Sign In

Communications of the ACM

Contributed articles

Who Owns IT?


View as: Print Mobile App ACM Digital Library Full Text (PDF) In the Digital Edition Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook
Who Owns IT?, illustration

Credit: Shutterstock.com

In the 20th century, technology governance was largely about standards and centralized management. Moving into the 21st century, things began to change, first from centralized to federated technology governance models, then to "participatory" models. Commoditization, consumerization, and alternative technology-delivery models changed the way governance is defined and managed in many, though not all, companies. For many of them, the number of technology stakeholders has increased as the importance of technology has expanded to include at least three categories of governance: operational, strategic, and emerging technology. For many companies, the governance mission is evolving toward a shared, participatory model that recognizes the roles of all internal and external stakeholders, especially as companies acquire, deploy, and support technology through the "cloud" and supply chains globalize and integrate.

Our survey and interview data suggests governance now involves more stakeholders than ever before, many living way beyond the corporate firewall. The data reported here suggests participatory governance is emerging as a major technology governance model for the 21st century, and, for companies that increasingly satisfy business requirements through adoption of cloud computing, the participatory governance model is accelerating. Conversely, the companies that avoid cloud deployment and other alternative deployment models will likely stay within more-traditional centralized/federated governance structures. Our survey and interview data describes how technology governance is changing. As new technologies and technology-delivery models emerge, technology governance is evolving in ways quite different from the dominant models of the 20th and early 21st centuries. Based on the data, this article describes a new participatory governance matrix that recognizes the role internal and external stakeholders play in the technology-governance process.

Back to Top

Key Insights

ins01.gif

Back to Top

Technology Governance

Peterson14 defined information technology governance this way: "IT governance describes the distribution of IT decision-making rights and responsibilities among different stakeholders in the enterprise, and defines the procedures and mechanisms for making and monitoring strategic IT decisions." Technology governance, as in all aspects of corporate governance, concerns decision rights often organized in responsible/accountable/consultative/informed, or RACI, playbooks that describe who is allowed to acquire, deploy, and support business technology.12,20

In centralized IT organizations, decision rights involved in the acquisition, deployment, and support of technology belong to a central group reporting to a corporate executive, increasingly the CFO. In decentralized organizations, decision rights are shared across the enterprise and business units; in federated organizations, rights are coordinated across the corporate IT group, the business units, and even specific corporate functions.1,58,11,18,21,23,25 The evolution of research about technology governance is instructive here. Years ago, researchers, including Brown and Magill,7 Rockart et al.,18 and Weill and Broadbent,25 discussed technology governance in the context of organizational realities and the reality of choice, where hardware, software, and communications options were limited. But as organizations changed, especially with the federation of business units, and technology options increased, research on governance offered alternative insights into how companies redefined governance, as well as the role of technology in all business processes and models.11,20,21,23

Research on technology alignment and governance is extensive.3,6,13,24,28 We also know a lot about structures and processes.26 We know differences across governance structures are often explained through the formalization of arrangements. Historically, technology governance has been more explicit and formalized around operational technology (such as laptops, desktops, networks, storage, and security) than strategic technology (such as business applications and special-purpose hardware) or especially around emerging technology (such as social media, location-based services, wearables, and the Internet of things).2,14,17,19 Figure 1 outlines the differences among the three categories of technology, partly based on Weill and Broadbent,25 Weill and Ross,26 and Andriole.2,3


The new cloud-based, technology-delivery models and proliferation of "consumerized" devices have completely changed the governance equation.


In the 1970s and 1990s, infrastructure, in-house-developed applications, and databases were often centralized under the command of an enterprise chief information officer (CIO). Part of this command structure can be explained by the relative scarcity of hardware and software diversity at the time, unlike today, when there are many more hardware, software, communications, and delivery options than the popular "command and control" approach to managing corporate assets.

Over time, centralization yielded to decentralization and then federation. Enterprise CIOs countered with "technology standardization," believing even if the lines of business had some control, so long as they controlled the technology standards around primary devicesservers, desktops, and communicationsthey were still essentially in charge, even if they did not select every one of the organization's business applications. The centralization/decentralization/federation game persisted until the Web arrived in the early 1990s, when control was influenced by technology "consumers" who no longer viewed themselves only as end users.

During the mid-to-late 1990s, governance changed due largely to the "irrational exuberance" of the dot-com era and temporary determination that technology was more strategic than tactical. Following the dot-com crash of 2000, governance returned to operational cost control, staying that way until 2003 when technology budgets began to increase again. In the mid-2000s, governance changed again when it was shared by enterprise CIOs and business-unit CIOs (assuming the structure recognized business-unit CIOs) or just "business-unit technology directors," as they are sometimes called. Companies continued on this path until the financial world melted down again in 2008, and governance changed again, when it was centralized in the hands of a fewor even just onesenior executive(s), the CFO, the COO, or, infrequently after 2008, the CEO.

As more and more business processes and models were converted or augmented through digital technology, technology also became more accessible through new delivery models, especially cloud-delivery models. This finalized the near-total dependence business has on the reliability, scalability, and security of its digital technology, permanently changing the way companies acquire, deploy, and support technology. That is, businesses of all kinds discovered they could not functionor even existwithout IT and, by extension, the new technology-delivery models.

Old notions of governance are being challenged by technology commoditization, consumerization, and alternative technology-delivery models, along with other emerging technologies about to hit their problem-solving stride. This challenge is not just about the nuances of centralized/decentralized/federated but some very different governance structures that recognize the importance of outside participants.

Business units aggressively pilot and adopt new technologies. Consumerized, cloud-delivered technology has changed the rules around technology acquisition, deployment, and support. Business units no longer ask corporate IT if they can rent software or buy iPads; they just rent and buy as they choose, often without telling IT what they have done. So-called "shadow IT" is more pervasive than ever. The ability to do what they please is fueled by the technology itself. Cloud computing, renting rather than buying technology, and easily supported devices (such as smartphones and tablets) make it easy for anyone to acquire, deploy, and support digital technology. The new cloud-based-technology-delivery models and proliferation of consumerized devices have completely changed the governance equation.

Each governance configuration comes with implications and consequences. The allocation of decision and input rights is simultaneously political and practical. Companies must decide how they want to allocate rights and how far they want to push their political processes.

Back to Top

Challenges

The very notion that operational technology is fully commoditized challenges governance in several important ways. For example, many companies outsource their operational technology to local and/or offshore providers. Sharing outsourcing governance of even operational technology can make sense, especially as companies globalize. Strategic technology (technology facing customers and suppliers) is often "co-governed" by technology and business professionals, as the performance metrics are both technological and functional. Supply-chain partners represent an ongoing challenge to governance, as they often present their own integration and interoperability challenges that must be satisfied by the business units with which they do business.10

Renting (versus buying and installing) software calls for whole new governance models. Vendor management has emerged as a core competency for many companies. Service-level agreements must be managed for performance; business units and central IT alike have roles to play here. Similarly, renting hardware through cloud delivery will emerge within the decade as a viable alternative to building and maintaining huge server farms. This trend will challenge governance as well, requiring cooperation between business and technology units, since "control" will now involve third partiesthe cloud and supply-chain providerscommitted to providing support to the whole company, not just its central IT organization.

Consumerization has changed the way technology is introduced. Technology adoption now often occurs before employees enter the building. Web 2.0 and social-media technologies (such as wikis, blogs, podcasts, RSS filters, virtual worlds, crowd-sourcing, mashups, and social networks) are quickly making their way into companies. Corporate IT departments struggle to keep up with the use of these tools by employees, customers, and suppliers. Mashups are the creation of computing components inside and outside the corporate firewall. Who controls the APIs, the components and widgets that mash into new applications? How do companies prevent blogs and wikis from springing up on employees' laptops?

Web-based applications also pose a challenge to old governance models. They are built quickly and deployed almost instantly. Changes to existing transaction-oriented Web sites are immediate. If a business unit wants to roll out a revised global pricing schedule, does it need to go through corporate IT? We crossed that authority chasm a decade ago when we invested in user-controlled rules engines and other technologies intended to support real-time decision making. New applications are designed and developed by internal professionals and, increasingly, by outside developers accountable to business units, not to corporate IT. Application development and all varieties of Web-based applications are no longer governed by corporate IT, except, as suggested earlier, at the architectural level (which should remain in the control of the enterprise technology organization). Participatory development is a change from the past, but the prominence of the Web as the emerging dominant transaction platform has changed everything.

Globalization is another major driver of new governance models. As more and more companies expand their global reach, they must adjust the authority they exercise over the business units they encourage to grow. Decentralization and federation are necessary to enable agile decision making; business units expanding around the globe need the authority to make local and regional decisions. Extending corporate IT from headquarters around the world makes sense infrequently. Servicing an army of technology ex-pats is expensive and inhibiting. Local talent, providers, and local/regional/country support makes sense as companies build sustainable footprints around the world.

Globalization calls for new governance structures. "Headquarters" must decentralize. Standards must become architectural and procedural, not based on brands, models, or vendors. Our data suggests enterprise CIOs and CTOs should focus on infrastructure optimization, alternative technology-delivery models, and architectureand not much else. Business units should focus on requirements, application development (within architectural standards), and deployment of fast/cheap technologies like those in social media. If companies do not adjust their governance around these activities, the business-technology partnership will collapse. There will be major pushback from the business units that want to move quickly, cheaply, adaptively. If central IT organizations provide roadblocks to these operating principles, the lines of business will end run the IT organization.

Back to Top

Participatory Technology Governance

Consider this essential finding of our analysis: Where technology governance was essentially something defined and implemented by technology and business professionals in their own companies, the new participatory governance reflects the distribution of decision rights across multiple internal and external participants.

The concept of "participatory governance" emerged from informal discussions validated through formal interviews and surveys with business-technology managers and business executives across the globe (for the surveys) and the U.S. locally/regionally/nationally (for the interviews) on the state of technology governance. The data was collected from both the technology and business sides of multiple companies. Segmenting the groups indicates technology professionals are somewhat less likely to endorse participatory governance, while business professionals are much more likely to endorse it. There is, however, general agreement that cloud and supply-chain computing are the major drivers of participatory governance and that technology vendors and business suppliers should be part of the governance process.

The discussion here contrasts the way corporate leaders have governed technology in the past and where technology governance is likely to go. Participatory governance is a response to the relatively closed governance structures and processes prevalent in the 20th and early 21st centuries. It is also described by interviewees as a response to the general diffusion of digital technology within and beyond corporate firewalls. The whole notion of governance has expanded. Our data confirms emerging trends in the acquisition and control of technology assets, as well as in the administration of technology processes and services.

Companies routinely look outward to make technology decisions; that is, they find they must consult stakeholders/participants outside their companies to make important technology acquisition, deployment, and support decisions. We consolidated the results from multiple surveys, supplemented by interviews used to (anecdotally) validate/invalidate what the survey data told us.

Figure 2 outlines the governance participants identified in our data. The survey and interview questions focused on governance participants, models, and processes. The result of the surveys and interviews filled a new RACI-based governance matrix presented here. The number of participants in the emerging governance process has increased, and nearly all growth is outside the proverbial corporate firewall. Some new participants are the result of changes in the way technology is acquired, deployed, and supported (such as the vast number of cloud computing providers under contract today). Similarly, integrated supply chains have increased dependency among technology providers. Finally, since many customers are glued to their social networks, companies today must engage them through communication and content networks they do not control in any way, shape, or form. How do they "govern" this activity?

Back to Top

Survey and Interview Data

The data was collected from surveys conducted by the author at Villanova University through the Cutter Consortium (http://www.cutter.com) 20082014 and from interviews the author conducted 20042014 with CIOs and CTOs who were part of the Villanova University CIO Technology Advisory Council, a rotating group of more than 50 local, regional, and national technology executives. The surveys and interviews involved more than 500 technology managers and executives. Data was collected through surveys and face-to-face interviews repeated every two years. Survey instruments and questionnaires were developed for both data-collection processes. General technology-adoption questions, as well as specific questions, were asked about technology governance and alternative organizational structures. The data reflects input from both the technology and business sides of companies whose participants were asked to identify their roles in technology management. The data reported here represents the combined percentages for the period 20082014.


Segmenting the groups indicates technology professionals are somewhat less likely to endorse participatory governance, while business professionals are much more likely to endorse it.


Figure 3 outlines very different governance perceptions and attitudes from those expressed in surveys conducted in the late 20th and early 21st centuries. Note first the distinctions among operational technology, strategic technology, and emerging technology. Note, too, the range of referenced stakeholders. There are the usual suspectsthe corporate and business-unit clientsbut there is also a new cast of characters, including vendors, providers, partners, and even "the crowd," or the random actors who gather on social-media sites. The full cast is why the range of governance and number of governance stakeholders is dramatically different today, and why the whole notion of control will yield to what might be called "participatory" or "shared" control.

Also note the differences between technology and business professionals. While business professionals hold strong views about governance trends, the technology professionals also acknowledge the changes in technology management and acquisition, even though their opinions are measurably different from those of business professionals.

Our interviews with CIOs, CTOs, and senior executives and managers from the business side say participatory governance is inevitable, endorsing the "recommendation" to adopt a more collaborative, participatory approach to technology governance:

Here are some insightful quotes from some of our technology executives:

"It was only a matter of time before the businesses demanded more control of technology. I mean, we sort of kept them at arm's length for years. Once Apple started making stuff that everyone really really wanted, we were toast. So we had to give up some control." CIO of a chemicals company

"The world really is flat. We sell products all over the world and have databases and applications everywhere, including the cloud. It is impossible to control everything from one address. We had to rethink governance, or there would be a revolution." CIO of a technology company

"We will be 90% cloud-based in five years. Our vendors have as much to say about how we govern technology as we do. Pretty soon, cloud vendors will be telling us what we can and cannot do." CIO of a pharmaceuticals company

"Gone are the days when IT calls the shots. And maybe that's not a bad thing. For a long time, we owned all the technology and the processes for buying and implementing technology. But now we have to move faster and open up our standards to businesses that need more technology faster and cheaper. I guess it's about time." CIO of a financial services company

"Working with the businesses is great. But they don't always understand how complicated IT is or how much work it takes to get technology to work. We have to work with our vendors and consultants constantly to get all this right. The businesses worry much more about what technology can do for them now, especially for sales. That's great, but it takes more than hand waving." CIO of a financial services company

"The lines of business get it. They understand that they need our infrastructure but want more control over the applications they use. Makes sense to me, so long as their decisions keep the infrastructure viable. We can't have a free-for-all. There have to be some rules, but I get that the rules need to be more flexible. I get that now." CTO of an insurance company

Here are some quotes from our interviews with business executives:

"We need to move fast. We can't wait for IT to decide what we shouldor should notbe doing. Our problems need technology solutions. While standards are important, and all they bring to stability and security, we still need to solve problems quickly." President of a pharmaceutical business unit

"IT is the group that tells me what I can't do, not what I want to do with technology. That has to change or we will fall behind. When I ask for new technology, my question assumes that IT can make it work. Or I will find it somewhere else." CEO of a biotech company

"Cloud computing has given us all hope. Not just because it represents a good alternative but because it frees us from corporate IT. It used to be that for us to get some new database or application we had to ask IT, which then told us that it would be too hard to do. Since we depended on IT's infrastructure to get things done, we had to accept their 'interpretation' of how easy or hard it would be to give us what we wanted. Now we can go to the cloud and just rent the damn stuff." Sales manager of a financial services company

"It's about time that central IT asks us what we want. And now when we tell them they listen. I always wonder if they listen because they want to be more responsive or because they know we can just go buy it ourselves. Thank God for the cloud. It gives me the ultimate trump card." CIO of an insurance company business unit

The survey and interview data suggests business and technology professionals understand the governance process is changing and the number of participants in the governance process is increasing. Vendors, service providers, partners, and colleagues in the cloud are now governance stakeholders. Vendors and service providers are special stakeholders since the products and services they offer define de facto governance. Companies that outsource huge amounts of their operational infrastructures outsource many of their technology standards and the governance around those standards. While the standards themselves can be broad, they still define what the hardware, software, and service offerings will be.

Environments that outsource lots of technology and technology services share governance with their providers. Similarly, suppliers and other partners frequently require specific technology-based transaction processing that also results in shared governance.9,22 The crowd is one of the most dramatic challenges to corporate governance. The crowd is the source of a variety of "extensions" to everyone's technology capabilities. The best example of this is the application programming interfaces (APIs) published by companies and individuals that make it possible for clients and their providers to extend the functionality of applications quickly and cheaply. But are all APIs OK to use? Governance must extend well beyond the corporate firewall to include policies and protocols for the use of externally developedyet powerfulAPIs and other software widgets that can be used to enhance functionality. In addition to APIs and widgets, the crowd can also provide expertise. We are moving quickly toward a free-agent approach to selected corporate problem solving. What if a company must develop a dashboard, a process, a chemical, or a drug? Should it turn to the crowd? What if it moved its help desk to the cloud and paid specialists when they solved problems? Shared governance is at least partially assumed by these trends.

Finally, note in Figure 4 the responsible/accountable/consultative/informed, or RACI, playbook informed by the survey and interview data. The data suggests the participation scalefrom responsible to informedhas shifted. Of special importance is the addition of external stakeholders to the governance process.

The RACI playbook suggests the enterprise is responsible (R) and accountable (A) for operational technology but less so for strategic and emerging technology. It also suggests providers are also accountable (A) for operational delivery because so much technology is now outsourced from cloud providers. Partners and suppliers also play an important role in operational technology selection and deployment (As).

Corporate functions and business units are accountable (A) and responsible (R) for strategic and emerging technology. This is a major change from the governance of the 20th century, when most if not all strategic and emerging technology was governed by the enterprise CIO.

Providers, partners, and the crowd are now direct participants in technology acquisition, deployment, and support through their consultative (C) and informed (I) roles, with the exception of providers' shared accountability (A) for strategic and emerging technology, due primarily to the implications of the integration and support of new technology. This structure is new.

Back to Top

Conclusion

These findings and analysis indicate governance is changing, "control" is a concept morphing into collaboration and participation, and participatory governance will replace both the rigid conventional governance structures and processes of the 20th century and even more-open "federated" structures of the early 21st century. Participatory governance acknowledges expansion of the number of governance stakeholders, commoditization of technology, consumerization, and the increasing practice of outsourcing operational, strategic, and emerging technology. The data also suggests the new business technology alignment opportunity is through participatory governance.

Back to Top

References

1. Agarwal, R. and Sambamurthy, V. Principles and models for organizing the information technology function. Management Information Systems Quarterly Executive 1 (Mar. 2002), 116.

2. Andriole, S.J. Ready technology. Commun. ACM 57, 2 (Feb. 2014), 4042.

3. Andriole, S.J. Boards of directors and technology governance: The surprising state of the practice. Communications of the Association for Information Systems 24 (Mar. 2009), 373394.

4. Brousell, L. IT Reorgs on the horizon. CIO Magazine (Feb. 26, 2013).

5. Brown, C.V. Examining the emergence of hybrid IS governance solutions: Evidence from a single case site. Information Systems Research 8, 1 (1997), 6994.

6. Brown, A.E. and Grant, G.G. Framing the frameworks: A review of IT governance research. Communications of the AIS 15, 38 (2005), 696712.

7. Brown, C.V. and Magill, S.L. Alignment of the IS functions with the enterprise: Toward a model of antecedents. MIS Quarterly 18, 4 (Apr. 1994), 371403.

8. Chan, Y.E. and Reich, B.H. IT alignment: What have we learned? Journal of Information Technology 22, 4 (2007), 297315.

9. Demirkan, H., Cheng, H., and Bandyopadhyay, S. Coordination strategies in an SaaS supply chain. Journal of Management Information Systems 26, 4 (2010), 119143.

10. Dong, H., XU, S.X., and Zhu, K.X. Information technology in supply chains: The value of IT-enabled resources under competition. Information Systems Research 20, 1 (Mar. 2009), 1832.

11. Evaristo, J.R., Desouza, K.C., and Hollister, K. Centralization momentum: The pendulum swings back again. Commun. ACM 48, 2 (Feb. 2005), 6671.

12. Feltus, C., Petit, M., and Dbois, E. Strengthening employee responsibility to enhance governance of IT: COBIT RACI chart case study. In Proceedings of the ACM Workshop on Information Security Governance (Chicago, Nov. 13). ACM Press, New York, 2009, 2332.

13. McElheran, K. Decentralization versus centralization in IT governance. Commun. ACM 55, 11 (Nov. 2012), 2830.

14. Peterson, R. Crafting information technology governance. EDPACS: The EDP Audit, Control, and Security Newsletter 32, 6 (Dec. 2004), 124.

15. Peterson R. Configurations and coordination for global information technology governance: Complex designs in a transnational European context. In Proceedings of the Hawaii International Conference on System Science (Wailea, Maui, Jan. 26). IEEE Computer Society Press, 2001.

16. Peterson, R. Information strategies and tactics for information technology governance. In Strategies for Information Technology Governance, W. Van Grembergen, Ed., Idea Group Publishing, Hershey, PA, 2003, 3778.

17. Peterson, R., Parker, M.M., and Ribbers, P. Information technology governance processes under environmental dynamism: Investigating competing theories of decision making and knowledge sharing. In Proceedings of the 23rd International Conference on Information Systems (Barcelona, Spain, Dec. 1518). Kluwer Academic Publishers, Norwell, MA, 2002.

18. Rockart, J., Earl, M., and Ross, J. Eight imperatives for the new IT organization. Sloan Management Review (Oct. 1996), 4355.

19. Sambamurthy, V. and Zmud, R.W. Arrangements for information technology governance: A theory of multiple contingencies. MIS Quarterly 23, 2 (Feb. 1999), 261290.

20. Teo, W.L., Manaf, A.A., and Choong, P.H.L Practitioner factors in information technology. Journal of Administrative Sciences & Technology (June 2013), 112.

21. Tiwana, A., Konsynski, B., and Venkatraman, N. Information technology and organizational governance: The IT governance cube. Journal of Management Information Systems (Special Issue) 30, 3 (Winter 20132014), 712.

22. Topi, H. and Tucker, A.B., Eds. Information Systems and Information Technology, Volume 2 (Computing Handbook Set). Taylor and Francis, Boca Raton, FL, 2014.

23. Ullah, A. and Lai, R., Requirements engineering and business/IT alignment: Lessons learned. Journal of Software 8, 1 (Jan. 2013), 110.

24. Wallace, M. and Webber, L. IT Governance: Policies & Procedures. Wolters-Kluwer, Alphen aan den Rijn, the Netherlands, 2012.

25. Weill, P. and Broadbent, M. Leveraging the New Infrastructure: How Market Leaders Capitalize on Information Technology. Harvard Business School Press, Boston, MA, 1998, 5862.

26. Weill, P. and Ross, J. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press, Boston, MA, 2004.

27. Weill, P., Subramani, M., and Broadbent, M. Building IT infrastructure for strategic agility. Sloan Management Review 44 (Oct. 2002), 5765.

28. Weill, P. Don't just lead, govern: How top-performing firms govern IT. MISQ Executive 3, 1 (Mar. 2004), 117.

29. Winkler, T.J. and Brown, C.V. Horizontal allocation of decision rights for on-premise applications and software-as-a-service. Journal of Management Information Systems 30, 3 (Jan. 2014), 1348.

Back to Top

Author

Stephen J. Andriole (stephen.andriole@villanova.edu) is the Thomas G. Labrecque Professor of Business Technology in the Department of Accountancy and Information Systems in the Villanova School of Business at Villanova University, Villanova, PA.

Back to Top

Figures

F1Figure 1. Technology categories.

F2Figure 2. Governance participants.

F3Figure 3. Findings from business (B) and technology (T) professionals.

F4Figure 4. RACI participatory governance.

Back to top


©2015 ACM  0001-0782/15/03

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from permissions@acm.org or fax (212) 869-0481.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2015 ACM, Inc.


Comments


Paul Schantz

What a great post! Exceptionally relevant to higher education IT.


Displaying 1 comment