
CORPORATE GOVERNANCE OF IT: A FRAMEWORK FOR DEVELOPMENT

Boards of directors are beginning to look beyond the accounting roots of IT governance toward the risk of legal liability and harm to product brand and corporate reputation.
By W. RP Raghupathi

August 2007/Vol. 50, No. 8 COMMUNICATIONS OF THE ACM

Interest in corporate IT governance (ITG) typically focuses on ensuring return on investment (ROI) and compliance with accounting procedures. To succeed, however, ITG must also provide a comprehensive framework that allows organizations to deal with a range of computing issues [1, 6]. Recall how excessive focus on ROI led Enron, WorldCom, and others into legal and financial ruin. Recent literature highlights control and measurement issues, especially with regard to methods for measuring success/failure of governance practices (such as the balanced scorecard, or set of quantitative and qualitative metrics, to assess corporate performance) [2]. But organizations must develop their own policies and procedures regarding ITG and give them to their architects and developers for implementation [6].

Two recent events, one involving the theft of credit-card data, the other involving software failure, illustrate the urgency of ITG. In the first case, American Express and Visa terminated their relationship with CardSystems Solutions, a payment processor, in 2005 over what is thought to be the credit-card industry's worst data breach to date. The CEO of CardSystems acknowledged the company had been improperly storing data, violating Visa and American Express security rules. In the other case, also in 2005, a computer system failure forced the Tokyo Stock Exchange to suspend trading of many stocks for several hours, revealing the vulnerability of one of the world's largest trading systems. That glitch brought to light a serious limitation of the exchange: no backup system. Additional examples of the consequences of poor ITG are discussed in [6]. All of them highlight the urgent need for an all-encompassing ITG model and framework that can be expanded as needed to develop comprehensive ITG and identify its critical role in organizational governance. Additionally, the use of various types of IT (such as the Web) in promoting corporate governance can be examined. Here, I describe a three-stage model of corporate ITG and develop a grid framework for policies and procedures, addressing how an organization could manage the introduction of comprehensive ITG and the kinds of policies and procedures in such governance.

[Figure 1. The three stages of IT governance. The horizontal axis is organizational focus (internal, external, extended). Stage 1: operational standards for individuals and groups. Stage 2: strategic, value-added processes with partners, customers, and suppliers. Stage 3: citizenship and public-good accountability toward the industry and the public.]

A 1998 study by the Nolan Norton Institute (www.nolannorton.com) found that the intensity of IT utilization was the most important differentiator of ITG and management in most organizations. While IT has become a major factor in business productivity, incorporating ITG into organizations remains highly problematic. Explicit ITG and management models are scarce, and available commercial literature offers insufficient theoretical tools to provide practical solutions. Information Edge, an online publication published by the Scottsdale Institute (www.scottsdaleinstitute.org/infoedge/), also pointed out in 2001 that, while IT is a critical driver of business success, boards of directors, even in technology companies, have not kept pace. Indeed, there is a basic disconnect between boards and the IT staffs of the companies they oversee. In addition, the publication reported, business strategies are typically not translated into the operational objectives of IT management units.

IT use within organizations demands thorough and thoughtful board governance, but such oversight is often delegated to lower management as operations matters, more an overhead item than a primary factor of production. Boards traditionally scrutinize business strategy and strategic risks. Faced with technology issues for which they have little interest and even less expertise, boards have largely left ITG on the sidelines. As it becomes increasingly difficult to distinguish organizational strategic mission from the IT that enables the mission, closing the ITG gap has become imperative.

Moreover, ITG is critical because performance expectations and reality often do not match. Boards tend to expect management to juggle myriad responsibilities: deliver quality IT solutions on time and within budget; harness and exploit IT to return strategic and operational value; leverage IT to increase efficiency and productivity; and manage IT risk.

All must be performed (without immediate oversight) at the worker-bee lower-management level. Boards are surprised when their organizations experience financial losses, damaged reputations, weakened competitive positions, missed deadlines, higher-than-expected costs, lower-than-expected quality, and/or failure of IT initiatives to deliver promised benefits [9]. Overall corporate governance typically focuses on the ways suppliers of finance assure themselves of earning ROI. Adapting that definition for IT, researchers and practitioners suggest focusing on three main questions: How does one ensure return on IT investment? What is the role of the chief information officer and the IS organization? And how is the IS function controlled by top management?

ITG can be defined as the organizational capacity to control the formation and implementation of IT strategy and provide direction to achieve competitive advantages for the corporation [1, 4, 6]. Another definition is how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control, and direction of the entity. How IT is applied within the entity will have an immense impact on whether the entity will attain its vision, mission, or strategic goals [4]. Both these definitions suggest that organizations must make every effort to establish structures that yield business value through IT and control mechanisms and minimal misguided IT investment.

These definitions also emphasize the alignment of IT objectives with business strategy, along with valid measurement of IT performance. Risks must be mitigated, requiring that ITG not be an isolated activity. CEOs and CFOs, as well as CIOs, should recognize it as a primary factor of production and make it an integral part of top management, rather than a technical segment practiced in relative isolation from organizational leadership. Boards practicing proper ITG often uncover and address problems in advance by addressing key questions: How critical is IT to sustaining the enterprise? How critical is IT to growing the enterprise? How far should the enterprise go in risk mitigation? Do the benefits justify the costs? Is IT a regular item on the board's agenda? Is IT addressed in a structured manner? And is the reporting level of the most senior IT manager commensurate with the importance of IT? Since IT is a critical function for supporting and enabling enterprise goals, effective ITG generates real business benefits (such as reputation, trust, product leadership, time-to-market, and reduced costs), all of which increase stakeholder value [1, 4, 7].

While many business organizations recognize the immense business benefits of IT, successful ones also understand and manage the risks associated with implementing new technologies. Timely measures aimed at addressing these concerns must be promoted by the top-governance echelon of each enterprise. Hence, boards and executive management must extend governance to include IT. ITG is the responsibility of the board and executive management as an integral part of overall enterprise governance. Governance reflects the leadership and organizational structures and processes that ensure IT sustains and extends the organization's strategies and objectives.

[Figure 2. A framework for IT governance. Rows are the driver (internal, external); columns are the focus (operational, strategic).]
  Internal / Operational: Codes of ethics; Email/Web policy; Information assurance; IT value measurement; and IT quality assessment and testing.
  Internal / Strategic: Audit control; Benchmarking; Due diligence; and Strategic alignment.
  External / Operational: Integration of customer relationship (such as privacy); Supplier management (such as online exchange); Data protection; Outsourcing; and Privacy.
  External / Strategic: Compliance with privacy laws (such as HIPAA); Compliance with governance (such as the Sarbanes-Oxley Act); Capability Maturity Model; ISO 9000 series; and USA PATRIOT Act.


THREE-STAGE MODEL

In the three-stage conceptual corporate governance model outlined in Figure 1, Stage 1 emphasizes routine operational practices and procedures. Stage 2 expands and enriches them, focusing on the enterprise as a whole, as well as on customers, suppliers, and other alliance partners. Stage 3 extends good practices out to the industry and further still for the good of the public. Effective ITG can permeate industry, and a particular business can be at the forefront of the effort. Ideas from a prior stage are embedded throughout the organization (such as by developing a code of ethics for intranet use, creating an executive ombudsman position, or developing a whistleblower policy on IT project management).

In Stage 1, policies and procedures concerning internal activities are introduced and standardized; for example, rules governing employee privacy, email, security, data handling, and ethics are codified, and awareness of these rules is promoted. Stage 2 begins once the focus shifts from internal policies, procedures, and standards to interactions and partnerships with customers, suppliers, and alliances; for instance, rules governing customer relationships and supply chains are formulated and shared with the external partners. In Stage 3, ITG practices are extended to the industry as best practices, perhaps leading to voluntary compliance by other organizations. The public could also be involved, as organizational governance boards or committees are formed, by including citizen members; when this practice is found to be effective by top management, it can be emulated by other organizations in the industry. The three stages are not necessarily sequential; establishment of policies and procedures can be simultaneous and overlapping.

GRID FRAMEWORK

Figure 2 outlines a four-quadrant grid framework depicting two primary dimensions of ITG: focus (operational, strategic) and driver (internal, external). The interaction between them results in the four quadrants: internal/operational; internal/strategic; external/operational; and external/strategic. In each, I specify examples of drivers and processes that require governance. The grid is adapted from [1].

The internal/operational quadrant concerns routine policies and procedures that most organizations must implement as a minimum. They focus on employees within the organization and include elements (such as email policy, codes of ethics, information assurance, and security and privacy), as well as software quality assurance and testing. For example, it was widely reported that the W32.Blaster worm may have contributed to the August 14, 2003 electrical power blackout in the northeastern U.S. The worm is believed to have compromised the performance of communication lines linking data centers used by utility companies to manage the power grid [10]. One can only speculate about how well-planned communication policy and procedures might have dealt with viruses to head off such a potential disruption.

Following the Columbia shuttle disaster on February 1, 2003, the accident investigation board (Report Volume 1, August 2003, www.nasa.gov/columbia/home/CAIB_Vol1.html) concluded that deficiencies in communication were a foundation for the Columbia accident. A massive bureaucracy, NASA, relied on informal email communication to manage the in-flight analysis of the damage to Columbia's left wing by a piece of insulation foam that broke off during liftoff. This limitation led to a series of discussions with little or no cross-organizational communication, often with no feedback from senior managers when contacted by lower-level engineers regarding their concerns about shuttle safety [11]. In contrast, organizations can post their policies and what-to-do manuals on their intranets, providing easy access by employees to corporate policy. For example, processes for handling end-of-life computing-asset disposal can be developed by the IT department. The proper disposal of old equipment is critical for minimizing security risks and environmental concerns. This is a new development in the ITG domain, and the related policy needs to be adopted and communicated to all employees.

In the internal/strategic quadrant, I extend governance beyond routine operational procedures to policies affecting the organization's overall performance. Top management is better positioned to address yet more questions, including: Is due-diligence analysis with regard to IT performed routinely? A scenario in this regard involves the due-diligence evaluation of IT during merger talks. Are substantive audit controls in place? And is benchmarking used for intra-industry comparison? How IT aligns with business strategy, ROI, and measurement must be included.

The external/operational quadrant in Figure 2 covers governance policies regarding integration of customer relationships, supplier management, outsourcing with third-party vendors, other alliances, and channel relationships. A 2003 article reported that IT managers who cut corners in their offshore outsourcing contracts could be jeopardizing their organizations' security and intellectual property [11]. With regard to online exchanges that bring suppliers and buyers together, as in the case of Covisint, an


online auto exchange (www.covisint.com/about/), policies concerning antitrust compliance must be enunciated and made available to all parties. Regulatory requirements and the need to protect corporate reputations make it crucial (at the risk of dire legal and business consequences) for companies to implement comprehensive data-privacy programs. Failure of ITG in these instances will eventually expose them to legal liability, hinder their ability to do business in certain parts of the world (most notably Europe and North America), and jeopardize trust-based relationships with customers.

In the external/strategic quadrant, the effect of laws and regulations is typically felt operationally, as the organization adopts governance policies and procedures dealing with compliance. In this operational context, the Health Insurance Portability and Accountability Act of 1996 and the Sarbanes-Oxley Act of 2002 come to mind. Sarbanes-Oxley, which aims to produce a more complete and accurate assessment of the financial condition of public companies, requires that they disclose all material off-balance-sheet expenditures or other aspects of their finances; the result has been that CFOs insist that CIOs provide them with more detailed information about the status of IT projects. CFOs push hard to ensure they are able to update quarterly earnings reports with as much information as possible about ongoing IT projects. For example, in each quarter during 2003-2004, Texas-based Freight Pro, a logistics and shipping company, delivered a formal report on the status of its IT projects to its board of directors [3]. The reports detailed the anticipated cost, timeline, and benefits of new and existing projects [3]. The USA PATRIOT Act of 2001 requires financial services companies to improve their ability to identify customers and flag suspicious transactions [5]. Also, airlines continue debating how to maintain privacy [8] while still being responsive to the government's need to examine passenger data. Announced in 2003, the Computer-Assisted Passenger Pre-Screening program (CAPPS II) was terminated by President George W. Bush in 2004 and replaced by another program called Secure Flight in 2005 that is not scheduled to be fully operational until 2010. Government officials in the U.S. have said they will not be able to access personal information and would limit intrusion to a threat assessment level that flags certain passengers for further scrutiny. Despite the 9/11 terrorist attacks, this assessment attracted widespread public protest, and airlines (notably Delta Air Lines, JetBlue Airways, and Northwest Airlines) that cooperated have faced a fierce backlash from the flying public and their lawyers. For example, Delta terminated a program in 2003, after a threatened boycott, while JetBlue and Northwest were hit with class-action lawsuits following revelations that they secretly gave passenger data to government researchers [12].
BEYOND ROI

Long-term ITG success requires organizations to look beyond ROI and traditional accounting perspectives that focus on financial numbers. The three-stage model I've devised to gradually implement ITG policies, combined with my four-quadrant grid framework, provides a good starting point for initiating ITG and enabling management to address the issue from a more comprehensive perspective. This approach is a major departure from the historical accounting view of governance. A board of directors can include external members (such as a local community activist, public policy expert, professor, or welfare worker) to provide external perspectives, particularly with regard to public and social policy.

To accomplish governance objectives, a steering committee of senior IT and business executives can determine corporate IT priorities and capital investment. Many organizations have IT steering committees that govern and manage IT resources on a corporate level. An IT steering committee provides the advantage of involving (executive) business management in IT issues, aligning IT with business strategy. The need for an IT steering committee as a coordinating mechanism, according to [6], arose because information systems span all departments and functions. The members of such a committee are, therefore, senior representatives of the main divisions and functions, chaired by a top executive, preferably the CEO [6]. This approach can extend to self-directed work teams made up of IT staffers and business-unit liaisons to manage individual projects. Boundaries specify the kinds of decisions work teams can and cannot make. An overall enterprise architecture council that sets corporate IT standards, plus more targeted groups (such as an IT security council), can also be created.

The Information Systems Audit and Control Foundation (www.isaca.org) and the IT Governance Institute (www.itgi.org) have together developed an IT assessment tool called Control OBjectives for Information and related Technology, or COBIT, to measure IT performance and gather information needed to keep boards informed [4]. For example, the Scottsdale Institute (www.scottsdaleinstitute.org/general/default.asp) and First Consulting Group (www.fcg.com) have together developed a performance improvement program to help improve IT value in the health care industry. This tool, together with a complementary IT cost-benchmarking program, can help organizations understand their IT costs, compare themselves with other organizations, and network with them to gain insight into practices and lessons learned. Additionally, a knowledge repository can be developed to document organizational best practices in governance.
CONCLUSION

Transparency and accountability in corporate ITG are critical to stakeholder confidence and creating a positive image with the general public. There is no generally accepted model for ITG. However, my conceptual model, outlined here, is useful for such ITG development. The need to target different industries, stakeholder objectives, corporate cultures, institutional ITG frameworks, and traditions demands a range of approaches. Quality ITG influences ethical practices and corporate awareness of the environment and societal interests of the communities in which organizations operate. These practices, in turn, affect the reputation and long-term performance of the organization. A sound governance policy can minimize cost and schedule overruns. Pursuing the benefits of integrated ITG, many organizations set up IT governance committees [6]. In light of increased awareness of disclosure and transparency among companies, we can expect more governance practices supported by models and tools based on legal, ethical, and public policies and principles. Organizations would thus be better able to avoid unnecessary risk and ensure expensive projects remain under control vis-à-vis cost, schedule, and strategic alignment.

As the idea of ITG is still relatively new, we should seek additional insight from the best practices of successful organizations. The need for research in ITG model development, both prescriptive and normative, is clear. The role of IT in overall corporate governance can and should be investigated. Additionally, cross-cultural studies of compliance, disclosure, transparency, and IT governance will shed light on global differences in perceptions. Finally, empirical studies should be performed by academic researchers and practitioners alike to validate/confirm the broad frameworks outlined in this article.
REFERENCES

1. Henderson, J. and Venkatraman, N. Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal 38, 2-3 (1999), 472-484.
2. Hoffman, T. Disparate views of IT governance spark debate. Computerworld (May 5, 2003), 14.
3. Hoffman, T. CFOs push IT managers for more info about projects (Sarbanes-Oxley boosts reporting demands for CIOs). Computerworld (Apr. 28, 2003), 10.
4. IT Governance Institute. Board Briefing on IT Governance, 2nd Edition. Rolling Meadows, IL; www.itgi.org.
5. Mearian, L. Brokerages face big IT bills to comply with USA Patriot Act. Computerworld (Mar. 17, 2003), 12.
6. Nolan, R. and McFarlan, F. Information technology and the board of directors. Harvard Business Review 83, 10 (Oct. 2005), 96-106.
7. Scottsdale Institute. Closing the governance gap: Bringing boards into the IT equation. Information Edge 7, 7 (Aug. 2001).
8. Sharkey, J. Growing opposition to computer screening. New York Times (Feb. 10, 2004), C7.
9. Thibodeau, P. Offshore risks are numerous, say those who craft contracts. Computerworld (Nov. 3, 2003), 12.
10. Verton, D. Blaster worm linked to severity of blackout. Computerworld 37, 35 (Sept. 1, 2003), 1.
11. Verton, D. Inadequate systems play a role in Columbia disaster, report finds. Computerworld 37, 35 (Sept. 1, 2003), 5.
12. Vijayan, J. Laws, concern for corporate image make privacy a priority. Computerworld (Oct. 6, 2003), 12.

W. RP Raghupathi (raghupathi@fordham.edu) is an associate professor of information systems in the School of Business at Fordham University, New York.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

© 2007 ACM 0001-0782/07/0800 $5.00
