By: Dave Pultorak in conjunction with the Enterprise Computing

After years of stable development, corporate governance is
receiving significant attention. Historically, there was a strong emphasis on
finance, so much so that governance was virtually synonymous with the
measuring, monitoring, and reporting of the financial condition of the enterprise.

But that has changed. About a decade ago it became clear
that focusing on financial performance alone was not enough to ensure
sustainable results. This fact was highlighted by Robert S. Kaplan and David P.
Norton and summarized in their research. Kaplan and Norton recommended a
“balanced scorecard” of governance dimensions, including business process,
customer fulfillment, and learning and growth, in addition to financial
performance. The balanced scorecard dramatically extended the factors to be
considered in corporate governance.

In the nine years since Kaplan and Norton first published their
research, the number of authorities, pieces of legislation, and industry
regulations and standards that corporations must comply with has increased
dramatically. And many corporations have stumbled even as they worked towards a
balanced scorecard of results because the way they conducted themselves “turned
off” rather than “turned on” relevant stakeholders.

And while business fundamentals remain the same, the
landscape on which business is played out has changed drastically since 1996,
when business use of the Internet was still in its infancy. Today, enterprises
are thoroughly networked entities operating in massively networked
marketplaces. A corporation’s customers, competition, and colleagues are all
deeply interconnected. The result of a networked marketplace is an increase in
both the frequency and variability of demands on the business, including
opportunities and threats.

An example may help illustrate: imagine yourself as a
medieval ruler presiding over a backward country with no good road system
interconnecting its villages. You take the bold stroke of building roads
interconnecting the villages. As a result of your actions, vendors now have a
realistic opportunity to sell their wares in not just one market, but several
markets. And highwaymen now have a realistic opportunity of robbing people on
more than just one road. The end result is that by networking the villages with
a system of roads, you have increased both the frequency and variability of
opportunities and threats. This is precisely what has happened with our economy
with the “Internet highway.” This situation creates a requirement for corporate
directors to broaden the foundation of corporate governance, and the need for a
framework for the corporation to meet its obligation to recognized goals in an
organized way with regard to a wide range of stakeholders.

The CPR Governance Framework, first put forward by IT
management consultant David Pultorak in a 2003 webcast of the same name, is
such a framework. The CPR governance framework divides governance into
three dimensions: conformance, performance, and rapport.


Conformance is about ensuring compliance. It is establishing
and managing the control objectives. Conformance activities consist of documenting
what you plan to do, doing it, and accumulating evidence that you are doing it.
The goal of conformance is compliance with relevant authorities. The instrument
for measuring conformance results is the audit. All businesses must conform to:

  • Regulatory authorities, such as the IRS and the FDA
  • Legal requirements, such as the Sarbanes-Oxley Act
  • Industry-specific rules, such as HIPAA
  • Market expectations of customers and professional associations, such as hotel
  • Professional codes of behavior and ethics.

Some of these conformance areas are mandatory. Others are
theoretically optional but necessary for business purposes. For example, while
there is no legal requirement for a hotel to maintain a three-to-five-star
rating, customers will avoid hotels without such ratings. And while there is no
legal requirement for members of an industry association to abide by its code
of ethics, compliance with such codes makes good business sense.


Performance is about ensuring efficiency and effectiveness.
It is doing the right things, right. The goal of performance is efficiency and
effectiveness. Performance is about ensuring the predictable, sustainable
creation of customer value and company profit. The instrument for measuring
performance results is the assessment review. All businesses must measure,
monitor, and report on relevant performance indicators, including financial
measures, product capabilities, employee productivity, internal business
process, customer fulfillment, learning and growth, and agility. These areas
extend further the balanced scorecard idea of governing beyond financial
performance indicators as a means to sustainable results.


Rapport is about ensuring that the business relates to
relevant stakeholders in a consistent and responsible way. Rapport covers
social values and standards, providing transparent performance statistics,
demonstrating integrity, and balancing the interests of stakeholders. It is
about ensuring how you do things (the means) “turns on” and does not “turn off”
relevant stakeholders. The goal of rapport is good relations with relevant
stakeholders. The instrument for measuring rapport results is the survey.

Governance requires action. It suggests behaviors to guide
relationships between and among corporations and their constituent parts. While
governance can sometimes be viewed as formal rules and procedures, there are
things you can do tomorrow to shape your board’s view of IT governance:

  • Suggest a discussion on governance be placed on the board agenda to gain
    concurrence on your board’s thinking on the matter.
  • Have the wider definition of governance broadcast throughout the corporation.
  • Propose that the wider definition of governance filter out to key customers and
  • Ask company management to discuss vital business drivers with IT management to
    further business and IT alignment.
  • Invite IT management to report on the effectiveness of service-level agreements
    already in place within the corporation.
  • Seek support from the National Association of Corporate Directors (NACD) for
    white papers and training on governance in the large, and IT governance in
In the long run, governance is strongly oriented towards
sustainability: ensuring that the corporation is successful today and
positioned for tomorrow. Corporate governance, including IT governance, is
simultaneously the scout and sentry on the frontier of company growth.

The Enterprise Computing
helps IT professionals solve problems and simplify the management
of IT through consulting and training based on the best-selling Enterprise
Computing Institute book series.