITGI (IT Governance Institute).
- ITIL (IT Infrastructure Library) is a high-level framework with information on how to achieve a successful operational Service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum. While not specifically focused on IT governance, the process-related information is a useful reference source for tackling the improvement of the service management function.
- ISO/IEC 27000-series - focus on Information Security
- CMM - The Capability Maturity Model: focus on software engineering
- TickIT - a quality-management certification program for software development
Non-IT specific frameworks of use include:
- The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas.
- Six Sigma - focus on quality assurance
- TOGAF - The Open Group Architectural Framework - methodology to align business and IT, resulting in useful projects and effective governance.
Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA). It is designed for experienced professionals, who can demonstrate 5 or more years experience, serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a 4-hour test, designed to evaluate an applicant's understanding of enterprise IT management. The first examination was held in December 2008.
- Corporate Governance of ICT
- Data governance
- Enterprise architecture
- Information governance
- Information Technology Infrastructure Library
- Information technology management
- ISO/IEC 38500
- IT portfolio management
- IT service management
- Project governance
- Val IT
- Website governance
- Blitstein, Ron, 2012. "IT Governance: Bureaucratic Logjam or Business Enabler", Cutter Consortium.
- S. De Haes, and W. Van Grembergen, “An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research”, Communications of AIS, No. 22, 2008, pp. 443–458.
- S. De Haes, and W. Van Grembergen, “An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment”, Information Systems Management, Vol. 26, 2009, pp. 123–137.
- S. De Haes, and W. Van Grembergen, “Exploring the relationship between IT governance practices and business/IT alignment through extreme case analysis in Belgian mid-to-large size financial enterprises”, Journal of Enterprise Information Management, Vol. 22, No. 5, 2009, pp. 615–637.
- Georgel F., IT Gouvernance : Maitrise d'un systeme d'information, Dunod, 2004(Ed1) 2006(Ed2), 2009(Ed3), ISBN 2-10-052574-3. "Gouvernance, audit et securite des TI", CCH, 2008(Ed1) ISBN 978-2-89366-577-1
- Lutchen, M. (2004). Managing IT as a business : a survival guide for CEOs. Hoboken, N.J., J. Wiley., ISBN 0-471-47104-6
- Renz, Patrick S. (2007). "Project Governance." Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7
- Van Grembergen, W., Strategies for Information technology Governance, IDEA Group Publishing, 2004, ISBN 1-59140-284-0
- Van Grembergen, W., and S. De Haes, Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, 2009.
- Wim Van Grembergen, and S. De Haes, “A Research Journey into Enterprise Governance of IT, Business/IT Alignment and Value Creation”, International Journal of IT/Business Alignment and Governance, Vol. No. 1, 2010, pp. 1–13.
- Weill, P. and Ross, J.W. (2004). IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Boston, MA, Harvard Business School Publishing, ISBN 1-59139-253-5
- Wilkin, C.L. and Chenhall, R.H. (2010). A Review of IT Governance: A Taxonomy to Inform AIS, Journal of Information Systems, 24 (2), 107–146.
- Wood, David J., 2011. "Assessing IT Governance Maturity: The Case of San Marcos, Texas". Applied Research Projects, Texas State University-San Marcos. (This paper applies a modified COBIT framework to a medium sized city.)
- Weill, P. & Ross, J. W., 2004, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results", Harvard Business School Press, Boston.
- "Board Briefing on IT Governance, 2nd Edition" (PDF). IT Governance Institute. 2003. Retrieved January 18, 2006.
- Introduction to ISO 38500[dead link]
- "IT Governance Standards: Myths & Reality". Dell.com. Retrieved 2012-06-19.
- [dead link]
- "itgi.org". itgi.org. 2010-06-22. Retrieved 2012-09-19.
- "itil.co.uk". itil.co.uk. Retrieved 2012-09-19.