Information Technology Governance, IT Governance or ICT Governance, is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.
A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. The traditional handling of IT management by board-level executives is that due to limited technical experience and IT complexity, key decisions are deferred to IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision-making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected:
- A board needs to understand the overall architecture of its company's IT applications portfolio ... The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue... [1]
Definitions
There are narrower and broader definitions of IT governance. Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT."[2] In contrast, the IT Governance Institute expands the definition to include underpinning mechanisms: "... the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives."[3] AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
Background
The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT-related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.
The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, infrastructure, etc.
Decision rights are a key concern of IT governance, being the primary topic of the book by that name by Weill and Ross.[4] According to Weill and Ross, depending on the size, business scope, and IT maturity of an organization, either centralized, decentralized or federated models of responsibility for dealing with strategic IT matters are suggested. In this view, the well-defined control of IT is the key to success.
After the widely reported collapse of Enron in 2000, and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of the boards of directors for public and privately held corporations were questioned. As a response to this, and to attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Sarbanes-Oxley and Basel II in Europe have been catalysts for the development of the discipline of information technology governance since the early 2000s. However, the concerns of Sarbanes-Oxley (in particular Section 404) have less to do with IT decision rights as discussed by Weill and Ross, and more to do with operational control processes such as change management.
Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. A series of Australian Standards for Corporate Governance was published in 2003. These were:
- Good Governance Principles (AS8000)
- Fraud and Corruption Control (AS8001)
- Organisational Codes of Conduct (AS8002)
- Corporate Social Responsibility (AS8003)
- Whistle Blower protection programs (AS8004)
In 2005, AS8015 Corporate Governance of ICT was published.
Problems with IT governance
Nicholas Carr has emerged as a prominent critic of the idea that information technology confers strategic advantage.[5] This line of criticism might imply that significant attention to IT governance is not a worthwhile pursuit for senior corporate leadership. However, Carr also indicates counterbalancing concern for effective IT risk management. The manifestation of IT governance objectives through detailed process controls (e.g. in the context of project management) is a frequently controversial matter in large-scale IT management. See Agile methods. The difficulty of achieving a balance between financial transparency and cost-effective data capture in IT financial management (i.e., to enable chargeback) is a continual topic of discussion in the professional literature[6][7] and can be seen as a practical limitation to IT governance.
Relationship to other IT disciplines
IT governance is supported by disciplines such as:
IT Asset Management (ITAM) is the set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. ...
IT portfolio management is the application of systematic management to large classes of items managed by enterprise information technology (IT) capabilities. ...
Enterprise Architecture is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organizations processes, information systems, personnel and organizational sub-units, so that they align with the organizations core goals and strategic direction. ...
The term Project governance is used in industry, especially in the information technology (IT) sector, to describe the processes that need to exist for a successful project. ...
Project Management is the discipline of organizing and managing resources in such a way that these resources deliver all the work required to complete a project within defined scope, quality, time and cost constraints. ...
Program management is the process of managing multiple ongoing inter-dependent projects. ...
IT Service Management (ITSM) is a discipline for managing large-scale information technology (IT) systems, philosophically centered on the ITSM stands in deliberate contrast to technology-centered approaches to IT management and business interaction. ...
Frameworks
There are quite a few supporting mechanisms developed to guide the implementation of information technology governance. Some of them are:
- Control Objectives for Information and related Technology (COBIT) is another approach to standardize good information technology security and control practices. This is done by providing tools to assess and measure the performance of 34 IT processes of an organization. The ITGI (IT Governance Institute) is responsible for COBIT.
- The ISO/IEC 27001 (ISO 27001) is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 (BS7799), which was published in the United Kingdom and became a well-known standard in the industry that was used to provide guidance to organizations in the practice of information security.
- The Information Security Management Maturity Model ISM3 is a process based ISM maturity model for security.
- AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology
Others include:
- BS7799 - focus on IT security
- CMM The Capability Maturity Model - focus on software engineering
Non-IT specific frameworks of use include:
- The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas.
- Six Sigma - focus on quality assurance
Inline references
- Nolan, R. and F. W. McFarlan (2005). “Information Technology and the Board of Directors.” Harvard Business Review (October 2005).
- Weill, P. & Ross, J. W., 2004, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, Boston.
- IT Governance Institute 2003, "Board Briefing on IT Governance, 2nd Edition". Retrieved January 18, 2006 from http://www.isaca.org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_IT_Governance/26904_Board_Briefing_final.pdf
- Weill P., Ross J., IT Governance: How Top Performers Manage IT for Superior Results, Harvard Business School Press, 2004, ISBN 1-59139-253-5
- Carr, N. G. (2004). Does IT matter? : information technology and the corrosion of competitive advantage. Boston, Harvard Business School Press. ISBN 1-59139-444-9
- Office of Government Commerce (2001). Service Delivery: Capacity Management, Availability Management, Service Level Management, IT Service Continuity, Financial Management for IT Services and Customer Relationship Management. OGC, ITIL© Managing IT Services (IT Infrastructure Library). London, The Stationery Office. ISBN 0-11-330017-4
- Remenyi, D., A. H. Money, et al. (2000). The effective measurement and management of IT costs and benefits. Computer weekly professional series. Oxford ; Boston, Butterworth-Heinemann. ISBN 0-7506-4420-6
See also
Enterprise Architecture is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's processes, information systems, personnel and organizational sub-units, so that they align with the organization's core goals and strategic direction. ...
IT portfolio management is the application of systematic management to large classes of items managed by enterprise information technology (IT) capabilities. ...
IT Service Management (ITSM) is a discipline for managing large-scale information technology (IT) systems, philosophically centered on the ITSM stands in deliberate contrast to technology-centered approaches to IT management and business interaction. ...
Information Systems Audit and Control Association (ISACA) Is an international association for the support and improvement of professionals whose jobs involve the auditing of corporate and system controls. ...
The term Project governance is used in industry, especially in the information technology (IT) sector, to describe the processes that need to exist for a successful project. ...
Val IT is a suite of documents that provide a framework for the governance of IT investments, produced by ISACA, one of the peak bodies concerned with information systems governance and auditing. ...
Other references
- Lutchen, M. (2004). Managing IT as a business : a survival guide for CEOs. Hoboken, N.J., J. Wiley. ISBN 0-471-47104-6
- March J., Simon H., Organizations, Blackwell Publishers, 1993 (First ed. Wiley, 1958), ISBN 0-631-18631-X
- Van Grembergen W., Strategies for Information technology Governance, IDEA Group Publishing, 2004, ISBN 1-59140-284-0
- Georgel F., IT Gouvernance : Maitrise d'un systeme d'information, Dunod, 2004 (Ed1), 2006 (Ed2), ISBN 2-10-050241-7
See also the bibliography sections of IT Portfolio Management and IT Service Management.
- Renz, Patrick S. (2007). "Project Governance." Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7