Business Accent
Getting IT governance right
Jaspreet Singh
Attention to IT governance is necessary to ensure that IT
investments generate the required business value, and that risks associated
with IT are lessened.
Information Technology (IT) has become pervasive in today's dynamic and
turbulent business environments. While business executives could delegate, ignore
or avoid IT decisions in the past, this is now impossible in most sectors and
industries. The dependence on IT becomes imperative in our knowledge-based economy
where organisations use technology to manage, develop and communicate intangible
assets such as information and knowledge. Corporate success can only be attained
when information and knowledge, very often provided and sustained by technology,
are secure, accurate and reliable, and provided to the right person at the right
time at the right place.
This dependence on IT implies a huge vulnerability that is inherent in complex
IT environments. System and network downtime has become far too costly for any
organisation in these days of doing business around the clock on a global scale.
Take the impact of downtime on a bank or a hospital; the risk factor is accompanied
by a wide spectrum of external threats such as errors and omissions, abuse,
cyber crime and fraud.
Information technology often entails large capital investments in organisations,
while companies have multiple shareholders who demand the creation of business
value through these investments. The question of the productivity paradox is:
"Why has IT not provided measurable value to the business world?"
This question has puzzled many practitioners and researchers.
The issues described above reveal that the critical dependency on IT calls for
a specific focus on IT governance. This is needed to ensure that IT investments
will generate the required business value, and that risks associated with IT
are mitigated.
IT, and its use in business environments, has experienced a fundamental transformation
in the past few decades. Since the introduction of IT in organisations, academics
and practitioners have conducted research and developed theories and best practices
in this emerging knowledge domain. This has resulted in a variety of definitions
of IT governance, some of which are formulated below.
Defining IT governance
IT governance has been defined in many ways.
"The organisational capacity to control the formulation and
implementation of IT strategy, and guide to proper direction for the purpose
of achieving competitive advantages for the corporation."
The Ministry of International Trade and Industry (1999)
"IT governance is the responsibility of the board of directors
and executive management. It is an integral part of enterprise governance, and
consists of the leadership and organisational structures and processes which
ensure that the organisation's IT sustains and extends its strategy and
objectives."
IT Governance Institute (2001)
"IT governance is the organisational capacity exercised by
the board, executive management and IT management to control the formulation
and implementation of IT strategy, and in this way ensure the fusion of business
and IT."
Van Grembergen (2002)
IT governance vs IT management
IT management focusses on the effective internal supply of IT services and
products, and the management of existing IT operations. IT governance is much
broader, and concentrates on performing and transforming IT to meet the present
and future demands of the business (internal focus) and the business's customers
(external focus).
IT governance, corporate governance & the board
The definition of IT governance as proposed by the IT Governance Institute states
that IT governance is the responsibility of the board and executive management,
and that IT governance should be an integral part of enterprise governance.
How can we explain this relationship between IT governance, corporate governance
(or enterprise governance) and the board?
Enterprise governance is the system by which entities are
directed and controlled. Business dependency on information technology has made
it so that enterprise governance issues cannot be solved without considering
IT. Enterprise governance should therefore drive and set IT governance. Information
technology in turn can influence strategic opportunities as outlined by an enterprise,
and can provide critical input to strategic plans. In this way, IT governance
helps an enterprise take full advantage of its information, and can be seen
as a driver for enterprise governance.
Looking at this interplay in greater depth, enterprise activities require information
from IT activities to meet business objectives, and IT must be aligned with
enterprise activities to take full advantage of its information. IT governance
and enterprise governance cannot therefore be considered as pure, distinct disciplines,
and IT governance needs to be integrated with the overall enterprise governance
structure.
As IT governance becomes an integral part of corporate governance, it is of
course a responsibility of the board of directors. The composition of the board
varies widely from organisation to organisation, but generally involves a mix
of executive directors (those who are employed directly by the business) and
non-executive or independent directors (those who are appointed
from outside the business).
There are also important differences between countries regarding the role, composition
and procedures of the board. These differences naturally lead to variations
in expectations, emphasis, etc., but the fundamental responsibilities of the
board do not change, and attention should be paid to the close link between
technology management and the achievement of business goals. Moreover, market
analysts state that investors are willing to pay more for the shares of a well-governed
company. Although hypothetical premiums are difficult to measure, there is little
question that good governance makes a difference to corporate value.
A holistic approach towards IT governance acknowledges its complex and dynamic
nature consisting of a set of inter-dependent sub-systems that deliver a powerful
whole. Moreover, taking the context of hyper competition and fluctuating economic
conditions into account, IT governance within an organisation cannot be a static
model. It should address both current and emerging requirements, and thus be
able to continuously evolve.
Roles and responsibilities
Clear and unambiguous definitions of the roles and the responsibilities of the
involved parties are a crucial pre-requisite for creating an effective IT governance
framework. It is the role of the board and executive management to communicate
these roles and responsibilities, and to make sure that they are clearly understood
throughout the organisation. The board as well as the business and IT management
have to play an important role in assuring the governance of IT. The CIO is
certainly neither the only nor the primary stakeholder in such a process.
The CEO has the singular responsibility for carrying out strategic plans and
policies that have been established by the board, and he should ensure that
the CIO is included and accepted in the senior-level decision-making process.
The CIO and CEO should report on a regular basis to the board; the board in
turn has to play the role of independent overseer of business performance and
compliance. Board members should keep their knowledge up-to-date with regard
to current business models, management techniques, technologies, and of course
potential risks and benefits associated with each of these. This helps them
ask the right questions. The establishment of an IT strategy committee at board
level can be a very helpful mechanism to achieve these goals.