IT MATTERS: The IT Governance Road Map
IT governance is an escalating issue for firms struggling with how to leverage IT to provide a competitive advantage for companies.
Managers have made numerous attempts to increase the understanding of how IT operates, and more importantly, how IT can be used to leverage the business and provide a competitive advantage for the firm. IT managers need to assess their capabilities by asking the following questions: 1) Are IT managers able to support the firm in obtaining its objectives? 2) Are they capable of keeping up with the constantly changing market environment? 3) Are they up to date on the latest and greatest technology trends and offerings to the marketplace? 4) Are they flexible enough to understand and lead business process changes as needed? 5) Are they capable of judiciously helping to manage the firm’s risk?
Information technology (IT) offers firms many opportunities to enhance or transform their products, services, markets, work processes, and business relationships. Such efforts, however, require carefully orchestrated efforts between the firm’s technology and business specialists. It is often the case that the ways in which the firm utilizes IT and the impact that IT has on a firm’s performance have been carefully guided by well-thought-out IT governance policies and procedures. Interestingly, the Meta Group recently reported that more than 80 percent of Global 2000 firms do not have a formal governance committee in place. The analyst firm also predicts that 50 percent of companies will attempt to improve their IT governance policies this year. According to the Meta Group, firms having better than average IT governance policies can realize at least a 20 percent higher return on assets than organizations with weaker governance.
What is IT Governance?
IT governance is defined as “the decision rights and accountability framework for encouraging desirable behavior in the use of IT.” IT governance is seen as a framework that ensures that information technology decisions consider the business’ goals and objectives. Similar to ways in which corporate governance aids the firm in ensuring that key decisions are consistent with corporate vision, values and strategy, IT governance ensures that IT-related decisions match companywide objectives.
IT governance has primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value. The overall objective of IT governance is to understand the issues and the strategic importance of IT, so that the firm can maintain its operations and implement strategies to enable the company to better compete now and in the future. Hence, IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. IT governance exists within corporations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:
- Alignment of IT to support business operations and sustain advantages;
- Responsible use of IT resources;
- Appropriate identification and management of IT-related risks;
- Facilitation of IT’s aid in exploiting opportunities and maximizing benefits.
A structured IT governance committee or policy along with corporate managers combine to ensure that IT is synchronized with the business and delivers value to the firm. IT governance also aids companies in instituting formal project approval processes and performance management plans.
Firms typically make five types of IT decisions:
- IT principles decisions dictating the role of IT in the enterprise.
- IT architecture decisions on technical choices and directions.
- IT infrastructure decisions on the delivery of shared IT services.
- Business application requirements decisions for each project.
- IT investment and prioritization decisions.
To successfully make these five types of decisions, firms must develop and implement IT governance mechanisms. There are three general categories of IT governance mechanisms and techniques, which include 1) decision making, 2) process assignment, and 3) communication approaches. A recent study asked 250+ Chief Information Officers (CIOs) how IT governance was enacted within their organizations. Utilizing the three general categories of governance mechanisms, the table below summarizes the techniques used by the firms:
Business/IT relationship managers
IT Leadership committee composed of IT executives
IT council composed of business and IT executives
Executives of senior management committee
Process teams with IT members
Capital approval committee
Tracking of IT projects and resources consumed
Formal tracking of business value of IT
Office of CIO or officer of IT governance:
Work with managers who fail to follow the rules;
Publicize announcements from senior management;
Manage and monitor Web-based portals and intranets for IT.
Despite the fact that corporations are beginning to experience success with implementing IT governance mechanisms to better manage their IT resources, individual governance mechanisms cannot alone promise the successful implementation and execution of IT governance policies and procedures. Companies must be able to better understand the complex playing field of their competitive environment and be able to put together a reliable set of governance techniques that are simple, are easily shared and implemented, and that engage managers who make key decisions for the company.
These mechanisms provide firms, at a minimum cost, with the coordination, control, and trust that is needed to manage and utilize their IT related resources. Hence, well-developed and implemented IT governance mechanisms help firms to establish coordinated mechanisms that link IT-related objectives and goals to measurable goals. IT governance also helps to provide the necessary checks and balances to better manage and mitigate risk, standardize practices, streamline procedures, and improve returns on technology resources and assets.
IT Governance: A Continuous Process. IT governance can be seen as the continuous process of aligning corporate and IT strategy. IT governance helps to shape organizational changes over time and should be tightly tied to corporate governance procedures and regulations. IT governance is intended to safeguard the organization against criminal activity inside and outside the organization and then to develop and implement strategies and processes to manage governance.
IT Governance at Different Layers of the Organization. IT governance is typically the primary responsibility of the board of directors and executive management (including the Chief Information Officer). It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
IT governance should typically address IT-related risks and opportunities at different layers of the organization. IT managers should solicit input for the development of IT governance policies and procedures, since such governance affects employees within different layers of the organization and across different business functions. All employees, from front-line employees and their managers to the executives of the board of directors, should contribute to the enforcement of IT governance policies and procedures.
Ten Action Items to Consider When Establishing IT Governance
1. Define your company’s direction on IT governance. In this step, the goal of the firm is to identify and define the strategic and tactical IT governance roles and responsibilities. Ensure that your firm has documented roles and responsibilities of the board, the executives, and the IT strategy committee. Identify and specify how priorities are set, how resources are allocated, and by whom, and how projects are tracked. In addition, include senior managers from both the IT and business divisions when you establish your direction; these individuals serve as the key champions to disseminate and encourage the adoption of IT governance procedures and policies within their divisions. Identifying champions from both sides of the business decreases the likelihood of a disconnect between business objectives and IT capabilities.
2. Determine an IT governance implementation plan. The firm requires an effective action plan that matches specific circumstances with needs. It is of foremost importance for the board to take ownership of IT governance and determine the direction that managers should follow. Such decisions are efficiently made by ensuring that the board operates with IT governance in mind:
- Ensure that IT issues, plans, and wins are on the Board’s agenda.
- Uncover IT issues by challenging management’s activities with regard to IT.
- Guide managers by helping to align IT initiatives with real business needs.
- Highlight the potential impact on the business of IT-related risks.
- Insist that IT performance be measured and reported to the Board.
- Establish an IT strategy committee that is responsible for communicating IT issues between the Board and mangers.
- Insist that the firm utilize a common approach to employing a management framework for IT governance.
3. Identify champions who have a vested interest. Assign clear responsibilities for each type of IT decision to individuals who can accept accountability for the outcomes of those decisions. Constrain the number of decision-making structures when determining how IT resources are acquired, utilized, and discarded.
4. Ensure cross-coordination and responsibilities for IT decisions. The previously listed five types of IT decisions are often distributed across the firm, so corporations need to consider overlapping responsibilities in the decision-making bodies. Overlapping memberships coordinate decisions throughout the enterprise and often ensure that the strategic objectives of managers filter down to decisions made at the individual project level.
5. Create an IT governance road map and plan for long-term strategies. IT governance should be integrated with the more broad and strategic Enterprise Governance goals. An IT governance approach helps board and management understand the implications and strategic implications of IT and assists in ensuring that the enterprise can sustain its operations and implement the strategies required to extend its operations for future growth. Avoid the “doing it all” syndrome, which most organizations attempt to do.
6. Walk before trying to run: Target short-term IT governance goals and wins. After the firm has identified and developed a strategic IT governance road map, perhaps identify short-term IT governance issues that can serve as quick wins to get the organization jump-started on its IT governance policy and regulation enforcement. These quick wins will provide a good indication of the possibilities and challenges associated with implementing sound IT governance; they also help to uncover corporate barriers that need to be addressed before long-term strategies can be implemented. Such wins will also help to provide evidence that IT governance procedures and policies can aid and protect the organization, as well as further establish the credibility for implementing IT governance policies.
7. Go To the place: Identify and manage IT-related risks and opportunities. Do your homework and understand what it is that your users need and determine how such needs affect ways in which IT is used within the corporation. In doing so, you can uncover IT-related risks and opportunities. Instead of pretending to understand instances of IT’s improper and ineffective use, go to the place where there is pain within the organization. Pay your users a visit to personally experience their IT-related difficulties. Another suggestion for identifying corporate IT risks or opportunities is to survey your users. They can be one of the best sources of input for identifying security gaps or inappropriate use of IT.
8. Revisit IT governance policies on a regular basis. Once a firm has designed a feasible set of IT governance mechanisms, governance can remain in place until a change in strategic direction or a business opportunity redefines what the firm sees as desirable use of IT resources. However, opportunities sometimes arise that are not fully (or partially) addressed in the IT governance policies and procedures. When this situation occurs, the IT governance policies must be revisited to address these situations.
9. Increase the transparency of your IT governance. One of the most significant factors that can influence the success of IT governance policy and procedures is the number of employees who can accurately describe the company’s IT governance policies. IT executives and their staffs must engage in proactive conversations with business people and IT users to better understand corporate needs. One suggestion to promote IT governance in your firm is to boost the public relations activities of the IT department. For example, consider producing and distributing an annual report from the IT department that explains and shares the firm’s IT governance and future strategic goals and plans.
10. Establish exceptions to processes in the governance processes. Occasionally business situations or opportunities occur that are not governed or addressed by the firm’s IT governance policies. Such occurrences arise simply because IT governance may prohibit particular actions, or perhaps IT governance policies may be out of date. Establish a process for the firm to follow if the need arises to update or to provide an exception to the IT governance policies that are in place.
IT governance exists to assist enterprise leaders in their responsibility to make IT successful in supporting the firm’s goals and mission. IT governance helps firm executives to raise awareness and understanding among employees. Such governance also helps provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds expectations of the firm. Over the next 40 years, IT leadership will move from serving as an individual contributor on the corporate team to being a full member of the team. The huge burden of the CIO ensuring that IT is effectively managed will become a company and board-level responsibility. However, this change will be more easily accomplished if IT governance is fully incorporated and is properly enforced within companies.
 SearchCIO.com, 1/11/2005, “Executive Guide: IT Governance.”
 Ross, Jeanne, and Weill, Peter. “Recipe for Good Governance,” CIO Magazine, 15 June 2004, 17, (17).
 Ibid. Ross & Weill.
 “Board Briefing on IT Governance,” 2nd edition, IT Governance Institute, 2003.
 Ibid.Ross & Weill.
 “Effective IT Governance Mechanisms,” CIO Magazine, June 15, 2004.
About the Author(s)
Mark Chun, PhD, earned his doctorate in Information Systems from the University of Colorado at Boulder; an MBA from the University of California, Irvine, with a emphasis on business and strategy; and a Bachelor of Business Administration with an emphasis in management information systems from the University of Hawaii. His research focuses on the use of IT to create value and to transform organizations, the integration of information systems, and knowledge management. He has been published in the Communications of the Association of Information Systems journal, the Journal of Information Technology Management, the Journal of Global Information Technology Management, and the Journal of Information Technology Case and Application Research. Dr. Chun has worked for Intel Corporation, Pepsi Co./Taco Bell, Coopers & Lybrand, and the Bank of Hawaii, and has conducted research at Qwest, Honda, Hilton Hotels, Kaiser Permanente, Mattel, and Pratt-Whitney Rocketdyne. He has also researched the diffusion of information technology in less-developed Asian countries.