In this chapter a selective review of current IT Governance practice is provided. The intent is to provide a context for future chapters rather than to act as a comprehensive review. Hence the review only covers the major developments. It starts by looking at the empirical research on IT Governance with the focus being on Weill and Ross (2004), who in research terms have written “the book” on IT Governance. This is followed by a review of the two most dominant public IT Governance guidelines and frameworks, COBIT and ITIL.
Current State Of The Art
A good place to start in understanding IT Governance is with some definitions. The level of commonality found among them gives an assessment of the level of maturity in the area, and each definition can also provide some insight into the context in which its author views the area. IT Governance is considered a subset of corporate governance. A basic definition of IT Governance is:
The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT [1]
Weill & Ross (2004, p8) offer:
Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT
This definition provides more of a focus on the decision makers and their accountability to some pre-defined objectives.
A more detailed definition is provided by the IT Governance Institute through the public organisation ISACA, established over 40 years ago to support IT Governance professionals:
IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives. [2]
This more detailed definition extends beyond the “what” of IT Governance and begins to detail some of the “hows”. The definition reflects the auditing heritage of ISACA (Information Systems Audit and Control Association) and is consistent with the current views on corporate governance, especially in light of the Enron, Arthur Andersen and WorldCom collapses that led to the establishment of a new compliance regime around the Sarbanes-Oxley Act in the USA.
The latter definitions imply a compliance approach, with the establishment of defined processes, organisational structures and procedures as the way to achieve effective IT Governance. How successful are such approaches? Do they guarantee business success if applied diligently? In the next section a review of empirical research linking IT Governance practices to business performance is provided.
Best Practice Research
The book on IT Governance by Weill and Ross (2004) was the culmination of extensive research on linking IT Governance practices to business performance at the MIT Sloan School of Management Center for Information Systems Research (CISR). Their research involved over 300 enterprises in over 20 countries during the period of 1999-2003. It represents the most extensive research conducted to date on IT Governance and its effects on business performance.
In conducting their research Weill & Ross developed a number of frameworks to support their search for best practice IT Governance. The lack of a standard way of describing an IT Governance arrangement no doubt contributed to their finding that fewer than 50% of senior executives could accurately explain their IT Governance approach. To fill this gap, they developed a Governance Arrangement Matrix with the key IT decisions/activities (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment) on one axis and typical arrangement archetypes that they had observed (Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy) on the other. Using this framework they were able to classify the governance patterns of the different organisations they studied, and then draw inferences about which governance patterns were most associated with good business performance.