What is it

Chapter 9: Governance of the IT Function
Summarized from: Lynda Applegate, Robert D. Austin, and Deborah L. Soule, Corporate Information Strategy and Management: Text and Cases, McGraw Hill, 8th Edition, 2009.
Prepared by Celeste Ng
Essentials of Enterprise Governance

Enron, an American energy company
In late 2001, shortly after claiming revenues of $111 billion and being named “America’s Most Innovative Company” for six consecutive years, Enron filed for bankruptcy.
It:
Hid the fact that most of its profits and revenues were derived from deals with special purpose entities
Avoided reporting debts and losses clearly in its financial statements
Pressured Arthur Andersen Consulting to ignore the issues
In response to this case, legislation has pushed senior managers and company boards to attend more carefully to matters of governance.
Introduction - Governance

Governance involves establishing chains of responsibility, authority and communication, as well as policies, standards, measurements and control mechanisms that:
Allow organizational members to carry out their roles and responsibilities
Serve to define expectations, allocate resources, manage risk, and verify performance
Source: https://www.enisa.europa.eu/activities/riskmanagement/current-risk/business-processintegration/files/ir_governance.gif
What is SOX?

“The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, ….” – Source: http://searchcio.techtarget.com/definition/Sarbanes-Oxley-Act
Governance system

A governance system
At corporate level, these include:
(1) a board of directors intended to oversee organizational strategies, structures and systems on behalf of the shareholders; and
(2) external auditors who should offer insights into the reliability of the company’s financial statements
To oversee the performance of the company

The need for governance system (Why?....The real problem.)

Is partially driven by what we refer to as the “agency problem”
The physical separation between the owners of a company and its managers (or agents) provides those managers the opportunities to act in ways that are advantageous to themselves but detrimental to the interests of the owners
To minimize the agency problem, certain control and monitoring systems are instituted to ensure conformance to a set of externally defined requirements
The objectives of governance

Ensure that managers and employees:
Faithfully translate strategies into operational initiatives
Protect organizational assets and use them efficiently
Comply with laws and regulations
What is it: the process of establishing lines of:
Responsibility, authority, communications, policies, standards, measurement and internal control mechanisms
That guide people in fulfilling their roles and responsibilities
The benefits of good enterprise governance
Affect a company’s share price or its cost of raising capital
A quality control mechanism for assuring better defined business processes and efficiency
Facilitate access to external resources such as debt-financing or foundation support

Example of IT Governance Standards
Direct quote from: http://en.wikipedia.org/wiki/ISO/IEC_38500

ISO/IEC 38500
An international standard for Corporate governance of information technology published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
Provide guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations
Set out six principles for good corporate governance of IT:
Responsibility;
Strategy;
Acquisition;
Performance;
Conformance;
Human behaviour.
Source: http://www.itgovernance.in/images/itgov_framework.jpg
Drivers towards better IT governance (1)

(1) The growth in IT investments due to business value of IT
In the past, IT investment was justified in terms of cost-savings (using IT for automation, cost reduction, efficiency)
But, increasingly, IT is able and expected to facilitate more rapid and widespread innovation, underpinning new products and services and reaching new customers (an example of IT innovation)
Governance practices, such as establishing procedures and criteria for evaluating, prioritizing, and monitoring the major IT investments in delivering business value, can help organizations through this transition
Drivers towards better IT governance (2)

(2) Business risk potential of IT due to the use of IT
The increasing criticality of IT to enterprise viability, and the fact that many critical business activities are thoroughly dependent on information and IS, mean that an organization’s IT capability can no longer be approached as a “black box”.
Good governance practices aim to make senior executives and the board accountable for managing the risk and ensuring that stakeholders receive maximum value from IT
Drivers towards better IT governance (3)

(3) IT as an enabler of corporate governance and compliance
Organizations today are subject to an increasing number of regulations governing data retention, information protection, financial accountability, financial risk management, recovery from disasters and disclosure of business information
Two triggers:
Prevent further terrorism – requires organizations to maintain robust records of financial and communications transactions
Sarbanes-Oxley Act of 2002 (Enron), intended to increase internal financial controls in public organizations
Although IT governance is not a formal requirement specified by the legislation, its effective practice can improve internal controls and accessibility to data that many of these laws demand.
Research findings



Companies with more mature IT governance practices are less likely to have customer data stolen or lost, and often face significantly lower financial losses accruing from loss or theft of customer data
As IT governance capabilities mature, organizations end up spending relatively less on regulatory compliance efforts; and their governance, risk management, and compliance capabilities improve
The scope of IT governance is broad and varies among countries
United States – driven by compliance
Europe (UK) – besides compliance, greater emphasis on value and performance
Good practices (1)

Broad-based direct senior involvement is associated with stronger IT governance performance
Clear ownership but broad participation
IT governance requires an owner with the necessary authority and accountability (Ze2); and
Designates an individual to be accountable for the design, implementation, and performance of IT governance
Good practices (2)
Enforce execution but accommodate exception
Define benefits and target expectations
Evaluate IT governance efforts in terms of how well they enable IT to deliver on four objectives:
Cost effectiveness
Asset utilization
Business growth
Business flexibility
