IT Governance: Toward a Unified Framework Linked to and Driven by Corporate Governance
David Pultorak
Introduction
At the time of this writing, the industry has yet to sort out the precise nature of IT governance. IT governance remains an evolving concept within an evolving concept: that of corporate governance. The old adage, "What you see depends on where you sit," describes precisely where we are in the discourse around the nature of IT governance. Existing perspectives on the nature of IT governance include the following:
IT managers and specialized IT staff tend to see IT governance as a mechanism for aligning business and IT at the level of the program office, projects, and significant IT investments and architectural decisions.
IT auditors tend to see IT governance as a control mechanism to ensure compliance with relevant authorities and to manage risk to the business.
IT service management professionals tend to see IT governance as ensuring IT services are aligned to current and future business needs, meet quality objectives as perceived by the customers, and are managed for efficiency and effectiveness.
Corporate board members and top managers sometimes do not know what to make of IT governance (just as they are sometimes at a loss for what to make of IT in general) and have in some cases abdicated responsibility for IT governance.
Except in the last instance, there is nothing inherently wrong with any of these perspectives. What is wrong and dangerous is an over-focus on one perspective, or the persistence in the organization of multiple, unaligned perspectives. For example, many organizations coping with Sarbanes-Oxley start to see corporate governance solely as control around financial reporting and pay little regard to other aspects of governance. The operational reality in many of today's organizations is that IT governance is conducted as an unaligned set of activities based on a mix of competing micro-theories, the unintended consequence of which is the creation of the very inefficiencies and risk exposures that governance mechanisms are intended to address.
This chapter looks at IT governance from a perspective and scope that is different from what is common today. It takes the position that IT governance, properly construed, is a discipline within corporate governance, and as such, the board's perspective should be primary and the board should be the ultimate driver of IT governance. As a discipline within corporate governance, IT governance activity should be directed in the dimensions important to corporate governance: Conformance, Performance, and Relating Responsibly (CPR), where
Conformance is ensuring that the corporation meets relevant regulatory requirements.
Performance is ensuring that the corporation achieves its performance objectives.
Relating responsibly is paying appropriate attention to relevant stakeholders.
We start by briefly recounting the evolution of the concept of corporate governance. We then outline a three-part CPR framework for board-directed governance and provide guidance on how to implement the CPR framework for IT governance.