Corporate governance of information technology

Information Technology Governance, IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, but more so because of the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.

IT capability is directly related to the long term consequences of decisions made by top management. Traditionally, board-level executives deferred key IT decisions to the company's IT professionals. This cannot ensure the best interests of all stakeholders unless deliberate action involves all stakeholders. IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework (see below) used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.

Contents 1 Definitions 2 Background 3 Problems with IT governance 4 Frameworks 5 Professional certification 6 Footnotes 7 See also 8 Further reading 9 External links

Definitions

There are narrower and broader definitions of IT governance. Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT."^[1]

In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives." ^[2]

Van Grembergen and De Haes (2009) focus on enterprise governance of IT and define this as "an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments".

While AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."

Background

The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between strategic objectives and IT management of an organization. It highlights the importance of IT-related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.

The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, ICT infrastructure, etc.

Accountability is the key concern of IT governance.

After the widely reported collapse of Enron in 2000 and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of auditors and the boards of directors for public and privately held corporations were questioned. As a response to this, and to attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Although not directly related to IT governance, Sarbanes-Oxley and Basel-II in Europe have influenced the development of information technology governance since the early 2000s.

Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. A series of Australian Standards for Corporate Governance were published in 2003, these were:

• Good Governance Principles (AS8000)
• Fraud and Corruption Control (AS8001)
• Organisational Codes of Conduct (AS8002)
• Corporate Social Responsibility (AS8003)
• Whistle Blower protection programs (AS8004)

AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008.Introduction to ISO 38500

Problems with IT governance

Is IT governance different from IT management and IT controls? The problem with IT governance is that often it is confused with good management practices and IT control frameworks. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.

Frameworks

There are quite a few supporting references that may be useful guides to the implementation of information technology governance. Some of them are:

• AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008
• ISO/IEC 38500:2008 Corporate governance of information technology, (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is applicable to organizations from all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
• Control Objectives for Information and related Technology (COBIT) is regarded as the world's leading IT governance and control framework. CobiT provides a reference model of 34 IT processes typically found in an organization. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. Originally created by ISACA, COBIT is now the responsibility of the ITGI (IT Governance Institute).
• The IT Infrastructure Library (ITIL) is a high-level framework with information on how to achieve a successful operational Service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum. While not specifically focused on IT governance, the process related information is a useful reference source for tackling the improvement of the service management function.

Others include:

• ISO27001 - focus on Information Security
• CMM - The Capability Maturity Model: focus on software engineering
• TickIT - a quality-management certification program for software development
• CARE - Comprehensive Architecture Rationalization and Engineering: a prescriptive method to perform a systematic assessment of information systems applications in an application/project portfolio^[3]

Non-IT specific frameworks of use include:

• The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas.
• Six Sigma - focus on quality assurance
• TOGAF - The Open Group Architectural Framework - methodology to align business and IT, resulting in useful projects and effective governance.

Professional certification

Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA). It is designed for experienced professionals, who can demonstrate 5 or more years experience, serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a 4-hour test, designed to evaluate an applicant's understanding of enterprise IT management. The first examination was held in December 2008.

Footnotes

See also

• Enterprise architecture
• Information Technology Infrastructure Library
• Information technology management
• IT portfolio management
• IT service management
• ISACA
• Project governance
• Val IT
• ISO/IEC 38500
• Data governance
• Website governance

Further reading

• Lutchen, M. (2004). Managing IT as a business : a survival guide for CEOs. Hoboken, N.J., J. Wiley., ISBN 0-471-47104-6
• Van Grembergen W., Strategies for Information technology Governance, IDEA Group Publishing, 2004, ISBN 1-59140-284-0
• Van Grembergen, W., and S. De Haes, Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, 2009.
  
• W. Van Grembergen, and S. De Haes, “A Research Journey into Enterprise Governance of IT, Business/IT Alignment and Value Creation”, International Journal of IT/Business Alignment and Governance, Vol. No. 1, 2010, pp. 1–13.
  
• S. De Haes, and W. Van Grembergen, “An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research”, Communications of AIS, No. 22, 2008, pp.443–458.
  
• S. De Haes, and W. Van Grembergen, “An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment”, Information Systems Management, Vol. 26, 2009, pp.123–137.
  
• S. De Haes, and W. Van Grembergen, “Exploring the relationship between IT governance practices and business/IT alignment through extreme case analysis in Belgian mid-to-large size financial enterprises”, Journal of Enterprise Information Management, Vol. 22, No. 5, 2009, pp. 615–637.
  
• Georgel F., IT Gouvernance : Maitrise d'un systeme d'information, Dunod, 2004(Ed1) 2006(Ed2), 2009(Ed3), ISBN 2-10-052574-3. "Gouvernance, audit et securite des TI", CCH, 2008(Ed1) ISBN 978-289366577-1

See also the bibliography sections of IT Portfolio Management and IT Service Management

• Renz, Patrick S. (2007). "Project Governance." Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7
• Wood, David J., 2011. "Assessing IT Governance Maturity: The Case of San Marcos, Texas". Applied Research Projects, Texas State University-San Marcos. http://ecommons.txstate.edu/arp/345 (This paper applies a modified COBIT framework to a medium sized city.)

External links

Institutes and associations

• The IT Governance Institute
• Information Systems Audit and Control Association
• International Association of Information Technology Asset Managers, Inc. - IAITAM
• Australian Computer Society Governance of ICT Committee
• IT Governance Network
• Togaf
• IT Governance Portal