Since Sarbanes-Oxley has become a household name, the criticality of governance has been at the forefront of business strategy and priorities nation- and worldwide. While corporate governance is mandated in terms of adherence to a handful of industry and financial legislations, the general concept of governance for better control and assurance is still a work in progress in nonmandated arenas such as IT management.


Yet long before Sarbanes-Oxley, HIPAA and BASEL II, the IT community was interested in better controls and management. In 1998, industry association ISACA (Information Systems Audit and Control Association) tapped a six-year-old audit tool, COBIT (Control Objectives for Information Related Technologies), to serve as the IT industry’s first governance framework. In concept, IT governance would be mandated by a company’s board of directors, helping enterprises ensure greater value for the IT organization by ensuring steps for business alignment and management of risk, resources and performance.


All of this sounded very utopian, but it wasn’t really until after 9/11 and the nation’s urgent attention to security, coupled with growing awareness of corporate bankruptcies and fraud, that compliance really started driving rapid adoption and strategies for IT governance.


Bolstering the adoption were organizations like ISACA and the IT Governance Institute, consulting firms, technology analysts and academics. Among them, Peter Weill and Jeanne W. Ross of MIT’s Sloan School of Management literally wrote the book on how companies can best approach the complex - but business-changing - practice of IT governance. In their book, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Weill and Ross summarize the findings of interviews with 250 enterprises: Companies with strong IT governance perform 25 percent better than those without it.1


Think of it this way: if 50 percent of a typical organization’s capital expenditure budget goes to IT, and 80 percent of that budget today goes to simply “keeping the lights on,” or treading water, who wouldn’t want to put in place a methodology and process to get more from less? Indeed, great IT governance can help organizations use existing resources and funding to not only maintain what they already have invested in, but also better balance the need for new product R&D and keep ahead of compliance. If the current reality is an 80/20 split of budget for “have to have” versus discretionary spend items, organizations with solid IT governance can help move that equation to more like 60/40—all to drive better business advantage and improve IT value to the organization.


To be clear, however, the goal of IT governance is not to drive every IT organization from a utility or trusted supplier archetype to that of a value-added “partner” to the business. While this sounds good on paper, the reality is that it is not always appropriate in practice. Identifying the kind of IT archetype your business needs is one of the first, most crucial steps toward creating the appropriate governance processes. Following are the IT archetypes, as defined by Forrester Research, and supporting examples.2

  • Utility player: In a business not driven by IT, such as established manufacturing, where the business value comes from cost-effectively producing consumer goods.
  • Trusted supplier: Where IT can begin to transform how a business provides its service, such as the impact Harrah’s use of customer relationship management (CRM) technology had on transforming the customer’s gaming experience.
  • Partner player: Where information technology is the cornerstone of the business, such as for PayPal or Autobytel.

Regardless of the archetype, all IT organizations and their CIOs still have consistent barriers to being effective that IT governance can address, including: addressing unrealistic expectations, gaining sponsorship for new programs, ensuring project success, responding to service requests and outages, and proving their value to the business.


IT Governance in Action


Following are a few examples highlighted by Peter Weill and Jeanne Ross in MIT’s CISR Research, of companies that have used IT governance to improve return on their IT investment and achieve more value from IT.

  • Improve IT alignment to meet enterprise goals: State Street. State Street is a world leader in financial services, with more than 22,000 employees in 22 countries serving clients in more than 100 markets. State Street implemented a governance structure that encouraged desirable behaviors in IT. For example, project managers indicated that the architectural review process helped deliver solutions more quickly because technology issues surfaced before they negatively impacted projects. The shared infrastructure governance model has evolved to address the joint needs of businesses. The IT governance structure enabled consolidation of the IT infrastructure, resulting in significant cost savings and cost avoidance, while still enabling new offerings to clients.3
  • Enable collaborative decision-making: UNICEF. UNICEF instituted a centralized approach to IT governance. The CIO established a governance structure enabling IT to work with other C-level managers to establish priorities and act on decisions. IT governance transformed the way UNICEF operates and has improved global knowledge, information flow, transparency and communication.4
  • Drive more value from a shared infrastructure: ING DIRECT. ING DIRECT implemented an IT governance structure that enabled its eight country-based businesses to act autonomously while sharing a common, “standardized” business model. This model supports ING DIRECT’s ability to build modules for reuse, thereby standardizing applications and achieving a universally compatible architecture.5

Four Priorities for Bringing IT Governance to Your Company


IT governance is not a plug-and-play application. It is a journey requiring executive commitment, continuous improvement, effective process management and organizational buy-in. The following are top-line “must haves” for any organization considering IT governance.


Executive sponsorship: vision and enablement. Many business initiatives can take shape from a grass-roots level by finding a small seed project to use as a showcase to engage business management. However, when it comes to something as game changing as IT governance, a grassroots approach is almost always futile and frustrating. Ideally, instead, IT governance is driven from the top down by leadership that can provide vision of the “N” state, articulate its benefits to solicit participation, engage the business and overcome roadblocks. Moving an organization from being function-centric to process-centric requires cultural and organizational changes. Because there is no one-size-fits-all solution or prescriptive approach, there will be fits and starts, obstacles and failures. Therefore, you need to have leaders with the courage and fortitude to venture into the unknown and learn as you go. This can start with a CIO, so long as the CIO has a “seat” at the business management table and is already in a role of strategic influence.


Business participation. Business governance of IT is where this concept started, i.e., the board of directors being the intended drivers of IT governance. But when business doesn’t do this, IT must be able to help drive involvement by showing benefits at an enterprise level. When done well, IT is aligned with the business, bringing value. Conversely, if IT tries to drive decisions without business involvement, it will only lead to misunderstanding and potential mistrust.


The core of IT governance is about making decisions in regard to the use of technology: what decisions need to be made, who is accountable for making decisions and how decisions are made. Historically, far too many technology decisions have been made without business participation. The first step in establishing IT governance is to understand the required decisions and assign the appropriate business accountability. Determining the role of business is crucial in decisions regarding IT’s role in the enterprise, the appropriate architecture, infrastructure, applications and how IT dollars are spent.


Business process initiative. Frameworks and methodologies, like COBIT and now Information Technology Infrastructure Library version 3, are fundamental approaches for IT governance. But successful IT governance is ultimately about process. IT governance processes must first be identified and designed. Companies need to recognize that three to four times that amount of time will need to be spent implementing the processes, which involves a change initiative requiring significant communications and training. From there, you have to manage the process: identify and assign roles; drive the process management lifecycle; ensure process execution; monitor and measure results; and respond to the data.


Few organizations are adept at process management discipline. Often, this stage is best supported with the help of a consulting services firm to create the processes and process governance best suited for your organization, along with the tools and training to best implement it.


Infrastructure for fact-based information. Ultimately, supporting all of this is the technology providing you with valid, timely data, or “one version of the truth.” The key is the appropriate integration of single-source data and specific knowledge of which decisions the data pertains to. Project and portfolio management software, network monitoring tools and configuration management databases are examples of the systems required to better enable you to make decisions based on facts.


IT governance is both the holy grail and wholly possible, but it’s not something that can be implemented overnight or with one “magic bullet” solution. Instead, it takes a structured and targeted approach that when followed correctly can lead to measurable benefits. Studies show that companies with effective IT governance in place achieve an additional 40 percent return on their IT investment over companies that are flying blind. IT governance leads to this increased ROI by:

  • Clarifying the organization’s business strategy and ensuring that IT spend is mapped back to achieving these objectives.
  • Ensuring the right people are included in a business decision.
  • Providing an infrastructure that allows the IT department to learn from previous efforts and ensure data is chronicled to help inform future decisions.
  • Improving process, monitoring and measuring so that the necessary adjustments can be made to ensure the success of future efforts.
  • Allowing organizations to respond quickly to possible process changes or if the needs of a project suddenly change.
  • Freeing up the CIO to focus more on leveraging technology for strategic advantage rather than having to “keep the lights on.”

As the global market forces businesses to ensure better leverage of capital expenditure investments, stronger compliance and transparency, and continuing research and development to drive the organization forward, the need for organizational approaches like IT governance rises exponentially.



  1. Peter Weill and Jeanne W. Ross. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press, 2004.
  2. Laurie M. Orlov. "The Three Archetypes of IT." Forrester Research, March 22, 2006.
  3. Peter Weill and Jeanne W. Ross. "Don't Just Lead, Govern: How Top-Performing Firms Govern IT." MIT's CISR Research, March 2004.
  4. Peter Weill and Jeanne W. Ross. "IT Governance on One Page." MIT's CISR Research, November 2004.
  5. Peter Weill and Jeanne W. Ross. "IT Governance on One Page." MIT's CISR Research, November 2004.
