IT Governance

Introduction

This article examines the theoretical perspectives and current insights as well as open issues regarding information technology (IT) governance. The term first emerged in the academic and practitioner literature in 1992 (Loh & Venkatraman, 1992) when the first major IT outsourcing contracts were signed, creating the need for organizations to more explicitly 'govern' their IT arrangements from a relatively straightforward internal IT department to a complex hybrid arrangement crossing the organizational boundary. Conceptually, the term can be traced back to the areas of corporate governance, strategic information systems, and (to a lesser extent) IT management (Webb, Pollard, & Ridley, 2006). Where corporate governance is about decision making rights and responsibilities in the interest of the organization's shareholders and other stakeholders (OECD Publishing, 2004), IT governance is about the decision rights and accountability framework to encourage desirable behavior in the use of IT by an organization (Peter Weill & Ross, 2004).

Since 1992, the importance of IT governance has increased significantly, as evidenced by a stream of literature (see the next section for an overview), and executives and researchers alike agree that IT governance today plays a vital role for corporate success. Beyond outsourcing (complex offshoring and outsourcing have become common since 1992), the following set of drivers has contributed to this increased importance:

• •

  Increasing IT pervasiveness: executives find it increasingly difficult to avoid or delegate IT decision making (De Haes & Van Grembergen, 2009; Peterson, 2004). A mounting number of strategic IT issues require cross-functional perspectives and business input for resolution;

• •

  Compliance requirements: IT must accommodate legislative compliance that typically requires detailed audit trails. Perhaps the best example is the so-called SOX compliance, referring to the US Sarbanes-Oxley Act, which was prompted by the failure and demise of Enron in 2002. Sarbanes-Oxley focuses on enhanced corporate governance through improved internal controls - requiring and emphasizing IT accountability and imposing new IT governance requirements (Brown & Grant, 2005);

• •

  ROI pressure: IT investments have a notoriously bad track record when it comes to demonstrating measurable value to the business. The low success rate of IT development and implementation projects is widely published and researched: the Standish Group (The Standish Group, 2013) reports that, using 2012 data from a global set of thousands of 'small' IT projects, only 39% of these can be considered successful (on time, on budget and with required features), 43% challenged, and 18% failed (projects cancelled or results never used), with overall average cost overruns of 59% and time overruns of 74%. The success rate reported by the Standish Group has not significantly improved over the last 15 years. Although these studies have received criticism (Eveleens & Verhoef, 2010), the general consensus is that the failure rate of IT projects is very high. Many of the factors explaining the failure rate relate to unclear roles and responsibilities within and between the IS and business people involved. In addition, those projects that successfully 'go live' subsequently fail to demonstrate organizational benefits due to poor alignment between IS and business strategies (Kearns & Sabherwal, 2007).

• •

  Strategic IT sourcing: beyond outsourcing (which has seen an enormous growth since the original Kodak-IBM deal discussed in the aforementioned 1992 article by Loh and Venkatraman), executives are now faced with more complex offshoring and outsourcing arrangements that also include cloud-based offerings of platforms, infrastructures and applications (Heier, Borgman, & Bahli, 2012);

• •

  Cost control: mounting human and financial consequences of IT put forward strong arguments for improved control processes. Nolan and McFarlan (2005) estimate that corporate information assets often make up more than 50% of capital investment budgets - given constantly changing technologies, as well as an increasingly complex business environment.