Explain the role of information technology governance institute (itgi) on infosec governance.

• Gartner client? Log in for personalized search results.

IT Governance (ITG)

IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG—what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG—how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.

The COBIT Mission: To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-today use by business managers and auditors.

Features

Author: Steven De Haes, Ph.D., Anant Joshi, Ph.D., Tim Huygh and Salvi Jansen
Date Published: 1 July 2017
español
Download PDF

IT governance, also referred to as governance of enterprise IT (GEIT) or corporate governance of IT, is a subset of corporate governance that is concerned with enterprise IT assets. In an analogy to corporate governance, IT governance is concerned with the oversight of IT assets, their contribution to business value and the mitigation of IT-related risk.1 A commonly referenced definition states:

Enterprise governance of IT is an integral part of corporate governance exercised by the board and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments.2

Prior studies identify five domains that warrant oversight of the board of directors (BoD) and executive management in governing IT assets:3, 4, 5, 6

• Strategic alignment—Focuses on aligning business and IT strategies and operations
• Value delivery—Concentrates on optimizing expenses and proving the value of IT
• Risk management—Addresses the IT-related business risk
• Resource management—Optimizes IT-related knowledge and resources
• Performance measurement—Monitors IT-enabled investment and service delivery

Emerging research calls for more board-level engagement in IT governance and identifies serious consequences for enterprises if the board is not involved. For example, high levels of board engagement in IT governance, regardless of existing IT needs, increases enterprise performance.7 From the board perspective, there is also a growing need to comply with an increasing amount of regulatory and legal requirements (e.g., privacy), of which many also impact IT. These regulatory requirements redefine the responsibilities of the BoD for IT governance.8

Despite the agreement between researchers and practitioners on the need for board-level involvement in IT governance, it appears that this is more the exception than the rule in practice.9, 10, 11 This article builds on the assumption that the behavior of the board toward IT governance and digital leadership can be influenced by external factors, such as corporate governance codes,12 and describes the study that answers the questions:

• What IT governance-related guidelines are contained in national corporate governance codes?
• What differences can be observed between various corporate governance codes?

Research Design

The research began with a literature review to underpin the study and to define the main concepts that were used in the research project.

Next, a sample of international corporate governance codes was analyzed. The selection of national corporate governance codes was based on two dimensions—geography (i.e., continent) and economy (i.e., income groups). Using an index of all of the corporate governance codes around the world,13 a national corporate governance code was selected to populate as many cells as possible (figure 1). When a country had multiple corporate governance codes, the most recent code for listed companies was selected. An additional requirement was that the corporate governance code should be available in English. The final sample of national corporate governance codes (N=15) is presented in figure 1.

To analyze each corporate governance code for IT-governance-related content, an IT governance transparency framework was used.14 This IT governance disclosure framework contains 39 disclosure items that are distributed over the following domains (focus areas): IT strategic alignment, IT value delivery, IT risk management and IT performance measurement (figure 2). Because the IT resource management domain overlays all other focus areas,15 the framework incorporates IT resource items across all of the four remaining IT governance focus areas.16 Using the IT governance transparency framework as a coding frame, a binary classification approach was used to analyze the national corporate governance codes, i.e., an item is scored 1 if the item is present as a guideline or practice in the corporate governance code and scored 0 otherwise.

Corporate Governance Codes Make Little Reference to IT Governance or Digital Leadership

Figure 2 presents the item-level analysis of the 15 corporate governance codes for IT governance-related content. A first general observation is that, aside from the South African code, the corporate governance codes score very low overall for including IT-governance-related practices or guidelines. A reasonable explanation is that many national corporate governance codes are based on the Organization for Economic Cooperation and Development (OECD) principles of corporate governance.17 Eight of the 15 national corporate governance codes explicitly state that they are based on the OECD principles. The remaining seven corporate governance codes show a lot of similarities with the OECD principles, but do not explicitly refer to OECD. Because the G20/OECD principles do not include specific directives regarding IT governance or IT-governance disclosure (aside from using the company website as a disclosure channel for material company information), it is not an unreasonable assumption that this might lead to a low attention to IT-governance-related matters in the national corporate governance codes that use these principles as a blueprint.

An interesting observation at the item level is that use of IT for regulation and compliance in the IT risk management domain is found in 11 of the 15 selected corporate governance codes. Again, a reasonable explanation can be found in the G20/OECD principles on corporate governance. As part of disclosure and transparency, it states that the organization website provides an excellent means to disclose material company information.18 This is, indeed, a way of using IT for regulation and compliance. Finally, the IT is part of audit committee item, belonging to the IT strategic alignment domain, is also found in the Macedonia corporate governance code. These are the only two disclosure items that were found in corporate governance codes other than South Africa.

Indeed, the South Africa corporate governance code, King III,19 contains a significant amount of IT-governance-related guidance. King III came into effect for South African entities beginning 1 March 2010 and is applicable to all entities (regardless of their size and whether or not they are listed). King III contains an IT-governance chapter consisting of seven IT-governance principles and some additional and more detailed recommended practices for each of these principles (figure 3).20

Conclusions and Implications

In this research project, a selection of national corporate governance codes was analyzed for IT governance-related content. The findings showed that only the contemporary South African corporate governance code, King III, contains a significant amount of IT governance-related guidance.

As IT becomes more pervasive in firms all over the world, it makes sense for boards to take on accountability for IT-related matters. This view is shared by researchers and practitioners alike. In transitioning from COBIT 4.1 to COBIT 5, ISACA clearly emphasized the need for board involvement in enterprise governance and management of IT. It did so by explicitly including board-level accountabilities and responsibilities in the EDM domain, thereby further emphasizing the separation between the governance and management of IT. Because boards around the world are directly influenced by corporate governance codes, it makes sense for the committees that are drafting national corporate governance codes to include guidance for board members, to enable them for their accountabilities and responsibilities in the realm of IT governance.

Acknowledgment

This research is part of a co-created research project by KPMG Belgium, CEGEKA Belgium, Samsung Belgium, the Antwerp Management School and the University of Antwerp (Belgium). The leadership role of the industry partners in supporting this research is focused on better understanding the crucial accountability of the BoD in governing digital assets and providing solutions and tools for these board members to assume their accountability.

Endnotes

1 Weill, P.; J. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, USA, 2004, www.abebooks.com/book-search/isbn/1591392535/
2 De Haes, S.; W. Van Grembergen; Enterprise Governance of Information Technology, Springer, Germany, 2015, www.springer.com/gp/book/9781441946621
3 Butler, R.; M. J. Butler; “Beyond King III: Assigning Accountability for IT Governance in South African Enterprises,” South African Journal of Business Management, vol. 41, iss. 3, 2010, p. 33-35
4 IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, 2003
5 Posthumus, S.; R. Von Solms; “The Board and IT Governance: Towards Practical Implementation Guidelines,” Journal of Contemporary Management, vol. 7, 2010, p. 574-596
6 Valentine, E.; G. Stewart; “Enterprise Business Technology Governance: Three Competencies to Build Board Digital Leadership Capability,” 48th Hawaii International Conference on System Sciences, IEEE, 2015, p. 4513-4522, http://ieeexplore.ieee.org/document/7070359/
7 Turel, O.; C. Bart; “Board-level IT Governance and Organizational Performance,” European Journal of Information Systems, vol. 23, iss. 2, 2014, p. 223-239, http://link.springer.com/article/10.1057%2Fejis.2012.61
8 Trites, G.; “Director Responsibility for IT Governance,” International Journal of Accounting Information Systems, vol. 5., iss. 2, 2004, p. 89-99, www.sciencedirect.com/science/article/pii/S1467089504000089
9 Bart, C.; O. Turel; “IT and the Board of Directors: An Empirical Investigation Into the Governance Questions Canadian Board Members Ask About IT,” Journal of Information Systems: Fall 2010, vol. 24, iss. 2, 2010, p. 147-172, http://aaajournals.org/doi/abs/10.2308/jis.2010.24.2.147
10 Andriole, S.; “Boards of Directors and Technology Governance: The Surprising State of the Practice,” Communications of the Association for Information Systems, vol. 24, article 22, 2009, http://aisel.aisnet.org/cgi/viewcontent.cgi?article=3418&context=cais
11 Coertze, J.; R. Von Solms; “The Board and CIO: The IT Alignment Challenge,” 47th Hawaii International Conference on System Sciences, IEEE, 2014, http://ieeexplore.ieee.org/document/6759147/
12 Parent, M.; B. H. Reich; “Governing Information Technology Risk,” California Management Review, vol. 51, iss. 3, 2009, p. 134
13 European Corporate Governance Institute, “Index of Codes,” www.ecgi.org/codes/all_codes.php
14 Joshi, A.; L. Bollen; H. Hassink; “An Empirical Assessment of IT Governance Transparency: Evidence from Commercial Banking,” Information Systems Management, 2013, www.tandfonline.com/doi/abs/10.1080/10580530.2013.773805
15 Op cit, IT Governance Institute
16 Op cit, Joshi
17 Organisation for Economic Co-operation and Development, G20/OECD Principles of Corporate Governance, 30 November 2015, www.oecd-ilibrary.org/governance/g20-oecd-principles-of-corporate-governance-2015_9789264236882-en
18 Op cit, OECD
19 The next version of the Corporate Governance Code, King IV, will be released in 2017.
20 Institute of Directors in South Africa; King III Code of Corporate Governance for South Africa, 2009, https://c.ymcdn.com/sites/www.iodsa.co.za/resource/collection/94445006-4F18-4335-B7FB-7F5A8B23FB3F/King_III_Code_for_Governance_Principles_.pdf

Steven De Haes, Ph.D.
Is a full professor of information systems management at the University of Antwerp—Faculty of Applied Economics and at the Antwerp Management School (Belgium). He is actively engaged in teaching and applied research in the domains of digital strategies; IT governance and management; IT strategy and alignment; IT value and performance management; IT assurance and audit; and information risk and security. He acts as the academic director for this research program.

Anant Joshi, Ph.D.
Is a researcher at the University of Antwerp and Antwerp Management School (Belgium) and an assistant professor at Maastricht University (The Netherlands). His research interests include corporate governance of IT, business value of IT and corporate governance.

Tim Huygh
Is a Ph.D. candidate in information technology governance at the department of management information systems of the Faculty of Applied Economics at the University of Antwerp. His research interests include IT governance and management, and business/IT alignment.

Salvi Jansen
Is a business engineer in management information systems and a consultant at KPMG Advisory in Belgium. Working in the IT governance and strategic alignment field, he aims to provide the business with fact-based insights and enjoys delivering audit and advisory engagements in a variety of sectors. His research interest is IT governance and focuses on the processes, controls and capabilities that are needed at the executive level to direct and control IT management.

What are the 5 types of IT governance?

What is governance in information technology?

What are the four 4 focus areas of IT governance?

What is the role of IT governance?