Corporate Governance of IT: A Framework For Development

Boards of directors are beginning to look beyond the accounting roots of IT governance toward the risk of legal liability and harm to product brand and corporate reputation.
  1. Introduction
  2. Three-Stage Model
  3. Grid Framework
  4. Beyond ROI
  5. Conclusion
  6. References
  7. Author
  8. Figures

Interest in corporate IT governance typically focuses on ensuring return on investment (ROI) and compliance with accounting procedures. To succeed, however, ITG must also provide a comprehensive framework that allows organizations to deal with a range of computing issues [1, 6]. Recall how excessive focus on ROI led Enron, WorldCom, and others into legal and financial ruin. Recent literature highlights control and measurement issues, especially with regard to methods for measuring success/failure of governance practices (such as the balanced scorecard, or set of quantitative and qualitative metrics, to assess corporate performance) [2]. But organizations must develop their own policies and procedures regarding ITG and give them to their architects and developers for implementation [6].

Two recent events—one involving the theft of credit-card data, the other involving software failure—illustrate the urgency of ITG. In the first case, American Express and Visa terminated their relationship with CardSystems Solutions, a payment processor, in 2005 over what is thought to be the credit-card industry’s worst data breach to date. The CEO of CardSystems acknowledged the company had been improperly storing data, violating Visa and American Express security rules. In the other case, also in 2005, a computer system failure forced the Tokyo Stock Exchange to suspend trading of many stocks for several hours, revealing the vulnerability of one of the world’s largest trading systems. That glitch brought to light a serious limitation of the exchange—no backup system. Additional examples of the consequences of poor ITG are discussed in [6]. All of them highlight the urgent need for an all-encompassing ITG model and framework that can be expanded as needed to develop comprehensive ITG and identify its critical role in organizational governance. Additionally, the use of various types of IT (such as the Web) in promoting corporate governance can be examined.

Here, I describe a three-stage model of corporate ITG and develop a grid framework for policies and procedures, addressing how an organization could manage the introduction of comprehensive ITG and the kinds of policies and procedures such governance involves. A 1998 study by the Nolan Norton Institute (www.nolannorton.com) found that the intensity of IT utilization was the most important differentiator of ITG and management in most organizations. While IT has become a major factor in business productivity, incorporating ITG into organizations remains highly problematic. Explicit ITG and management models are scarce, and the available commercial literature offers insufficient theoretical tools to provide practical solutions. Information Edge, an online publication of the Scottsdale Institute (www.scottsdaleinstitute.org/infoedge/), pointed out in 2001 that, while IT is a critical driver of business success, boards of directors, even in technology companies, have not kept pace. Indeed, there is a basic disconnect between boards and the IT staffs of the companies they oversee. In addition, the publication reported, business strategies are typically not translated into the operational objectives of IT management units.

IT use within organizations demands thorough and thoughtful board governance, but such oversight is often delegated to lower management as operations matters, more an overhead item than a primary factor of production. Boards traditionally scrutinize business strategy and strategic risks. Faced with technology issues for which they have little interest and even less expertise, boards have largely left ITG on the sidelines. As it becomes increasingly difficult to distinguish organizational strategic mission from the IT that enables the mission, closing the ITG gap has become imperative.

Moreover, ITG is critical because performance expectations and reality often do not match. Boards tend to expect management to juggle myriad responsibilities:

  • Deliver quality IT solutions on time and within budget;
  • Harness and exploit IT to return strategic and operational value;
  • Leverage IT to increase efficiency and productivity; and
  • Manage IT risk.

All must be performed (without immediate oversight) at the “worker bee” lower-management level. Boards are surprised when their organizations experience financial losses, damaged reputations, weakened competitive positions, missed deadlines, higher-than-expected costs, lower-than-expected quality, and/or failure of IT initiatives to deliver promised benefits [9].

Overall corporate governance typically focuses on the ways suppliers of finance assure themselves of earning ROI. Adapting that definition for IT, researchers and practitioners suggest focusing on three main questions:

  • How does one ensure return on IT investment?
  • What is the role of the chief information officer and the IS organization?
  • How is the IS function controlled by top management?

ITG can be defined as “the organizational capacity to control the formation and implementation of IT strategy and provide direction to achieve competitive advantages for the corporation” [1, 4, 6]. Another definition is “how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control, and direction of the entity. How IT is applied within the entity will have an immense impact on whether the entity will attain its vision, mission, or strategic goals” [4]. Both definitions suggest that organizations must make every effort to establish structures that yield business value through IT, put control mechanisms in place, and minimize misguided IT investment.

These definitions also emphasize the alignment of IT objectives with business strategy, along with valid measurement of IT performance. Risks must be mitigated, requiring that ITG not be an isolated activity. CEOs and CFOs, as well as CIOs, should recognize it as a primary factor of production and make it an integral part of top management, rather than a technical segment practiced in relative isolation from organizational leadership. Boards practicing proper ITG often uncover and address problems in advance by addressing key questions: How critical is IT to sustaining the enterprise? How critical is IT to growing the enterprise? How far should the enterprise go in risk mitigation? Do the benefits justify the costs? Is IT a regular item on the board’s agenda? Is IT addressed in a structured manner? And is the reporting level of the most senior IT manager commensurate with the importance of IT? Since IT is a critical function for supporting and enabling enterprise goals, effective ITG generates real business benefits (such as reputation, trust, product leadership, time-to-market, and reduced costs), all of which increase stakeholder value [1, 4, 7].

While many business organizations recognize the business benefits of IT, successful ones also understand and manage the risks associated with implementing new technologies. Timely measures aimed at addressing these concerns must be promoted by the top-governance echelon of each enterprise. Hence, boards and executive management must extend governance to include IT. ITG is the responsibility of the board and executive management as an integral part of overall enterprise governance. Governance reflects the leadership and organizational structures and processes that ensure IT sustains and extends the organization’s strategies and objectives.

Three-Stage Model

In the three-stage conceptual corporate governance model outlined in Figure 1, Stage 1 emphasizes routine operational practices and procedures. Stage 2 expands and enriches them, focusing on the enterprise as a whole, as well as on customers, suppliers, and other alliance partners. Stage 3 extends good practices out to the industry and further still for the good of the public. Effective ITG can permeate industry, and a particular business can be at the forefront of the effort. Ideas from a prior stage are embedded throughout the organization (such as by developing a code of ethics for intranet use, creating an executive ombudsman position, or developing a whistleblower policy on IT project management).

In Stage 1, policies and procedures concerning internal activities are introduced and standardized; for example, rules governing employee privacy, email, security, data handling, and ethics are codified, and awareness of these rules promoted. Stage 2 begins once the focus shifts from internal policies, procedures, and standards to interactions and partnerships with customers, suppliers, and alliances; for instance, rules governing customer relationships and supply chains are formulated and shared with the external partners. In Stage 3, ITG practices are extended to the industry as “best practices,” perhaps leading to voluntary compliance by other organizations. The public could also be involved, as organizational governance boards or committees are formed, by including citizen members; when this practice is found to be effective by top management, it can be emulated by other organizations in the industry. The three stages are not necessarily sequential; establishment of policies and procedures can be simultaneous and overlapping.

Grid Framework

Figure 2 outlines a four-quadrant grid framework depicting two primary dimensions of ITG: focus (operational, strategic) and driver (internal, external). The interaction between them results in four quadrants: internal/operational, internal/strategic, external/operational, and external/strategic. In each, I specify examples of drivers and processes that require governance. The grid is adapted from [1].

The internal/operational quadrant concerns routine policies and procedures that most organizations must implement as a minimum. They focus on employees within the organization and include elements (such as email policy, codes of ethics, information assurance, and security and privacy), as well as software quality assurance and testing. For example, it was widely reported that the W32.Blaster worm may have contributed to the August 14, 2003 electrical power blackout in the northeastern U.S. The worm is believed to have compromised the performance of communication lines linking data centers used by utility companies to manage the power grid [10]. One can only speculate about how well-planned communication policy and procedures might have dealt with viruses to head off such a potential disruption.

Following the Columbia shuttle disaster on February 1, 2003, the accident investigation board (Report Volume 1, August 2003, www.nasa.gov/columbia/home/CAIB_Vol1.html) concluded that “deficiencies in communication were a foundation for the Columbia accident.” A massive bureaucracy—NASA—relied on informal email communication to manage the in-flight analysis of the damage to Columbia’s left wing by a piece of insulation foam that broke off during liftoff. This limitation led to a series of discussions with little or no cross-organizational communication, often with no feedback from senior managers when contacted by lower-level engineers regarding their concerns about shuttle safety [11].

In contrast, organizations can post their policies and “what-to-do” manuals on their intranets, providing easy access by employees to corporate policy. For example, processes for handling end-of-life computing-asset disposal can be developed by the IT department. The proper disposal of old equipment is critical for minimizing security risks and environmental concerns. This is a new development in the ITG domain, and the related policy needs to be adopted and communicated to all employees.

In the internal/strategic quadrant, I extend governance beyond routine operational procedures to policies affecting the organization’s overall performance. Top management is better positioned to address further questions, including: Is due-diligence analysis with regard to IT performed routinely (one scenario is the due-diligence evaluation of IT during merger talks)? Are substantive audit controls in place? Is benchmarking used for intra-industry comparison? How IT aligns with business strategy, ROI, and measurement must also be included.

The external/operational quadrant in Figure 2 covers governance policies regarding integration of customer relationships, supplier management, outsourcing with third-party vendors, other alliances, and channel relationships. A 2003 article reported that IT managers who cut corners in their offshore outsourcing contracts could be jeopardizing their organizations’ security and intellectual property [11]. With regard to online exchanges that bring suppliers and buyers together, as in the case of Covisint, an online auto exchange (www.covisint.com/about/), policies concerning antitrust compliance must be enunciated and made available to all parties.

Regulatory requirements and the need to protect corporate reputations make it crucial (at the risk of dire legal and business consequences) for companies to implement comprehensive data-privacy programs. Failure of ITG in these instances will eventually expose them to legal liability, hinder their ability to do business in certain parts of the world (most notably Europe and North America), and jeopardize trust-based relationships with customers.

In the external/strategic quadrant, the effect of laws and regulations is typically felt operationally, as the organization adopts governance policies and procedures dealing with compliance. In this operational context, the Health Insurance Portability and Accountability Act of 1996 and the Sarbanes-Oxley Act of 2002 come to mind. Sarbanes-Oxley, which aims to produce a more complete and accurate assessment of the financial condition of public companies, requires that they disclose “all material off-balance-sheet expenditures or other aspects of their finances”; the result has been that CFOs insist that CIOs provide them with more detailed information about the status of IT projects. CFOs push hard to ensure they are able to update quarterly earnings reports with as much information as possible about ongoing IT projects.

For example, in each quarter during 2003–2004, Texas-based Freight Pro, a logistics and shipping company, delivered a formal report on the status of its IT projects to its board of directors [3]. The reports detailed the anticipated cost, timeline, and benefits of new and existing projects [3]. The USA PATRIOT Act of 2001 requires financial services companies to improve their ability to identify customers and flag suspicious transactions [5]. Also, airlines continue debating how to maintain privacy [8] while still being responsive to the government’s need to examine passenger data. Announced in 2003, the Computer-Assisted Passenger Pre-Screening program (CAPPS II) was terminated by President George W. Bush in 2004 and replaced in 2005 by another program, called “Secure Flight,” that is not scheduled to be fully operational until 2010.

Government officials in the U.S. have said they will not be able to access personal information and would limit intrusion to a “threat assessment level” that flags certain passengers for further scrutiny. Despite the 9/11 terrorist attacks, this assessment attracted widespread public protest, and airlines (notably Delta Air Lines, JetBlue Airways, and Northwest Airlines) that cooperated have faced a fierce backlash from the flying public and their lawyers. For example, Delta terminated a program in 2003, after a threatened boycott, while JetBlue and Northwest were hit with class-action lawsuits following revelations that they secretly gave passenger data to government researchers [12].

Beyond ROI

Long-term ITG success requires organizations to look beyond ROI and traditional accounting perspectives that focus on financial numbers. The three-stage model I’ve devised to gradually implement ITG policies, combined with my four-quadrant grid framework, provides a good starting point for initiating ITG and enabling management to address the issue from a more comprehensive perspective. This approach is a major departure from the historical accounting view of governance. A board of directors can include external members (such as a local community activist, public policy expert, professor, or welfare worker) to provide external perspectives, particularly with regard to public and social policy.

To accomplish governance objectives, a steering committee of senior IT and business executives can determine corporate IT priorities and capital investment. Many organizations have IT steering committees that govern and manage IT resources on a corporate level. An IT steering committee provides the advantage of involving (executive) business management in IT issues, aligning IT with business strategy. “The need for an IT steering committee as a coordinating mechanism,” according to [6], “arose because information systems span all departments and functions. The members of such a committee are, therefore, senior representatives of the main divisions and functions chaired by a top executive, preferably the CEO” [6]. This approach can extend to self-directed work teams made up of IT staffers and business-unit liaisons to manage individual projects.

Boundaries specify the kinds of decisions work teams can and cannot make. An overall enterprise architecture council that sets corporate IT standards, plus more targeted groups (such as an IT security council), can also be created. The Information Systems Audit and Control Foundation (www.isaca.org) and the IT Governance Institute (www.itgi.org) have together developed an IT assessment tool called Control OBjectives for Information and related Technology, or COBIT, to measure IT performance and gather the information needed to keep boards informed [4]. For example, the Scottsdale Institute (www.scottsdaleinstitute.org/general/default.asp) and First Consulting Group (www.fcg.com) have together developed a performance improvement program addressing IT value in the health care industry. This tool, together with a complementary IT cost-benchmarking program, can help organizations understand their IT costs, compare themselves with other organizations, and network with them to gain insight into practices and lessons learned. Additionally, a knowledge repository can be developed to document organizational best practices in governance.

Conclusion

Transparency and accountability in corporate ITG are critical to stakeholder confidence and to creating a positive image with the general public. There is no generally accepted model for ITG. However, the conceptual model outlined here is useful for such ITG development. The need to address different industries, stakeholder objectives, corporate cultures, and institutional ITG frameworks and traditions demands a range of approaches. Quality ITG influences ethical practices and corporate awareness of the environment and of the societal interests of the communities in which organizations operate. These practices, in turn, affect the reputation and long-term performance of the organization. A sound governance policy can minimize cost and schedule overruns.

Pursuing the benefits of integrated ITG, many organizations set up IT governance committees [6]. In light of increased awareness of disclosure and transparency among companies, we can expect more governance practices supported by models and tools based on legal, ethical, and public policies and principles. Organizations would thus be better able to avoid unnecessary risk and ensure expensive projects remain under control with respect to cost, schedule, and strategic alignment.

As the idea of ITG is still relatively new, we should seek additional insight from the “best practices” of successful organizations. The need for research in ITG model development, both prescriptive and normative, is clear. The role of IT in overall corporate governance can and should be investigated. Additionally, cross-cultural studies of compliance, disclosure, transparency, and IT governance will shed light on global differences in perceptions. Finally, empirical studies should be performed by academic researchers and practitioners alike to validate the broad frameworks outlined in this article.

Figures

Figure 1. The three stages of IT governance.

Figure 2. A framework for IT governance.

    1. Henderson, J. and Venkatraman, N. Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal 38, 2–3 (1999), 472–484.

    2. Hoffman, T. Disparate views of IT governance spark debate. Computerworld (May 5, 2003), 14.

    3. Hoffman, T. CFOs push IT managers for more info about projects (Sarbanes-Oxley boosts reporting demands for CIOs). Computerworld (Apr. 28, 2003), 10.

    4. IT Governance Institute. Board Briefing on IT Governance, 2nd Edition. Rolling Meadows, IL; www.itgi.org.

    5. Mearian, L. Brokerages face big IT bills to comply with USA Patriot Act. Computerworld (Mar. 17, 2003), 12.

    6. Nolan, R. and McFarlan, F. Information technology and the board of directors. Harvard Business Review 83, 10 (Oct. 2005), 96–106.

    7. Scottsdale Institute. Closing the governance gap: Bringing boards into the IT equation. Information Edge 7, 7 (Aug. 2001).

    8. Sharkey, J. Growing opposition to computer screening. New York Times (Feb. 10, 2004), C7.

    9. Thibodeau, P. Offshore risks are numerous, say those who craft contracts. Computerworld (Nov. 3, 2003), 12.

    10. Verton, D. Blaster worm linked to severity of blackout. Computerworld 37, 35 (Sept. 1, 2003), 1.

    11. Verton, D. Inadequate systems play a role in Columbia disaster, report finds. Computerworld 37, 35 (Sept. 1, 2003), 5.

    12. Vijayan, J. Laws, concern for corporate image make privacy a priority. Computerworld (Oct. 6, 2003), 12.
