Burton Group - Foundations for IT Governance

Foundations for IT Governance
July 17, 2009

AUTHOR: Joe Bugajski ([email protected])

CONTRIBUTING AUTHORS: Chris Howard, Mike Rollings

TECHNOLOGY THREAD: Management



Synopsis

IT governance (ITG) is the process whereby a business organizes itself to perform its IT responsibilities and make its important IT decisions. An ITG framework adds a program for establishing formal IT precepts that encourage desirable behaviors, together with consequences for noncompliance with those precepts. Effective ITG engenders profitability significantly above the industry average. Ineffective governance, at worst, can destroy a business; at best, it wastes large sums of capital. Hence, ITG delivers measurable value to the business while also improving the productivity of business operations.

ITG is a component of corporate governance, which in turn derives from a legal framework. Formal governance programs are not optional for many businesses; laws and regulations demand them. Boards of directors are the principal governors of a business. Their primary duty is to act in the best interests of the shareholders, and to do so with care and loyalty to the business. The duty of care obligates directors to use sound, knowledgeable, and informed judgment when acting on the business’s behalf. The duty of loyalty requires directors to avoid conflicts of interest and misuse of their position. Because IT is responsible for managing a business’s data, IT has an obligation to support directors with accurate, reliable, and valuable information products. Unfortunately, most IT organizations do not properly manage the business’s data. This exposes directors to personal and corporate risks that demand mitigation through an ITG program. Executive officers report to the board and bear duties similar to those of directors. They too risk personal liability should they make bad decisions using IT’s defective information yet do nothing about it. An ITG program is a proven way to do something about IT issues, thereby mitigating personal liability and business risks.

An ITG framework is a set of activities for mapping business strategies and risks to IT’s responsibilities and knowledge domains. An ITG framework also includes precepts that guide businesspeople’s and IT people’s behaviors consistent with the strategic direction of the business, and in ways that mitigate its more serious risks. Finally, an ITG framework includes punitive terms for failure to comply with precepts.

This Perspective document presents the components of an effective ITG program and its relationship to corporate governance and its legal framework. The document also explains how to map IT responsibilities and authorities to business strategies to assure effective governance of IT.

Analysis

“Governance is a process whereby societies or organizations make their important decisions, determine whom they involve in the process, and how they render account.”1 Governance, therefore, is people making decisions about deciding: a group ordains who will decide what matters for constituents, under stated conditions and constraints. The decision maker chosen by a governance action (i.e., a policy, law, regulation, or principle) has authority to act (rights) within certain constraints. Suppose a board of directors (governance body) votes (decides) to limit the company president (decision maker) to spending (rights) no more than $500,000 per item (constraint). Constraints on rights confer responsibility, an obligation to behave consistently with the spirit of the decision. The president knows better than to break a $1 million purchase into three purchases to “get around” the constraint (i.e., the president would not suddenly issue two orders for $499,999 each and a third for $2; instead, board approval would be requested for the purchase). Governance follows the Goldilocks principle: not too much governance and not too little, but just the right amount of it (see Figure 1). Too much and too little governance can both hurt the business. Governance boards need to act accordingly and be neither too restrictive with policy (e.g., set too many policies) nor too loose with policy (e.g., set too few).

Figure 1: The Goldilocks Principle of Governance

Governance is a hot topic today. Board members and executives at public and private corporations, regulators, lawyers, and accountants, together with government leaders, educators, and research foundations, face the most important governance challenge since the New Deal legislation of the 1930s.2 Their challenge is to learn from governance’s many failures and successes, then delicately balance regulation and creativity, risk and reward, greed and prudence, and cost and profit. They have at stake the economy and the livelihood of the citizenry. Their reward is prosperity, profits, and peace; the punishment for failure is inconceivable harm. No matter which reforms succeed or disappear, more regulation, and thus more governance, is coming, and enterprises, whether public or private, commercial or nonprofit, must assure themselves that the information they produce is accurate, reliable, timely, and truthful. To do this, all enterprises must improve, or institute, governance that includes ITG.

Governance

Good governance derives from self-interest. A citizen’s self-interests include feeling safe while at home or while traveling, having the opportunity to earn and retain wealth, and forming peaceful relationships with neighbors. A business’s self-interests include the opportunity to sell goods and services to create profits for its owners and a decent chance to grow and prosper. A government’s self-interest includes establishing conditions that promote its citizens’ self-interests and those of its businesses while it retains powers to promote security and peace internally and with other governments. Bad governance unnecessarily constrains or inhibits citizens, businesses, and governments (the governed) from promoting and achieving their self-interests. Governance, whether good or bad, limits the behaviors of the governed. It also sets consequences that the governed will bear should they not abide by those limits. In this respect, governance is a uniquely human endeavor.

Governance Failures

Nick Leeson, Ken Lay, Jeff Skilling, Calisto Tanzi, Bernie Ebbers, Dennis Kozlowski, and now Bernie Madoff, B. Ramalinga Raju, and Stein Bagger: these infamous executives made fools of board members, investors, and regulators alike. The former group brought the world the Sarbanes-Oxley Act (SOX), the European Union (EU) Directive on Statutory Audit (also called the 8th Company Law Directive or EU-SOX), and the UK’s Turnbull guidance on internal control (Turnbull), just a sampling of twenty-first-century disclosure laws. The latter group of alleged crooks, together with Fannie Mae, Freddie Mac, AIG, IndyMac, Lehman Brothers, Northern Rock, Royal Bank of Scotland (RBS), Washington Mutual, Citigroup, Bear Stearns, and dozens more, will soon spawn more laws, new oversight agencies, and undoubtedly more draconian reporting regimes. Failures of corporate governance cost board members sizable portions of their personal wealth3 and left nothing but empty promises for shareholders, employees, and suppliers. Still, in spring 2009, the frailties of global finance foretell yet more corporate fatalities.


Governance Guidance

Owners, directors, and governments have an abundance of guidance about how to govern (e.g., the Organisation for Economic Co-operation and Development [OECD]’s “Principles of Corporate Governance, 2004”). Many studies, books, articles, lawyers, accountancies, conferences, and consultancies can lend directors a hand with governance. Governments and regulators have websites, toll-free telephone numbers, and publications. All sources stipulate that directors bear the burden of informing themselves about a company’s financial condition, the effectiveness of its controls, and the performance of its executives. In particular, an audit committee’s “duties, at a minimum, should include two key elements:

a. oversight of the quality and integrity of financial reports and the process that produces them;

b. oversight of the management of risk.”4

Nonetheless, directors whose outlaw chief executive officers (CEOs) bankrupted their companies, and directors whose profligate CEOs bore more risk than they seemed to know or acknowledge, failed to govern. They failed to govern not just wisely or fairly, but also competently.

Corporate Governance

Corporate governance formally defines decision-making rights and decision makers’ authorities and responsibilities concerning a business’s most important matters, and the consequences for noncompliance with precepts that define governance. It includes laws and regulations, a company charter or articles of incorporation, bylaws, and a governance framework. (See “The Details” section of this Perspective document for detailed definitions of the components of a corporate governance framework.)

Decision Makers

Boards of directors govern companies. Shareholders decide who sits on the board. The CEO or president has decision-making rights and authorities consistent with a responsibility to run the daily affairs of the company. The other executives, the managers, and the employees serve at the pleasure of the board, usually through a reporting relationship to the CEO. All are obliged to obey the laws and regulations set by the governments of the places where the company does business.

Corporate Governance Framework

Typically, a business augments its legal framework (the laws and regulations of the places where the business conducts its activities) with governance about its most important affairs. These rules are called the business’s bylaws. The business also sets policies to guide its strategy and avoid its risks. Policies assure that persons affiliated with the business behave responsibly and in the owners’ best interests. Together, the legal framework, bylaws, and policies define the corporate governance framework for a business.

Governance Is Not Management

Governance is not management. This is a critical and essential distinction. Although governance deals with decision-making and decision makers, it does not specify decisions for decision makers. Rather, governance specifies limits to management’s decision-making authority, and it sets consequences for noncompliance. In particular, good governance enables management to execute corporate strategy and mitigate risks. It does not, and certainly never should, specify which decision should be made by whom, when, for what reasons, and with what quality. These matters concern management, not governance. Indeed, bad governance is a decision-making framework that unfairly or unwisely inhibits managers from exercising sound judgment in the exercise of their responsibilities.

Governance does not tell management to make a good decision, a bad decision, or no decision. Governance simply gives a manager the right to make that decision. Management gives direction and guidance. It assigns people to tasks and positions. Management allocates resources and decides, or declines to decide, among the options that best serve the interests of the shareholders. Laws and regulations circumscribe the actions that people in organizations may take. They do not prevent people from taking such actions, but they do impose serious consequences should those people exceed the limits of the law or a regulation. For instance, the U.S. Federal Reserve (Fed) requires nationally chartered banks to retain capital in the form of cash and liquid assets equal to a minimum of 10% of total deposits. The regulation does not restrict a bank from retaining 12% of deposits if management believes this to be in its best interests. Indeed, the Fed would support such a decision. If a bank retains less than the 10% minimum, then the Fed is obliged to direct the bank to raise capital to the minimum or face sanctions that can include seizure of the bank.

The term governance in common use is often muddy because it represents the structure that upholds application of both:

• Policy derived from legal frameworks

• Preferred management practices

A structure to uphold governance is an organizational construct (e.g., a committee) that often applies both types of governance. The organizational construct is a convenient and efficient means of implementing governance, but it muddies the term, because committees uphold both policies and management practices. While they operate, their work becomes indiscernible from that which they are upholding, the preference or the law. This is also a factor in how people perceive the role of governance, and why people associate governance with formal compliance rather than with facilitated governance. (An exposition of the distinctions between governance and management, and of related governance concepts, appears in the Burton Group overview “Governance, Risk, and Compliance.”)

Laws and regulations are an incomplete framework for corporate governance. Business must supplement legal frameworks with policy about organization, behaviors, decision-making authorities, compensation, reporting, strategy, risk management, and compliance, to name a few. Business must also seek realignment, or repair inconsistently implemented governance, while bearing in mind variations in laws and regulations across the jurisdictions where the business operates. For instance, corporations should have independent auditors review their accounting reports, yet more than half of EU nations do not uniformly implement this principle.5

IT Governance

IT governance (ITG) is a component of corporate governance. ITG specifies “the decision rights and accountability framework [needed by a business] to encourage desirable behavior in the use of IT.”6 Although excellent governance frameworks exist for ITG,7 they tend to be technically complicated, which makes them relatively inaccessible to most board members. This may explain why IT executives tend to retain responsibility for ITG when this burden falls on—first and foremost—the board of directors, then on corporate chief executive officers. Boards, corporate officers, and IT executives must collaborate to correct misalignments of ITG while making ITG frameworks understandable to directors, CEOs, chief financial officers (CFOs), and yes, chief information officers (CIOs).

Perspectives on IT Performance

Boards, top executives, non-IT business executives, and IT executives have markedly different opinions about IT’s performance. Most agree that ITG is important—unfortunately that is about the only characteristic upon which they agree.


Perspectives matter because how the business feels about IT determines IT spending priorities. It also affects communications: favorable opinions correlate with better communications, whereas adversarial opinions appear to degrade the quality of communications. (See the Burton Group overview “Modeling Influence and Communications” for a thorough exposition of communications planning.) Lower opinions of IT performance also correlate with more layers of management between the CIO and the CEO or board. Lastly, improved IT performance correlates strongly with effective ITG, and this in turn correlates strongly with profitability materially above the industry average.

Boards of Directors

Boards should attend to ITG immediately to correct its glaring misalignments with corporate governance and strategy.8 Business and IT leaders alike berate ITG as ineffective.9, 10, 11, 12 Misalignments in ITG demonstrably weaken delivery of critical information to decision makers, information that would help them assess and manage risks and leverage opportunities. Effective ITG correlates with stronger business performance and larger market capitalization relative to peers that lack it.13 MIT researcher Peter Weill found that businesses with effective ITG achieved 20% higher profits than their peers did.14 In the same paper, Weill laments that only 38% of executives knew how their businesses governed IT-related matters. Even in a recession economy, this low bar for profitability improvement is a substantial incentive for boards to implement or improve an ITG program.

Boards are obliged to address IT problems by instituting an ITG program. About 95% of businesses worldwide believe that they have one.15 However, a deeper look at the numbers reveals a troubling trend. For more than half of the businesses surveyed, boards attended to IT matters only occasionally, and when they did, they concerned themselves with operational issues (e.g., system outages or security faults). Just over one third of boards routinely discussed IT in broader business contexts (e.g., how does IT contribute value to the business’s strategy, or what return does the business earn on the average 50% of total capital expenditures that businesses now invest in IT). This is roughly the same number as those boards that included ITG in their corporate governance programs.

Top Executives

Down in the depths of most modern businesses lurks information in computer systems that can lift directors’ and executive officers’ veils of ignorance about the value and reliability of the information they receive through IT. The CEO may not know how to get that information. The CFO may not know where exactly IT keeps it. They should at least know the CIO, and that person must be able to answer these questions without traumatizing other executives or directors. Unfortunately, only 35% of corporations have the CIO report to the CEO or the board.16 For the rest, the CIO reports to either the CFO or the chief operating officer (COO). Given the paucity of CIO reports to the board and the layers of management between the board and the CIO, it is unsurprising to find board members and CEOs who do not know the CIO personally. Informational distances like these tend to impede communications, which makes ITG less effective because it puts ITG in a reactive position rather than a strategic, proactive one. Most businesses have immature ITG. This is true for 82% of companies, according to the IT Governance Institute’s annual “IT Governance Global Status Report—2008,” a survey of 749 IT executives. Most organizations also delegate ITG below the ranks of top executives. Most often, the champions of ITG come from IT management ranks (e.g., managers and direct reports of the CIO). These shortcomings are the root cause of IT’s failure to ensure that quality information products arrive routinely on executives’ and directors’ desks. The paucity of IT effectiveness measures and the lack of knowledge of IT issues among boards of directors further challenge ITG effectiveness.


Business Executives (Not IT)

The vast majority of business executives believe IT is an important instrument for delivering value and controlling risks. However, business executives do not support the notion that IT brings value in terms of business innovation. Rather, the value they perceive IT delivering is operational efficiency and effectiveness. A large majority of executives, 75% of those surveyed by the IT Governance Institute in 2008, feel that IT does not achieve full returns from investments and that IT fails to deliver business applications. These negative perceptions may or may not be accurate: typically, IT does not measure its own effectiveness well enough to discern the true problem. Nonetheless, both the IT Governance Institute and MIT report research showing a strong correlation between ITG practices and IT outcomes in terms of investment value and application delivery prowess. Many non-IT executives believe IT fails to meet business expectations, and these executives are less satisfied with IT’s performance than IT executives generally are with their own organizations.

IT Executives and Leaders

In general, most IT executives believe that they have effective ITG, whereas board members and top executives find the opposite to be true. IT executives have a higher opinion of IT’s performance than their business colleagues do. They also regard IT as more strategically important to the business than their colleagues do. Business executives complain that they do not receive information about new technology opportunities that IT executives say they describe to those colleagues. Clearly, there is a communications gap and a perception gap between business executives and IT management. The perception gap between IT and business is illustrated in Figure 2.

Figure 2: Businesspeople and IT People Perceive Results Differently

Lessons

Boards must take control of ITG, assure that the business has effective ITG, and integrate it into the business’s corporate governance framework. Boards and corporate executive management should reevaluate and, where appropriate, realign the reporting relationship for the CIO. As noted above, often a CFO or another executive comes between the CEO or board and the CIO. This effectively reduces the CIO’s status in the executive team and reinforces the cost-center, operational view of IT. Instead, the CIO should be a full member of the top executive team. This would give the board freer access to the person who is responsible for the largest share of capital expenditures (by industry average) and for management of the vast majority of the business’s information products. Top management should provide the board with independently determined, routine accountability measurements of IT’s performance, including:

• Compliance with ITG precepts

• IT value delivery in terms of business innovation, return on assets, return on invested capital, and net productivity improvements

• Quality, reliability, sufficiency, accuracy, and usefulness of information products delivered by IT

• Business executives’ satisfaction with application delivery, value, quality, and performance

• IT portfolio management capability in these terms:

o Spending priorities for operations and development

o Architecture plans and capabilities

o Quality and sufficiency of delivered IT services

o Automation of key business capabilities

o Effective management of risks

o Information security and privacy posture

• IT knowledge and skills sufficiency relative to industry norms

For more information about portfolio management, see the Burton Group overview “Application Portfolio Management.” For more information about IT expenditure management, see the Burton Group Perspective document “Related Research Summary: Cross-Domain Context for Build, Buy, or Borrow Decisions.” The IT leadership team’s compensation plan should tie directly to measured improvements relative to meaningful baselines. The top management team should review and discuss measurements quarterly. The CIO should translate the results of these discussions into IT improvement objectives. The board should review and discuss the measurements annually with the CIO and executive team present. The board and executives also should use the measurements to revisit the ITG program and improve it. Finally, the CIO and executive team should ensure that their measurements actually matter. They should strive to develop measures that help them drive business model transformation where appropriate. For more information about measuring IT effectiveness, read the following Burton Group documents:

• “Measuring Enterprise Architecture Success”

• “Using Metrics Effectively: Proving and Improving the Business Value of IT”

• “You Manage What You Measure”

• “IT Metrics: Measuring IT’s Business Value”

Sometimes improvements achieved by changing behaviors and processes, or by adding governance and tightening controls, cannot address the issues at hand. Perhaps the IT organization is simply dysfunctional following years of abysmal application delivery performance and business avoidance of IT services. If this is the case, then transformation, not simply change, is in order. Transformative programs require special treatment. For more information about these programs, see the Burton Group Perspective document “Real Transformation: Why IT Change Is Not Enough.” The material in the “Business Problems Masquerading as Persistent IT Complaints” section is particularly noteworthy in this regard.

ITG Framework

An ITG framework consists of precepts, consequences, oversight councils, and a program for implementation. Figure 3 illustrates the interaction of these ITG components. The precepts are statements that assign decision-making rights and accountability to organizations in the business. These include the board of directors, the CEO, CFO, CIO, other business executives, and IT managers. ITG consequences state the terms and conditions for noncompliance with ITG precepts. The ITG program provides a plan for developing, administering, and improving the ITG framework and compliance with it.


Figure 3: ITG Components

IT’s Responsibilities and Controls

The ITG framework sets IT’s responsibilities and controls for supporting business priorities, strategies, and goals. It also establishes the organizational structure required to meet those responsibilities and a program for allocating resources for capital expenditures and operating expenses. The responsibilities and controls are expressed in four dimensions: IT strategy, roles, behaviors, and funding. The framework associates with each dimension policies that are consistent with business strategy.

IT Knowledge Domains

ITG precepts next define how architecture, infrastructure, and applications map to investments using an IT portfolio management process. The business reviews these IT knowledge domains and decides for which they will write ITG precepts (i.e., principles, policies, standards and benchmarks, guidelines and best practices, and compliance). For more information, see the Burton Group Perspective document “Enterprise Architecture Is More than Engineering.”

ITG Precepts

The ITG framework expresses precepts as principles, policies, standards and benchmarks, guidelines and best practices, and controls. The choice of precepts that a business adopts for ITG depends on business strategy and risks. An entrepreneurial business that grows by responding quickly to new market opportunities would choose relatively fewer precepts than would a highly regulated, mature business that seeks to maintain its market position and dominance. A larger business would carefully state policies about the information security measures needed to mitigate risks associated with internal and external threats. A smaller business might provide only one security policy and one privacy policy. The mature business might employ an array of IT standards and benchmarks to guide development, whereas an entrepreneurial business might have only one or two standards, with principles used to guide many decisions.

ITG Councils

The ITG program includes development of an ITG framework, administration of the framework, and improvement of the framework. The ITG program also includes the formation of these two groups:

• The board standing committee on IT governance: This committee includes members of the board, at least one of whom should be a former IT executive or an executive of an IT business, and the CIO. Committee members are responsible for oversight and direction of the ITG program. They determine which ITG precepts the entire board will consider. They recommend the approval of ITG precepts and lead the board discussions about ITG matters.

• The executive council on IT governance: This committee includes at least two non-IT executives and the CIO. The executive council is responsible for organizing, staffing, and funding the ITG program. Council members make strategy determinations, set IT investment priorities, and present recommendations to the Board Standing Committee. The executive council is the parent organization for other ITG councils. It establishes and appoints members of those councils, and approves work plans, charters, and funding for councils. These are four of several possible sub-councils:


o Data governance council oversees data designs, data definitions, data models, and the data itself. It defines precepts, and approves exceptions to precepts, for data modelers, data managers, overall data access strategies, data analytics, and data privacy. This council works closely with the information security council. (See the upcoming Burton Group overview “Foundations for Data Governance” for additional information.)

o Information security council that typically reviews risk analyses and vulnerability assessments and uses these to develop precepts and recommend security controls. The council also may oversee security architecture and precept exceptions and review audit reports. (See the “The Data Governance Council Model” section in the Burton Group overview “Governance, Risk, and Compliance.” Also, read the Burton Group overview “Security Metrics: Horses for Courses,” which discusses business value measurements of the information security program effectiveness.)

o Enterprise architecture (EA) council oversees the design and improvement of infrastructure systems and applications projects and approves exceptions to precepts. It guides the development of the overall IT infrastructure and oversees investments into the applications portfolio. It considers the consistency of designs for specific projects with respect to enterprise requirements, business strategy, effective reuse, and fitness of purpose. (See the Burton Group perspective “Measuring Enterprise Architecture Success,” for more information about the duties of an EA team.)

o IT investment council reviews the business’s IT spending priorities in light of its strategies, risks, goals, priorities, management preferences, and legal frameworks. The council’s members are typically senior executives with responsibility for divisions or major business units (e.g., corporate finance, risk, and legal). The IT investment council will work very closely with the executive council on IT governance, or be a subcommittee of that council, and with the EA council. The IT investment council may have funding approval authority. It also would set policy and approve standards consistent with its oversight mission. For additional information about IT investment decisions, see these Burton Group documents:

“Using Metrics Effectively: Proving and Improving the Business Value of IT”

“IT Metrics: Measuring IT’s Business Value”

“Metrics: Improving IT Value, Justifying IT Investment”

The ITG program councils set plans of work that include evaluating IT and business strategic plans and goals against IT responsibilities and controls. They also evaluate risks facing the organization and map risk, strategies, and goals to appropriate ITG precepts. The objective of the mapping is to ensure precepts address strategically important issues and risks for IT and the business. The ITG program councils next map IT knowledge domains to ITG precepts. These maps identify appropriate decision assignments for IT and business. The maps also determine which precepts will be developed for the ITG framework and later presented for the board approval.

The Details

“Governance is a process whereby societies or organizations make their important decisions, determine whom they involve in the process, and how they render account.”17 Good governance fosters economic efficiency, growth, profits, innovation, effectiveness, adaptability, security, and value.18, 19, 20, 21 Unfortunately, the global economic crisis of 2007 to 2009 shows how governance can fail to deliver on its promises, whether or not such failure was borne of incompetence, criminality, oversight, greed, or a laissez-faire regulatory climate.22, 23 The economic crisis notwithstanding, properly designed and implemented governance, even if flawed, delivers value.

Corporate Governance

Corporate governance formally defines decision-making rights, decision makers’ authorities and responsibilities concerning a business’s most important matters, and the consequences for noncompliance with these precepts. A business exists as a named entity (e.g., a partnership, corporation, nonprofit organization, university, proprietorship, or government) that intends to serve a publicly stated purpose (i.e., a business’s charter or its articles of incorporation) within a political jurisdiction (e.g., a city, state, province, or nation). A jurisdiction (usually) formally authorizes a business to act as a “legal being” or an “entity” (with certain rights and privileges) within its borders. Unless otherwise noted, the words “business,” “corporation,” “partnership,” “nonprofit,” or “enterprise” mean, interchangeably, any such entity.

The Decision Makers

Directors must govern companies on whose boards they serve. Shareholders, the owners of companies, indirectly govern public companies, but when they own a sizable number of shares, or they are partners, then they directly govern their companies. Governments govern through laws and regulatory agencies (e.g., the Securities and Exchange Commission [SEC] in the United States). Top executives, managers, and employees serve at the pleasure of directors, and they are obliged to obey laws set by governments under which their companies do business.

Legal Frameworks

For commercial ventures, governance starts when a person or group submits a formal request (e.g., an application to do business) to a jurisdiction’s regulatory authority (e.g., an office of the secretary of state or the SEC). The application includes the names and addresses of the business’s organizers, the business’s name and address, its capital structure (whether it will issue shares or assign partnership percentage ownership interests), and other information required by the jurisdiction in formal articles of incorporation. The regulatory authority reviews the business’s application, and if it is satisfactory, the regulator authorizes the newly named entity to do business (lawfully) within that jurisdiction’s political borders. A jurisdiction’s laws and regulations, and those of its superior jurisdictions (e.g., the nation containing a state), automatically take effect for a business, as if the business were a person. The jurisdiction’s laws and regulations constitute first-order governance for every business—it is its legal framework. Multijurisdictional legal frameworks complicate matters for businesses due to possibly overlapping or contradictory laws and regulations. For this reason, and many others, seeking professional legal counsel from a person licensed to practice business law in a jurisdiction is commonplace. Because many legal frameworks require a business to file its financial reports with regulatory agencies (e.g., tax authorities and the SEC), businesses also retain the advice of professional accountants.

Corporate Governance Framework

Typically, a business augments its legal framework with governance about its most important affairs. These rules are a business’s bylaws. A business also sets policies to guide its affairs toward a business strategy, avoid risks, or assure that persons affiliated with the business behave responsibly and in the business owners’ best interests. Together, these contracts, policies, and agreements define the corporate governance framework for a business. A corporate governance framework vests business decision-making authorities and responsibilities with its directors and officers in ways that comport with legal frameworks, articles of incorporation, bylaws, fiduciary and sound-judgment duties, codes of conduct, and responsibilities to the business.

Bylaws

Bylaws define how a business organizes and runs itself and how it modifies its bylaws. Many jurisdictions require businesses to file current copies of their bylaws with regulators. A business customizes its bylaws to serve the best interests of its owners. Therefore, bylaws are organizational documents that specify how the business will manage its affairs that include, but are not limited to, these matters:

• The formation of a corporate governance body (e.g., a board of directors, a committee of managing partners, or a board of trustees) and establishing:

  o The number of members (i.e., directors), meeting frequency, and board-membership qualifications

  o Election rules for directors and the length of time they will serve

  o Rules about leadership appointments (i.e., annually, the board will choose a chairperson and a secretary from among their members, and they will appoint a treasurer, who need not be a board member)

  o Rules about record keeping for meetings of the board

  o Rules about executive officer appointments and compensation

• Defining which critical business matters may be decided and by whom:

  o A vote by a majority or supermajority of the business’s owners (e.g., the sale of substantially all of the business shall require an affirmative vote by a supermajority [i.e., more than 60% of those entitled to vote] of shareholders of record as of [some date])

  o A vote by a majority of the members of the board of directors (e.g., the board will meet annually to review and approve the budget)

  o Decisions that the board assigns to executive officers, and decisions associated with running the day-to-day affairs of the business (e.g., the CEO shall staff the business, enter into strategic business alliances, purchase equipment, and develop business growth strategies; the CFO shall report directly to the board on the fiscal health of the business)

The board is the ultimate decision authority for a business. An affirmative, or negative, vote by a majority of the board at a meeting may be legally binding upon the board and the company. Minimally, a board decision directs, endorses, forbids, or affirms some course of action, or inaction, as a written decision recorded in the minutes of a board meeting, and that decision obliges the business to comply.

Director and Officer Duties

Directors and officers have duties, principally to the owners of the business and also to its employees, trading partners, and the governments and communities where the business keeps its offices.24 These are the fiduciary duties and the sound-judgment duties:

• The fiduciary duties:

  o Duty of care: Act professionally and in good faith, be fully informed, and make decisions while keeping foremost in mind the best interests of the business and its owners.

  o Duty of loyalty: Avoid using one’s position as a director or officer in any way that enriches or enhances oneself at the expense of the business, or which may conflict one’s interests with those of the business or give an impression of conflict.

• The sound-judgment duties:

  o Duty of fairness: Act fairly and honestly with employees, shareholders, regulators, commercial partners, and the public at large.

  o Duty of obedience: Act ethically and in accord with legal and corporate governance frameworks.

Director and Officer Responsibilities to the Business

Boards of directors and corporate executive officers also have responsibilities to the business. These include:

• Exercising objective and independent judgment about business matters

• Setting, guiding, and reviewing business strategy and goals:

  o Evaluating opportunities to build the business

  o Setting, funding, and pursuing business goals aggressively

  o Evaluating progress toward goals and adjusting course when necessary

• Assessing significant risks to the business:

  o Evaluating internal and external threats to the business

  o Arranging funding and setting goals to control against threats

  o Evaluating progress in removing or mitigating risks

• Developing effective governance frameworks, establishing controls to assure sound governance, and monitoring compliance

• Developing and managing a budget for business activities:

  o Allocating capital wisely, fairly, and honestly

  o Recording and reporting expenditures truthfully and completely

• Developing and maintaining sound investment portfolios:

  o Overseeing capital expenditures and divestitures

  o Assuring smooth integration of acquisitions and mergers

  o Assuring transparent reporting with respect to all investments

• Selecting, compensating, and managing key employees, and when necessary, replacing them

• Monitoring directors, officers, and employees—and whenever necessary, dealing with these matters swiftly and fairly—with regard to:

  o Potential conflicts of interest

  o Misuse, abuse, or misallocation of assets

  o Fair and honest dealings with shareholders, employees, suppliers, contractors, governments, the media, and the public

• Monitoring and accurately reporting on these responsibilities and other matters of significant business interest

• Accurate, truthful, complete, and understandable reporting to regulators and shareholders

IT Governance Precepts

The IT governance (ITG) framework is contained within the corporate governance and legal frameworks. Therefore, ITG is a component of corporate governance as shown in Figure 4. The ITG program elaborates on corporate authorities by expressing precepts as principles, policies, standards and benchmarks, guidelines and best practices, and controls. The choice of precepts that a business adopts for the ITG depends on business strategy and risks. An entrepreneurial business that grows by responding quickly to new market opportunities would choose relatively fewer precepts than would a highly regulated, mature business that seeks to maintain its market position and dominance. A larger business would carefully state policies about information security measures needed to mitigate risks associated with internal and external threats. A smaller business might only provide one security and one privacy policy. The mature business might employ an array of IT standards and benchmarks to guide development, whereas an entrepreneurial business might have only one or two standards with principles used to guide many decisions.

Figure 4: ITG Framework Relies on Corporate Governance for Its Authority

Principles

Principles are high-level statements about the value, services, and behaviors that a business expects of its IT investments, IT strategy, and IT operations. Although principles are mandatory, as high-level statements, they may prove difficult to measure for compliance.

Most businesses will set principles for IT funding decision-making, funds allocations, and prioritization planning. The board of directors is responsible for deciding principles. Typically, top executives recommend principles. They discuss these with the board. They use the board’s advice to write final principles that the board approves.

Policies

Policies follow directly from principles and are mandatory for the business. These are behavioral control statements concerning the care, use, protection, acquisition, disposition, and management of IT matters and IT services. Policies must cover areas indicated by principles and these must map consistently to responsibilities and controls for IT knowledge domains.

Standards

Standards are specifications that support policies. They usually are mandatory. The specifications may state either business or technical requirements. Standards define preferred solution approaches, specific technologies or methodologies that IT uses to build and operate business solutions (e.g., applications or infrastructure). IT must use the standards or obtain an exception from use. Standards may include these items among others:

• Process and technology specifications for use by IT when it creates, builds, tests, implements, operates, and maintains assets and services

• Performance expectations (i.e., measures) for services and capabilities that IT delivers

• Technical specifications and architecture for systems, applications, services, and infrastructure

Guidelines and Best Practices

Guidelines and best practices are recommendations, templates, and prescriptions for guiding IT organizations to a good outcome as they perform their work. These are optional precepts. IT is not required to use these.

Compliance

The compliance program is not part of the ITG framework. Compliance is a responsibility of the audit committee of the board and its delegates. Mandatory precepts should have consequences defined for compliance failure and an indication of how an auditor or a compliance officer might detect a compliance fault. Consequences should be proportional to the importance that the business assigns to the precept. For instance, a failure to comply with a principle would be a worse offense than a failure to comply with a standard. This is because a principle can lead to multiple policies, and a policy might have several standards associated with it. Similarly, principles and policies are not all equal. Suppose an IT manager fails to comply with a principle about capital expenses. That compliance failure could result in material financial harm to the business. In this case, the compliance fault dictates punitive action against that manager (e.g., letter of reprimand, suspension, or termination). The business may also choose to press criminal and civil charges against the manager. By comparison, suppose a manager violated a procurement policy that required three vendors to provide written quotes in response to a request for proposal (RFP) when the total value of a vendor’s contract will exceed $100,000. For the sake of argument, suppose the contract was valued at $100,001 and the manager only requested two written quotes and one oral quote. While the manager violated the policy, no material damage resulted from the noncompliance. Therefore, the manager might receive an oral warning from a supervisor about compliance with policy. However, if the contract value exceeded $500,000 and other decisions about this case remained the same, then the consequences would be more serious (e.g., a letter of reprimand, suspension, or termination). Legal action would likely be inappropriate in this case.

IT’s Responsibilities

The ITG framework sets IT’s responsibilities for supporting business priorities, strategies, and goals. It also establishes the organizational structure required to meet those responsibilities and a program for allocating resources for capital expenditures and operating expenses.

Figure 5: ITG Precepts Define IT’s Responsibilities in Consideration of Business Direction

The ITG precepts should address these IT and related business matters according to business operating style, and the business’s strategies, goals, and objectives (as illustrated in Figure 5):

• Strategy: Synchronizing business principles with IT principles and IT services to support the business operating model, strategy, and goals. These include strategically important:

  o Business outcomes and existing operations that IT must support with technology and services

  o Data center operations and programs for escalating service issues

  o Information products required by the business for its operation

  o Information security programs to mitigate risks associated with significant threats

  o IT architectures, processes, applications, and operations

  o ITG framework and program support

  o Pricing for infrastructure and development services

  o Technology acquisitions and disposals

• Roles: Statements of IT’s responsibilities for serving the business in various capacities. Does IT:

  o Deliver content management and collaboration facilities?

  o Develop, test, and deploy business applications?

  o Investigate and guide technology adoption?

  o Manage data as an asset and information as products?

  o Manage data communications and telecommunications?

  o Operate data centers?

  o Participate in industry standards groups or open source communities?

  o Plan, manage, and control programs and projects?

  o Provide an information security program?

  o Support clients external to the business (e.g., a helpdesk for the business’s website)?

• Behaviors: Limitations on IT personnel decisions that may include:

  o Architectural solution patterns (i.e., prescriptions to promote efficiencies and effectiveness within design and engineering of business solutions)

  o Processes for making investment decisions (e.g., calculation of internal rate of return using a discount rate set by the CFO)

  o Risk avoidance strategies (e.g., assess business risk associated with early-stage technology vendors)

  o Technology and vendor selection

• Funding: The method that the business employs for allocating capital to IT investment priorities, and cash for IT operating expenses. Funding principles should delineate how IT budget line items will be identified, classified, and prioritized, and then how funds will be decided and allocated for these IT activities:

  o Architecture and technology planning

  o Business initiative and program delivery

  o Business continuity management

  o Change control and management

  o Compliance

  o ITG

  o IT infrastructure projects

  o Operations and support

  o Personnel training and development

  o Program and project management

  o Security and risk management

IT Knowledge Domains

ITG precepts next must define how architecture, infrastructure, and applications map to investments using an IT portfolio management process. The business reviews these IT knowledge domains and decides for which of them it will write ITG precepts (i.e., principles, policies, standards and benchmarks, guidelines and best practices, and compliance):

• Architecture includes:

  o Balance between standardization and innovation

  o Integration of applications, services, processes, and information

  o Information required for and generated by business processes

  o Relationships among business outcomes, capabilities, and core business processes both within and across lines of business

  o Technology knowledge, practices, and standards for the enterprise

  o Technology selection in support of business strategy and goals

• Infrastructure includes systems, services, components, software, hardware, networks, security, and the like that are:

  o Critical to business operations

  o Strategic business and IT initiatives

• Infrastructure also includes programs that provide improvements. These might include:

  o Consolidating systems

  o Eliminating redundancies

  o Outsourcing services instead of performing them in-house

  o Removing obsolete technology components

  o Upgrading technologies

• Applications and services include strategically important:

  o Business process and functionality changes

  o Capability of design standards to meet business requirements and methods for handling exceptions

  o Change control processes

  o Management of applications post delivery

  o Organizational realignment or restructuring to support projects

  o Prototypes and pilots to gauge concept or program viability

• IT portfolio management includes:

  o Assessment of asset development and maintenance costs vs. the value the business received

  o Determination of enterprise vs. business unit asset control

  o Identification of contents, value, costs, and relative importance

  o Mapping of contents to current business strategy and goals

  o Measurement of value delivered to the business

  o Methods for determining successful outcomes

Conclusion

IT governance (ITG) is the decision-making framework for assigning rights, responsibilities, and authorities for important business-IT related matters to positions in a business. ITG is part of corporate governance; hence, authority for ITG rests with boards of directors, then top executives, and then the CIO. Research shows that businesses with effective ITG generate significantly higher than industry-average profitability. ITG also yields better investment returns and productivity. Unfortunately, research also shows that most businesses do not employ effective ITG. It is time to correct this and capture ITG profits. A framework for effective ITG is here to help.


Notes

1 John Graham, Bruce Amos, and Tim Plumptre. “Principles for Good Governance in the 21st Century.” Policy Brief No. 15. Institute On Governance. Ottawa, Canada. Aug 2003. http://unpan1.un.org/intradoc/groups/public/documents/UNPAN/UNPAN011842.pdf. The authors discuss governance in its broadest context, which encompasses many forms of societal organizations.

2 In the United States, President Franklin D. Roosevelt’s New Deal program to relieve suffering of the Great Depression brought about the creation of the Social Security Administration, the SEC, the Federal Deposit Insurance Corporation (FDIC), the Federal Housing Administration (FHA), and mortgage market giant Fannie Mae. The laws related to these institutions, including later amendments, have counterparts in most developed nations.

3 Alan Calder. IT Governance: Guidelines for Directors. IT Governance Ltd: Cambs, United Kingdom, 2005. p14. The author cites legal settlement costs of $10 million and $18 million paid, respectively, by directors of Enron and WorldCom. He further notes that these cases set a precedent that directors most likely will bear personal liability in similar cases, and traditional directors and officers (D&O) insurance coverage will necessarily be insufficient to cover directors’ liability.

4 The National Association of Corporate Directors (NACD). “The Enron Code: The Hidden Lesson.” DM Extra. 1 Jun 2006. p3. http://www.nacdonline.org/dm/DMX060701.pdf. The text appeared originally in a list of recommendations that the board of NACD sent in 2002 to the SEC, the New York Stock Exchange (NYSE), and the National Association of Securities Dealers Automated Quotations (NASDAQ), at the request of then Chairman of the House Energy and Commerce Committee, W. J. “Billy” Tauzin.

5 Internal Market and Services Directorate General. “Scoreboard on the Transposition of the Directive on Statutory Audit (2006/43/EC).” European Commission. 31 Oct 2008. Figure 1. http://ec.europa.eu/internal_market/auditing/docs/dir/scoreboard_en.pdf.

6 Peter Weill, Richard Woodham. “Don’t Just Lead, Govern: Implementing Effective IT Governance.” MIT Sloan Working Paper No. 4237-02. Apr 2002. http://ssrn.com/abstract=317319.

7 Formal ITG frameworks have been published by these organizations and researchers:

• Control Objectives for Information and related Technology (CobiT) and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 38500:2008. Both specifications provide IT and business executive guidance for instituting governance and controls over IT’s services.

• Information Technology Infrastructure Library (ITIL) provides frameworks for developing services management standards and aligning these with business requirements. For more information, see the Burton Group overview “ITIL Service Management Practices: Third Time’s the Charm.”

• The IT Governance Institute in the UK publishes the “CALDER-MOIR IT Governance Framework” (Calder-Moir) that mirrors ISO/IEC 38500. The IT Governance Institute publishes books and articles about ITG. Note 3 is one such publication.

• Peter Weill, Chairman, Center for Information Systems Research (CISR) and MIT Sloan Senior Research Scientist, CISR, is a researcher at the Sloan School of Management of MIT whose academic research interests concern ITG and deriving business value from IT.

8 PricewaterhouseCoopers (PwC). “An Executive View of IT Governance.” IT Governance Institute. 2009. p10. http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=47365. This global survey of 250 non-IT executives takes a comprehensive look into attitudes, practices, and effectiveness of IT organizations. The survey showed that 49% of non-IT business executives did not see a close connection between IT and business strategies.

9 PricewaterhouseCoopers (PwC). “An Executive View of IT Governance.” IT Governance Institute. 2009. p9. http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=47365. The summary of findings notes that business generally sees IT as being less effective in delivering value than is desirable. A number of other important conclusions are drawn, most notably that executives need to become more involved in ITG. The survey also shows that the majority of boards discuss IT on an ad hoc basis and that when they do, they consider operational issues. This result stands in stark contrast to agreement by directors and executives that IT is important to their businesses.

10 The National Association of Corporate Directors (NACD). “The Enron Code: The Hidden Lesson.” DM Extra. 1 Jun 2006. p3. http://www.nacdonline.org/dm/DMX060701.pdf. The report discusses the board’s responsibility to arm itself with accurate and reliable information and to dig into the information to ascertain its veracity.

11 PricewaterhouseCoopers. “IT Governance Global Status Report–2008.” IT Governance Institute. http://www.itgi.org/template_ITGI.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=40584. This comprehensive survey of 749 IT leaders across the globe clearly shows that although ITG is more commonly implemented by corporations, the maturity level remains low, particularly with respect to gaps between ITG and corporate governance.

12 Peter Weill and Jeanne W. Ross. “Six IT Decisions Your IT People Shouldn’t Make.” Harvard Business Review, November 2002. http://hbr.harvardbusiness.org/2002/11/six-it-decisions-your-it-people-shouldnt-make/ar/1. In the introductory paragraphs, the authors discuss their work with over 1,000 corporate leaders, which revealed millions of dollars of IT investment wasted on inessential, even superfluous, IT systems purchases. The authors strongly advise that boards and top executives retain control over IT investments and require them to show positive return on investment.

13 Peter Weill, et al. “Compilation MIT CISR Research on IT Portfolios, IT Savvy, and Firm Performance (2000–2006).” MIT Sloan Working Paper No. 4660-07. CIS Research Working Paper No. 368. CISR, Sloan School of Management, MIT. Jan 2007. p2. http://web.mit.edu/cisr/working%20papers/cisrwp368.pdf.

14 Peter Weill and Jeanne W. Ross. “IT Governance on One Page.” MIT Sloan Working Paper No. 4517-04. CIS Research Working Paper No. 349. CISR, Sloan School of Management, MIT. Nov 2004. p1. http://ssrn.com/abstract=664612.

15 PricewaterhouseCoopers (PwC). “An Executive View of IT Governance.” IT Governance Institute. 2009. p19. http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=47365. The report notes that 95% of businesses surveyed reported that IT was on their boards’ agenda, primarily to discuss operations issues and not ITG.

16 PricewaterhouseCoopers (PwC). “An Executive View of IT Governance.” IT Governance Institute. 2009. p17. http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=47365.

17 John Graham, Bruce Amos, and Tim Plumptre. “Principles for Good Governance in the 21st Century.” Policy Brief No. 15. Institute On Governance. Ottawa, Canada. Aug 2003. p1. http://unpan1.un.org/intradoc/groups/public/documents/UNPAN/UNPAN011842.pdf. The authors discuss governance in its broadest context, which encompasses many forms of societal organizations.

18 Peter Weill and Jeanne W. Ross. “IT Governance on One Page.” MIT Sloan Working Paper No. 4517-04. CIS Research Working Paper No. 349. CISR, Sloan School of Management, MIT. Nov 2004. p1. http://ssrn.com/abstract=664612.

19 “OECD Principles of Corporate Governance, 2004.” Organisation for Economic Co-operation and Development (OECD). http://www.oecd.org/dataoecd/32/18/31557724.pdf. The Principles are a governance guide that can be applied by lawmakers, regulators, and businesses. Although the Principles express guidelines for publicly traded firms, the tenets apply to privately owned and government-owned firms. The Principles were sponsored by the World Bank and the International Monetary Fund (IMF).

20 John Pound. “The Promise of the Governed Corporation.” Harvard Business Review. Boston, Massachusetts. Mar–Apr 1995. http://hbr.harvardbusiness.org/1995/03/the-promise-of-the-governed-corporation/ar/1. The author defines a governed corporation as one for which shareholders, directors, and executives routinely question, exchange information, and make more effective decisions. The alternative to a governed corporation, according to Pound, is a managed corporation, where managers make decisions, boards hire and fire managers, and shareholders can relieve directors of their position if they are ineffective. The benefits of the governed corporation include robust, pluralistic, and adaptable decision-making processes. There are more new ideas. The oversight process is less personalized: It focuses not on the competence of the CEO but on the effectiveness of the organization (page 98).

21 Alan Calder. IT Governance: Guidelines for Directors. IT Governance Ltd: Cambs, United Kingdom, 2005. p23.

22 Angel Gurría, OECD Secretary-General. Remarks. “Business ethics and OECD principles: What can be done to avoid another crisis?” European Business Ethics Forum. 22 Jan 2009. http://www.oecd.org/document/3/0,3343,en_2649_201185_42033219_1_1_1_1,00.html. The Secretary-General said, “The current global economic crisis is costing the world trillions of dollars, a protracted recession, millions of lost jobs, a huge loss of confidence in financial markets, and a reversal in our efforts to curb global poverty. It is the result of the combination of several failures. A failure of business ethics is one of them; one that lies at the epicenter of this financial and economic earthquake.”

23 Paul Krugman. “Banks Gone Wild.” The New York Times. 23 Nov 2007. http://www.nytimes.com/2007/11/23/opinion/23krugman.html?ref=opinion. Mr. Krugman noted presciently that an excess of greed and a failure of governance were causing the collapse of the housing market and venerable financial institutions.

24 “OECD Principles of Corporate Governance, 2004.” Organisation for Economic Co-operation and Development (OECD). §VI, “The Responsibilities of the Board.” pp58–66. http://www.oecd.org/home/0,3305,en_2649_201185_1_1_1_1_1,00.html.

Page 21: Burton Group - Foundations for IT Governance

Related Burton Group Research

These documents also discuss important aspects of ITG:

• Application Platform Strategies

  o SOA Governance Infrastructure

• Collaboration and Content Strategies

  o Website Governance: Guidance for Portals, SharePoint, and Intranets

• Enterprise Architecture

  o Enterprise Architecture Is More than Engineering

  o Measuring Enterprise Architecture Success

  o Modeling Influence and Communications

  o Real Transformation: Why IT Change Is Not Enough

  o The Anatomy of Effective Enterprise Architecture

• Executive Advisory Program

  o A New Classicism

  o Service Oriented Architecture Implications

  o The Effective CIO

  o What Does a CIO Actually Do?

• Identity and Privacy Strategies

  o Survey: Getting Started with Identity Management Governance

• Security and Risk Management Strategies

  o Governance, Risk, and Compliance

  o Security Governance for the Enterprise

Copyright 2009 Burton Group. ISSN 1048-4620. All rights reserved. All product, technology and service names are trademarks or service marks of their respective owners. See Terms of Use and publishing information at http://www.burtongroup.com/AboutUs/TermsOfUse.aspx