This chapter focuses upon the Australian Standard for the Corporate Governance of Information and Communication Technology (ICT) AS8015 (Standards Australia, 2005) and presents research findings that can be applied as recommendations to enhance the effective implementation of this Standard’s principles within an organization. These recommendations, which relate to the principles outlined within the Standard, concern such factors as identifying and addressing issues surrounding the implementation of this Standard and the actions that could be undertaken to improve the effectiveness of ICT governance by sharply focusing upon the governance aspects of ICT within business, as opposed to the management aspect of ICT.
This research investigates and identifies the organizational issues that surround the implementation of organizational governance of ICT, both within the business and in support of business strategies and goals. Before proceeding, however, it is important to note that the terms “ICT governance” and “IT governance” are used interchangeably throughout this chapter, depending on the source being cited. Before investigating the issues that impact on organizational ICT governance, we must establish its genesis in relation to corporate governance and its development as an associated governance discipline, one that is coming under greater attention because recent public failures have brought the issues of organizational governance and accountability into sharp focus.
Corporate governance is defined by the Organisation for Economic Cooperation and Development (OECD) as an activity which “involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders” (OECD, 2004). The OECD's recommendations were published in the OECD Principles of Corporate Governance (2004). These principles represent a common point of understanding between representative member countries and promote acceptable practices that assist business organizations to deliver transparent and informative reporting to shareholders and ensure boards of management are accountable for their actions (Witherell, 2004). The Australian Standard entitled Good Governance Principles AS8000 (2003) is heavily based on the OECD principles of corporate governance and reflects the Australian perspective of corporate governance as concerned with conduct and relationships between company stakeholders (Standards Australia, 2003).
In relation to corporate governance, IT governance is a subset defined as “specifying the decision rights and accountability framework to encourage desirable behaviour in using IT” (Weill & Ross, 2004). IT governance therefore focuses on the governance of IT use within the particular organization. Van Grembergen (2004) further links IT governance to corporate governance by indicating that today’s business and business strategies are now dependent to some extent on underlying IT infrastructure support. Corporate governance is therefore responsible for setting high-level organizational strategies and controls, while IT governance provides the information and IT structure to facilitate strategic alignment and support of organizational goals. Furthermore, the linkage of IT governance and corporate governance is more apparent because of the increasing dependence upon and utilisation of IT to support business operations, which can potentially expose and impinge adversely upon the critical functionality of the IT infrastructure supporting the business. This suggests that poor application of IT governance can affect corporate governance through loss of business, harm to corporate reputation and a weakening of competitive position (CPA, 2005).
This premise is supported by KPMG (2002), which found that IT failures accounted for 60% of all business interruptions in Australia, resulting in downtime, reduced income and loss of customers. There have also been a number of other cases in Australia and around the world where a lack of IT governance has resulted in significant financial losses. A further example is the widely reported situation at the National Australia Bank (NAB), where it was found that employees were able to request changes to the IT systems that enabled them to erase records of their transactions, resulting in notable financial losses for the bank (Mair, 2004). In response to this and other failures of IT governance, a new Australian Standard within the AS8000 series, namely the Corporate Governance of ICT AS8015 (Standards Australia, 2005), was developed and released in early 2005. This standard consists of six principles applicable to the governance of ICT within a business organization and forms the initial reference point of this research.