Research Offers Glimpse into Muddy State of IT Governance

If a CEO must vouch for the accuracy of accounting practices, as required by the U.S.’s Sarbanes-Oxley Act of 2002, who within a company ensures that its financial application runs correctly? Or, if a CFO must demonstrate to shareholders that the company’s budget is optimally allocated, does he also have to make sure his human resources department got the best possible deal on its payroll software?
Some analysts say that IT governance is the responsibility of the CEO and is a key component of overall corporate governance. But in reality, companies’ IT governance roles are ill-defined and IT governance practices are all over the map. They range from structured, well-defined, well-managed systems to ad-hoc, non-systematic decision making, which may or may not be in line with corporate objectives and requirements.
Therefore non-profit IT Governance Institute (ITGI) commissioned researchers from PricewaterhouseCoopers to survey 695 CEOs and CIOs from 22 countries to get an idea of just where IT governance stands on the corporate priority list. The results reveal a lack of clarity about what IT governance is and who is responsible for it.
ITGI’s report “IT Governance Global Status Report – 2006” finds that just 17 percent of companies surveyed have implemented any type of IT governance solution or framework. Thirty-six percent aren’t even considering implementing one.

Unclear roles and responsibilities

One issue is awareness, the study finds. Thirty-five percent of respondents say they are not aware of organizations that offer structured methodologies or tools for designing an IT governance system. That, despite the fact that everyone from big consulting firms such as Accenture and McKinsey, to smaller niche consultants and technology analysts, to ITGI itself offer such things.
SAP for example offers a set of applications named „SAP solutions for Governance, Risk, and Compliance“ specifically for these needs. As well the Americas’ SAP Users’ Group (ASUG) Benchmarking and Best Practices program offers SAP customers data with which they can measure and manage IT performance. Of course, those things would only be helpful for companies with IT governance on the radar.
Another result shows that at six percent of companies surveyed, nobody claims responsibility for IT governance. At 33 percent of companies surveyed, the CIO claims responsibility for IT governance. That, despite the fact that many researchers, including ITGI, say that it is a CEO responsibility.
One survey question was designed to assess the value CEOs and CFOs say they are getting from their IT systems, in terms of better customer relations, better risk management, lower cost or higher product leadership. Twenty-six percent of those surveyed say they are getting no value at all or not very much value, or that they are not sure if they are getting any value.
Since it’s considered optimal IT governance when IT systems create value for the business, the data shows a disconnect between best practices and real-world practices. “Clearly, attention to IT value management is required,” the ITGI report says.

COBIT: controlling, managing and measuring IT processes

The report also assessed the use of the Control Objectives for Information and Related Technology (COBIT) 4.0, an IT governance framework advocated by ITGI and the non-profit Information Systems Audit and Control Association (ISACA). According to ITGI, COBIT is “an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.”
COBIT is a system for controlling, managing and measuring 34 IT processes. For instance, COBIT offers a process for risk management along with criteria to ensure risks are controlled. COBIT defines a high-level control objective, a detailed control objective, management guidelines and a maturity model for each process. COBIT incorporates controls necessitated by Sarbanes-Oxley and other international rules.
COBIT also adheres to five specific IT governance focus areas. They are strategic alignment between IT and business goals, value delivery that ensures IT creates its promised benefits, resource management that ensures optimal investment in and proper management of IT resources, risk management, and performance management, which tracks resource usage, process performance and other benefits not measurable by traditional accounting.

Interplay COBIT, ISO 9000, ITIL

According to Forrester Research, COBIT is complemented by ISO 9000 and ITIL. ISO provides security controls, but not implementation guidance. ITIL describes how to structure operational processes, but is weak on security. And COBIT is focused on controls and metrics. It lacks a security component but offers a global view of IT processes and management that ITIL doesn’t offer.
In the Forrester report, “The Management Process Alphabet Soup,” the analyst writes, “Looking at these frameworks, we find that they are mainly complementary, but they lack directly actionable recommendations, which makes them excellent guides and checklists rather than implementation blueprints.”
But: The report finds that just nine percent of respondents use or are considering using COBIT, while 21 percent use or are considering using International Organization for Standardization (ISO) 9000, and 13 percent use or are considering using IT Infrastructure Library (ITIL).
That relates to another ITGI survey finding. A high number of respondents, 33 percent, use an internally developed framework for IT governance. They could be using systems that incorporate several tools like COBIT and ITIL, for example, or they could be using a completely unique system.

Leadership needed

Of the group of survey respondents who say IT governance is not on their radar at all, ITGI says at least 80 percent are actually performing some actions that could be classified as IT governance. Those include processes related to controlling IT costs, managing IT resources, and aligning IT strategy and overall strategy, for instance.
Still, the report data shows that some companies are a long way from implementing consistent IT governance. For instance, just 25 percent of respondents say the IT is always on the organization board’s agenda. A startling 36 percent say that IT is sometimes or never on the agenda. Since IT governance is a CEO-level priority, it’s fair to conclude that it needs more attention in the board room.
McKinsey puts the problem this way: “IT and the business too often lack a common understanding of the company’s basic objectives and have conflicting opinions about technology options and priorities,” write authors Eric Monnoyer and Paul Willmott in the McKinsey Quarterly. “The problem,” they say, “is that some companies rely on IT governance systems rather than true IT leadership.”
In the end, researchers agree that for IT governance to be a successful aspect of corporate governance, it must be systematic but flexible and responsive to changing circumstances. And it must be the responsibility of corporate leaders.
According to ITGI, “Simply put, IT governance and the effective application of an IT governance framework are the responsibilities of the board of directors and executive management.” Easier said than done.

Sarah Z. Sleeper
Sarah Z. Sleeper