Chapter 9
Governance of the Information
Systems Organization
Learning Objectives
• Understand how governance structures define
how decisions are made
• Describe governance based on organization
structure, decision rights, and control
• Discuss examples and strategies for
implementation.
© 2016 John Wiley & Sons, Inc.
Intel’s Transformation
• Huge performance improvements between 2013
and 2014
• Was it due to a spending increase?
• Intel’s evolution
• 1992: Centralized IT
• 2003: Protect Era – lockdown (SOX & virus)
• 2009: Protect to Enable Era (BYOD pressure)
Intel Reached Level 3:
1. Developing programs and delivering services
2. Contributing business value
3. Transforming the firm
Previously: categorized problems as “business” or “IT”
Now: Integrated solutions are the only way
IT Governance
• Governance (in business) is all about making
decisions that
• Define expectations,
• Grant authority, or
• Ensure performance.
• Empowerment and monitoring will help align
behavior with business goals.
• Empowerment: granting the right to make decisions.
• Monitoring: evaluating performance.
IT Governance
• IT governance focuses on how decision rights can
be distributed differently to facilitate three
possible modes of decision making:
• centralized,
• decentralized, or
• hybrid
• Organizational structure plays a major role.
Four Perspectives
• Traditional – Centralized vs. decentralized
• Accountability and allocation of decision rights
• Ecosystem
• Control structures from legislation
Centralized vs. Decentralized
Organizational Structures
• Centralized – bring together all staff, hardware,
software, data, and processing into a single location.
• Decentralized – the components in the centralized
structure are scattered in different locations to
address local business needs.
• Federalism – a hybrid of centralized and
decentralized structures.
Organizational continuum
Federalism
• Most companies would like to achieve the
advantages of both centralization and
decentralization.
• Leads to federalism
• Distributes power, hardware, software, data and
personnel
• Between a central IS group and IS in business units
• A hybrid approach
• Some decisions centralized; some decentralized
Federal IT
Recent Global Survey
Percent of firms reporting that they are:
• Centralized: 70.6%
• Decentralized: 13.5%
• Federated: 12.7%
Figure 9.4 IT Accountability and Decision Rights Mismatches
(2x2 matrix: rows are Decision Rights, high or low; columns are Accountability, low or high)
• High decision rights, low accountability – Technocentric Gap
  • Danger of overspending on IT, creating an oversupply
  • IT assets may not be utilized to meet business demand
  • Business group frustration with IT group
• High decision rights, high accountability – Strategic Norm (Level 3 balance)
  • IT is viewed as competent
  • IT is viewed as strategic to business
• Low decision rights, low accountability – Support Norm (Level 1 balance)
  • Works for organizations where IT is viewed as a support function
  • Focus is on business efficiency
• Low decision rights, high accountability – Business Gap
  • Cost considerations dominate IT decisions
  • IT assets may not utilize internal competencies to meet business demand
  • IT group frustration with business group
Figure 9.5 Five major categories of IT decisions.
Category | Description | Examples of Affected IS Activities
IT Principles | How to determine IT assets that are needed | Participating in setting strategic direction
IT Architecture | How to structure IT assets | Establishing architecture and standards
IT Infrastructure Strategies | How to build IT assets | Managing Internet and network services; data; human resources; mobile computing
Business Application Needs | How to acquire, implement and maintain IT (insource or outsource) | Developing and maintaining information systems
IT Investment and Prioritization | How much to invest and where to invest in IT assets | Anticipating new technologies
Political Archetypes (Weill & Ross)
• Archetypes label the combinations of people who
either provide information or have key IT decision
rights
• Business monarchy, IT monarchy, feudal, federal, IT
duopoly, and anarchy.
• Decisions can be made at several levels in the
organization (Figure 9.6).
• Enterprise-wide, business unit, and region/group
within a business unit.
Political Archetypes
• Organizations vary widely in their archetypes
selected
• The duopoly is used by the largest portion (36%) of
organizations for IT principles decisions.
• IT monarchy is the most popular for IT architecture
(73%) and infrastructure decisions (59%).
Figure 9.6 IT governance archetypes
Emergent Governance:
Digital Ecosystems
• Challenge a “top down” approach
• Self-interested, self-organizing, autonomous sets
of technologies from different sources
• Firms find opportunities to exploit new
technologies that were not anticipated
• Good examples:
• Google Maps
• YouTube
Another Interesting Example
• Electronic Health Record
• Can connect to perhaps planned sources:
• Pharmacy
• Lab
• Insurance Company
• And can connect to unplanned sources:
• Banks – for payment
• Tax authority – for matching deductions
• Smartphone apps – for many purposes
How to Govern in this case?
• Might be difficult to impossible!
• The systems might simply emerge and evolve over
time
• No one entity can plan these systems in their
entirety
Mechanisms for Making Decisions
• Policies and Standards (60% of firms)
• Review board or committee
• Steering committee (or governance council)
• Key stakeholders
• Can be at different levels:
• Higher level (focus on CIO effectiveness)
• Lower level (focus on details of various projects)
Summary of Three Governance
Frameworks
Governance Framework | Main Concept | Possible Best Practice
Centralization–Decentralization | Decisions can be made by a central authority or by autonomous individuals or groups in an organization. | A hybrid, Federal approach
Decision Archetypes | Specifying patterns based upon allocating decision rights and accountability. | Tailor the archetype to the situation
Digital Ecosystems | Members of the ecosystem contribute their strengths, giving the whole ecosystem a complete set of capabilities. | Build flexibility and adaptability into governance.
A Fourth – Out of a Firm’s Control:
Legislation
Sarbanes-Oxley Act (SoX) (2002)
• To increase regulatory visibility and accountability of
public companies and their financial health
• All companies subject to the SEC are subject to SoX.
• CEOs and CFOs must personally certify and be
accountable for their firm’s financial records and
accounting.
• Firms must provide real-time disclosures of any events
that may affect a firm’s stock price or financial
performance.
• A 20-year jail term is the alternative.
• IT departments play a major role in ensuring the
accuracy of financial data.
IT Control and Sarbanes-Oxley
• In 2004 and 2005, IT departments began to
• Identify controls,
• Determine design effectiveness, and
• Test to validate operation of controls
IT Control and Sarbanes-Oxley
Five IT control weaknesses are repeatedly uncovered by
auditors:
• Failure to segregate duties within applications, and failure
to set up new accounts and terminate old ones in a timely
manner
• Lack of proper oversight for making application changes,
including appointing a person to make a change and
another to perform quality assurance on it
• Inadequate review of audit logs to not only ensure that
systems were running smoothly but that there also was an
audit log of the audit log
• Failure to identify abnormal transactions in a timely
manner
• Lack of understanding of key system configurations
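Two of the control weaknesses listed above can be checked mechanically: accounts of terminated staff that were not disabled in time, and application changes where the implementer also did the QA. The following is an added example, not code from the textbook; the records, names, dates and the 2-day grace period are constructed assumptions.

```python
from datetime import date, timedelta

TERMINATION_GRACE_DAYS = 2  # assumed policy: disable an account within 2 days of HR termination

# Constructed sample data (not real records): HR termination dates and directory accounts.
HR_TERMINATIONS = {"alice": date(2016, 3, 1), "bob": date(2016, 3, 10)}
ACCOUNTS = [
    {"user": "alice", "enabled": False, "disabled_on": date(2016, 3, 2)},
    {"user": "bob", "enabled": True, "disabled_on": None},    # terminated, never disabled
    {"user": "carol", "enabled": True, "disabled_on": None},  # still employed
]
# Constructed change tickets: who implemented the change and who performed QA on it.
CHANGE_TICKETS = [
    {"id": "CHG-1", "implemented_by": "carol", "qa_by": "dave"},
    {"id": "CHG-2", "implemented_by": "dave", "qa_by": "dave"},  # same person did both
]


def stale_accounts(accounts, terminations, as_of, grace_days=TERMINATION_GRACE_DAYS):
    """Users whose account was not disabled within grace_days of HR termination
    (the 'terminate old accounts in a timely manner' control)."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct["user"])
        if term is None:
            continue  # not terminated, nothing to check
        deadline = term + timedelta(days=grace_days)
        if acct["enabled"] and as_of > deadline:
            findings.append((acct["user"], "still enabled past deadline"))
        elif acct["disabled_on"] is not None and acct["disabled_on"] > deadline:
            findings.append((acct["user"], "disabled late"))
    return findings


def sod_violations(tickets):
    """Ticket ids where the implementer also did the QA, so no second person
    reviewed the change (the segregation-of-duties control)."""
    return [t["id"] for t in tickets if t["implemented_by"] == t["qa_by"]]


def run_audit(as_of_iso):
    """Run both checks as of an ISO date and return the findings."""
    as_of = date.fromisoformat(as_of_iso)
    return {"stale_accounts": stale_accounts(ACCOUNTS, HR_TERMINATIONS, as_of),
            "sod_violations": sod_violations(CHANGE_TICKETS)}


if __name__ == "__main__":
    print(run_audit("2016-03-20"))
```

In practice the inputs would come from the HR system, the directory and the change-management tool, and the findings would feed the auditor's evidence rather than a print statement.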
Frameworks for Implementing SoX
• COSO – Committee of Sponsoring Organizations of the
Treadway Commission.
• Created three control objectives for management and
auditors that focused on dealing with risks to internal
control
• Operations – maintain and improve operating
effectiveness; protect the firm’s assets
• Compliance – with relevant laws and regulations.
• Financial reporting – in accordance with GAAP
Control Components
Five essential control components were created to
make sure a company is meeting its objectives:
• Control environment (culture of the firm)
• Assessment of most critical risks to internal
controls
• Control processes that outline important
processes and guidelines
• Communication of those procedures
• Monitoring of internal controls by management
Frameworks (continued)
• COBIT (Control Objectives for Information and Related
Technology)
• IT governance framework that is consistent with COSO
controls.
• Issued in 1996 by Information Systems Audit & Control
Association (ISACA)
• A company must
• Determine the processes/risks to be managed.
• Set up control objectives and KPIs (key performance indicators)
• Develop activities to reach the KPIs
• Advantages - well-suited to organizations focused on risk
management and mitigation, and very detailed.
• Disadvantages – costly and time consuming
IS and the Implementation of SoX Compliance
• The IS department and CIO are involved with the
implementation of SoX.
• Section 404 deals with management’s assessment of internal
controls.
• Six tactics that CIOs can use in working with auditors, CFOs,
and CEOs (Fig. 9.9):
• Knowledge building (Build a knowledge base)
• Knowledge deployment (Disseminate knowledge to
management.)
• Innovation directive (Organize for implementing SoX)
• Mobilization (Persuade players and subsidiaries to cooperate)
• Standardization (Negotiate agreements, build rules)
• Subsidy (Fund the costs)
• A CIO’s ability to employ these various tactics depends upon
his/her power (relating to the SoX implementation).