Why IT governance should fall to the board

Not everything in IT should be down to the CIO

IT governance is often wrongly delegated to the CIO. That situation must change if IT governance is to meet the principles defined in corporate governance, says Julie Short.

A collapse of trust in business management over the past 10 years has led to regulations to make good corporate governance mandatory. With the recent financial crisis, corporate governance has again received close attention.

It seems professional investors are willing to pay a premium for companies with strong, effective corporate governance. But IT executives, considered the guardians of key IT corporate assets, often struggle to implement effective IT governance in line with corporate governance goals.

Corporate governance provides the structure for determining organisational goals, allocating the authority to achieve them and monitoring performance to ensure those objectives are attained. Although several principles of corporate governance influence IT governance, there are two where this influence is substantial:

  • Disclosure and transparency
    This refers to the financial and operational information of the organisation and foreseeable risk factors.
  • Responsibility of the board of directors
    This involves ensuring strategic guidance to the organisation, effective monitoring and responsibility to stakeholders.

Although the degree of liability varies from country to country, board members are expected to act in the best interest of stakeholders to approve strategy, to oversee management, to make key decisions and to approve the systems of risk oversight and internal control. Capital spending on IT assets may be as much as 50 per cent of the total capital spending in some organisations.

But when it comes to managing those assets, few boards understand how much their organisations rely on IT for continuing operations, or on the information assets that reside in numerous applications across their infrastructure. Few realise how much of a role IT plays in enabling or hindering their business strategy.

Few boards realise how many business decisions rely on the information contained in these assets. Even fewer have the fundamental knowledge needed to ensure that the appropriate oversight is in place. But these issues do not relieve them of responsibility to ensure the company's IT assets are governed appropriately.

IT governance is not simply the management of IT. It refers to how organisations ensure that IT assets deliver business value, that their performance is measured and that their risks are mitigated. As with all governance, there is no single solution.

Effective IT governance must be a cohesive, integrated process aligned with the business, compatible with the management decision-making style and culture, and perceived by business management as providing value.

Too often IT governance has been left to the CIO without engaging the board, which has the responsibility to understand the inherent risks and strategic importance of IT. I firmly believe that boards must be more involved in IT governance to ensure their organisations will be able to sustain operations and implement future strategies.

I also believe IT professionals need to educate themselves on the principles of corporate governance to work more closely with the business and to implement IT governance in a manner that supports the principles of corporate governance.

Gartner's IT Governance Demand-Supply Model clearly states that IT governance is a business goal, not just an IT goal. IT governance is defined as addressing two main areas: demand-side governance - deciding what IT should work on - and supply-side governance - deciding how IT should do what it does.

Demand-side governance is a management investment decision-making and oversight process; therefore, it is primarily a business management responsibility, driven by the decision authority delegated under the corporate governance umbrella.

Supply-side governance is primarily the CIO's responsibility and is the mechanism that ensures compliance with corporate policies, such as those addressing regulatory compliance, security and procurement.

In speaking with clients, I see the lines between the business and IT becoming more blurred. I see IT tasks being performed in the business, business taking on IT leadership roles and vice versa.

But when it comes to IT governance, I see that often this is erroneously...