This chapter considers the governance issues raised by the increasing use of external parties to supply IT resources (including packaged enterprise software). The chapter briefly reviews existing formal governance frameworks and their treatment of IT outsourcing, then introduces an analytical model for considering outsourcing benefits and risks. The chapter then goes on to highlight some strategic IT governance issues that become critical once a firm outsources a significant proportion of its IT services. The aim of the chapter is to alert decision makers to the fact that outsourcing IT incorporates residual risks even when widely recommended operational controls are implemented. It concludes that effective control processes are necessary but not sufficient for good corporate governance, and suggests that those responsible for corporate governance ensure that both operational and strategic governance issues are considered when IT is substantially outsourced.
The effective management, control, and alignment (with business needs) of IT resources have been a topic of interest to the information systems discipline for decades (e.g., see Earl, 1988). However, it is generally only since the 1990s (Loh & Venkatraman, 1992) that the term “IT Governance” has been used to describe this responsibility. Typically, IT governance is seen as a subset of the corporate governance framework, which defines the institutional structures and processes for directing and controlling the firm in a way that encourages management to maximize the welfare of shareholders and other stakeholders (Tirole, 2001; Weill & Ross, 2004). Governance is understood to encompass authority, accountability, stewardship, leadership, direction, control, and, importantly, management of corporate risks (ASX, 2003; Tirole, 2001).
IT Governance focuses particularly on getting value from the firm’s substantial investments in information resources and systems, including their performance, efficiency, and value for money. IT Governance also focuses on identifying, reducing, and managing the significant risks that IT and information systems pose to a firm. IT Governance occurs at different levels within an organization and so is part strategic (enabling value by integrating risk consideration into strategic IT decision making) and part tactical/operational, where it is concerned with effective IT management and minimizing identified risks (including risk of compliance failure).