Information technology governance
Information technology governance (IT governance) is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, but more so because of the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.
IT capability is directly related to the long-term consequences of decisions made by top management. Traditionally, board-level executives deferred key IT decisions to the company's IT professionals. This cannot ensure the best interests of all stakeholders unless deliberate action involves all stakeholders. IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework (see below) used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.
Definitions
There are narrower and broader definitions of IT governance. Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT." In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
Van Grembergen and De Haes (2009) focus on enterprise governance of IT and define this as "an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments".
AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
Background
The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between strategic objectives and IT management of an organization. It highlights the importance of IT-related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.
The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, ICT infrastructure, etc.
Accountability is the key concern of IT governance.
After the widely reported collapse of Enron in 2000 and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of auditors and the boards of directors for public and privately held corporations were questioned. As a response to this, and to attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Although not directly related to IT governance, Sarbanes-Oxley and Basel II in Europe have influenced the development of information technology governance since the early 2000s.
Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. A series of Australian Standards for Corporate Governance were published in 2003; these were:
- Good Governance Principles (AS8000)
- Fraud and Corruption Control (AS8001)
- Organisational Codes of Conduct (AS8002)
- Corporate Social Responsibility (AS8003)
- Whistle Blower protection programs (AS8004)
AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008.
Problems with IT governance
Is IT governance different from IT management and IT controls? The problem with IT governance is that often it is confused with good management practices and IT control frameworks. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.
Frameworks
There are quite a few supporting references that may be useful guides to the implementation of information technology governance. Some of them are:
- AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.
- ISO/IEC 38500:2008 Corporate governance of information technology (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
- Control Objectives for Information and related Technology (COBIT) is regarded as the world's leading IT governance and control framework. COBIT provides a reference model of 34 IT processes typically found in an organization. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. Originally created by ISACA, COBIT is now the responsibility of the ITGI (IT Governance Institute).
- The IT Infrastructure Library (ITIL) is a high-level framework with information on how to achieve a successful operational service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum. While not specifically focused on IT governance, the process-related information is a useful reference source for tackling the improvement of the service management function.
Others include:
- ISO27001 - focus on Information Security
- CMM - The Capability Maturity Model - focus on software engineering
- TickIT - a quality-management certification program for software development
Non-IT specific frameworks of use include:
- The Balanced Scorecard (BSC) - method to assess an organization's performance in many different areas.
- Six Sigma - focus on quality assurance
- TOGAF - The Open Group Architecture Framework - methodology to align business and IT, resulting in useful projects and effective governance.
Professional certification
Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA). It is designed for experienced professionals who can demonstrate 5 or more years' experience serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a 4-hour test, designed to evaluate an applicant's understanding of enterprise IT management. The first examination was held in December 2008.
See also
- Enterprise architecture
- Information Technology Infrastructure Library
- Information technology management
- IT portfolio management
- IT service management
- ISACA
- Project governance
- Val IT
- ISO/IEC 38500
- Data governance
- Website governance
Further reading
- Lutchen, M. (2004). Managing IT as a business : a survival guide for CEOs. Hoboken, N.J., J. Wiley., ISBN 0-471-47104-6
- Van Grembergen W., Strategies for Information technology Governance, IDEA Group Publishing, 2004, ISBN 1-59140-284-0
- Van Grembergen, W., and S. De Haes, Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, 2009.
- W. Van Grembergen, and S. De Haes, “A Research Journey into Enterprise Governance of IT, Business/IT Alignment and Value Creation”, International Journal of IT/Business Alignment and Governance, Vol. No. 1, 2010, pp. 1–13.
- S. De Haes, and W. Van Grembergen, “An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research”, Communications of AIS, No. 22, 2008, pp.443–458.
- S. De Haes, and W. Van Grembergen, “An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment”, Information Systems Management, Vol. 26, 2009, pp.123–137.
- S. De Haes, and W. Van Grembergen, “Exploring the relationship between IT governance practices and business/IT alignment through extreme case analysis in Belgian mid-to-large size financial enterprises”, Journal of Enterprise Information Management, Vol. 22, No. 5, 2009, pp. 615–637.
- Georgel F., IT Gouvernance : Maitrise d'un systeme d'information, Dunod, 2004(Ed1) 2006(Ed2), 2009(Ed3), ISBN 2-10-052574-3. "Gouvernance, audit et securite des TI", CCH, 2008(Ed1) ISBN 978-289366577-1
See also the bibliography sections of IT Portfolio Management and IT Service Management.
- Renz, Patrick S. (2007). "Project Governance." Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7
- Wood, David J., 2011. "Assessing IT Governance Maturity: The Case of San Marcos, Texas". Applied Research Projects, Texas State University-San Marcos. http://ecommons.txstate.edu/arp/345 (This paper applies a modified COBIT framework to a medium sized city.)