8

GOVERNANCE OF THE INFORMATION SYSTEMS ORGANIZATION

Governance structures define the way decisions are made in an organization. This chapter explores three models of governance based on organization structure (centralized, decentralized and federal), decision rights, and control (i.e., COSO, COBIT, ITIL). Examples and strategies for implementation are discussed.

In April 2011, Sony was hit by one of the biggest data breaches in history when an attack on its PlayStation Network service compromised the personal information of potentially 100 million users. Sony took the online platform, which lets people play games with others and access multimedia content, offline for weeks. To woo back its customers it offered them a “welcome back package,” which included free games and movies, as well as a $1 million identity theft insurance policy per customer in the event that their personal information was used for illegal purposes. The estimated cost of the breach is 104 million British pounds, not counting reputational damage. A U.S. Congressional Committee, the U.K. Minister of Culture, and the city of Taipei were among those demanding more information about the breach.

Sony appears to have placed little value on its security prior to the breach. Just two weeks before the breach it had laid off 205 employees, a substantial percentage of the unit responsible for network security. That has all changed now. In September 2011, Sony posted its new security policy and standards on its Web site and appointed a former official at the U.S. Department of Homeland Security, Philip Reitinger, as its first Chief Information Security Officer. “Certainly the network issue was a catalyst for the appointment,” a Sony spokesman said. “We are looking to bolster our network security even further.”1

Mr. Reitinger reports to the Sony Executive President and General Counsel, who is also a Corporate Executive. He is responsible for assuring the security of Sony's information assets and services, overseeing corporate information security, privacy and Internet safety, and coordinating closely with key headquarters groups on security issues.2

When Sony belatedly learned the full importance of security, it recognized that it would need to place the decision rights for security decisions in the hands of a capable individual who had the ear of executives at the top level of the corporation. In place now is a governance structure to help Sony's security professionals, its IS organization, and the business units work toward achieving corporate goals, which now include information security.

Although each IS organization is unique in many ways, all have elements in common. The focus of this chapter is to introduce managers to issues related to the way decisions about IT are made in the organization. These issues should reflect the typical activities of an IS organization that were discussed in the previous chapter (Chapter 7). This chapter examines governance of the IS organization as it relates to decisions about IT issues.

IT GOVERNANCE

Expectations (or more specifically, what managers should and should not expect from the IS organization) are at the heart of IT governance. Governance in the context of business enterprises is all about making decisions that define expectations, grant authority, or ensure performance. In other words, governance is about aligning behavior with business goals through empowerment and monitoring. Empowerment comes from granting the right to make decisions, and monitoring comes from evaluating performance. As noted in Chapter 3, a decision right is an important organizational design variable since it indicates who in the organization has the responsibility to initiate, supply information for, approve, implement, and control various types of decisions. A traditional perspective of IT governance focuses on how decision rights can be distributed differently to facilitate centralized, decentralized, or hybrid modes of decision making. In this view of governance, the organization structure plays a major role.

Centralized versus Decentralized Organizational Structures

Organizational structures for IS evolved in a cyclic manner. At one end of the spectrum, centralized IS organizations bring together all staff, hardware, software, data, and processing into a single location. Decentralized IS organizations scatter these components in different locations to address local business needs. Companies' organizational strategies exist along a continuum from centralization to decentralization, with a combination of the two, called federalism, found in the middle (see Figure 8.1). Enterprises of all shapes and sizes can be found at any point along the continuum. Over time, however, each enterprise may gravitate toward one end of the continuum or the other, and often reorganization is in reality a change from one end to the other.

Geographic Lens: Looking at Governance Globally

IT governance is an important issue to business around the globe. A large study of 834 IT and business managers in 21 countries revealed that governance of enterprise IT (GEIT) is a priority with 95% of the enterprises participating in the survey. Two-thirds of respondent enterprises have some GEIT. They indicated that the main driver for GEIT activities is to ensure that IT functionality aligns with business needs, and the most commonly experienced outcomes are improvements in management of IT-related risk and communication and relationships between business and IT. The study concluded that good governance can increase the transparency of IT supply and demand and help in assigning priorities for IT projects and services.

Source: IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 7, http://www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf (accessed on February 27, 2011).

To illustrate these tendencies, consider the different approaches taken to organize IS in the five eras of information usage (see Chapter 2, Figure 2.1). In the 1960s, mainframes dictated a centralized approach to IS because the mainframe resided in one physical location. Centralized decision making, purchasing, maintenance, and staff kept these early computing behemoths running. The 1970s remained centralized due in part to the constraints of mainframe computing, although the minicomputer began to create a rationale to decentralize. The 1980s saw the advent of the personal computer (PC). PCs allowed computing power to spread beyond the raised-floor, super-cooled rooms of mainframes. This phenomenon gave rise to decentralization, a trend that exploded with the advent of LANs and client/server technology. Users especially liked the shift to decentralization because it put them more in control and increased their agility. However, the pressures for secure networks and massive corporate databases shifted some organizations back to a more centralized approach. Yet the increasingly global nature of many businesses makes complete centralization impossible. A recent global survey found that 70.6% of the participating organizations are centralized in terms of IT, 13.5% are decentralized, and 12.7% are federated.5 While the high percentage of centralized companies in the sample may seem surprising, the study suggested that with the increasing appreciation for governance found in companies with higher levels of governance maturity comes the need for control that is made possible in the centralized structure. What are the most important considerations in deciding how much to centralize or decentralize? Figure 8.2 shows some advantages and disadvantages of each approach.


FIGURE 8.1 Organizational continuum.


FIGURE 8.2 Advantages and disadvantages of organizational approaches.

Consider two competing parcel delivery companies, UPS and FedEx, in the year that they both reported spending about $1 billion on IT. UPS's IT strategy focused on delivering efficiencies to meet the business demands of consistency and reliability. UPS's centralized, standardized IT environment supported dependable customer service at a relatively low price. In contrast, FedEx chose a decentralized IT strategy that allowed it to focus on flexibility in meeting business demands generated from targeting various customer segments. The higher costs of the decentralized approach to IT management were offset by the benefits of localized innovation and customer responsiveness.6

In earlier chapters, two companies that have adopted different centralization/decentralization IS strategies are discussed. Zara used a centralized approach. The head of IS, who was not a CIO, reported directly to the deputy general manager, who was two levels below the CEO.7

This way of structuring the IS department was consistent with the organization's predominately centralized structure. It was also well suited to organizational processing where most administrative decisions were made at the headquarters in La Coruña, Spain. The users did not require a lot of hand-holding with regard to the POS systems in the stores. For these reasons, a centralized approach was a good fit for Zara. The store managers, however, did retain decision rights about which products to order. Thus, Zara was not totally at the end of the centralization continuum. Verifone, which we discussed in Chapter 4, needs a decentralized structure for its globally distributed employees.

The centralized and decentralized approaches amalgamated in the 1990s. Companies began to adopt a strategy based on lessons learned from earlier years of centralization and decentralization. Most companies want to achieve the advantages derived from both organizational paradigms. This desire leads to federalism.8 Federalism is a structuring approach that distributes power, hardware, software, data, and personnel between a central IS group and IS in business units. Many companies adopt a form of federal IT, yet still count themselves as either decentralized or centralized, depending on their position on the continuum. Organizations, such as Home Depot and the U.S. Department of Veteran Affairs, recognize the advantages of a more hybrid approach and actively seek to benefit from adopting a federal structure. Figure 8.3 shows how these approaches interrelate.

Another Perspective on IT Governance

Sometimes the centralized/decentralized/federal approaches to governance are not fine-tuned enough to help managers deal with the many contingencies facing today's organizations. This issue is addressed by a framework developed by Peter Weill and Jeanne Ross. They define IT governance as “specifying the decision rights and accountability framework to encourage desirable behavior in using IT.”9 IT governance is not about what decisions are actually made but rather about who is making the decisions (i.e., who holds the decision rights) and how the decision makers are held accountable for them.


FIGURE 8.3 Federal IT.

Source: S. L. Hodgkinson, “The Role of the Corporate IT Function in the Federal IT Organization,” in Information Management: The Organizational Dimension, Michael J. Earl (ed.) (New York: Oxford University Press, 1996), Figure 12.1. By permission of Oxford University Press, Inc.

It is important to match the manager's decision rights with his or her accountability for a decision. Figure 8.4 indicates what happens when there is a mismatch. Where the CIO has a high level of decision rights and accountability, the firm is likely to be at maturity Level 3 (which was introduced in Chapter 7). Where both the decision rights and accountability are low, the company is likely to be at Level 1. Mismatches result in either an oversupply of IT resources or the inability of IT to meet business demand.

Good IT governance provides a structure to make good decisions. It can also limit the negative impact of organizational politics in IT-related decisions. IT governance has two major components: (1) the assignment of decision-making authority and responsibility, and (2) the decision-making mechanisms (e.g., steering committees, review boards, policies). When it comes specifically to IT governance, Weill and his colleagues proposed five generally applicable categories of IT decisions: IT principles, IT architecture, IT infrastructure strategies, business application needs, and IT investment and prioritization. A description of these decision categories with an example of major IS activities affected by them is provided in Figure 8.5.


FIGURE 8.4 IS Decision rights-accountability gap.

Source: Adapted from V. Grover, R. M. Henry, and J. B. Thatcher, “Fix IT-Business Relationships through Better Decision Rights,” Communications of the ACM (December 2007), 50(12), 82, Figure 1.

Weill and Ross's study of 256 enterprises shows that a defining trait of high-performing companies is the use of proper decision right allocation patterns for each of the five major categories of IT decisions. They use six political archetypes (business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy) to label the combinations of people who either input information or have decision rights for the key IT decisions. An archetype is a pattern of decision rights allocation. Decisions can be made at several levels in the organization: enterprise-wide, by business unit, and by region or group within a business unit. Figure 8.6 summarizes the level and function for the allocation of decision rights in each archetype.

For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and to assign responsibility for them. Although there is little variation in the selection of archetypes regarding who provides information for decision making, there is significant variation across organizations in terms of archetypes selected for decision right allocation. For instance, the duopoly is used by the largest portion (36%) of organizations for IT principles decisions, whereas the IT monarchy is the most popular for IT architecture and infrastructure decisions (i.e., 73% and 59%, respectively).10


FIGURE 8.5 Five major categories of IT decisions.

Source: Adapted from P. Weill, “Don't Just Lead, Govern: How Top-Performing Firms Govern IT,” MIS Quarterly Executive (2004), 3(1), 4, Figure 2.

There is no one best arrangement for the allocation of decision rights. Rather, the most appropriate arrangement depends on a number of factors, including the type of performance indicator. Some common performance indicators are asset utilization, profit, or growth.


FIGURE 8.6 IT governance archetypes.

Source: P. Weill, “Don't Just Lead, Govern: How Top-Performing Firms Govern IT,” MIS Quarterly Executive (2004), 3(1), 5, Figure 3.

IT GOVERNANCE AND SECURITY

The framework for decision rights allocation can be used to understand governance of a variety of organizational decisions. For example, it offers IT security professionals a new perspective for assigning responsibility for key information security decisions. We use it to illustrate appropriate roles of business managers and IT managers in making a company's security decisions. Below we apply the framework to five critical decisions about information security that are frequently discussed in the security literature. A governance pattern that is appropriate for each decision is discussed next and displayed in Figure 8.7.11

  1. Information Security Strategy. A company's information security strategy is based on such IT principles as protecting the confidentiality of customer information, strict compliance with regulations, and maintaining a security baseline that is above the industry benchmark. Security strategy is not a technical decision. Rather, it should reflect the company's mission, overall strategy, business model, and business environment. Deciding on the security strategy requires decision makers who are knowledgeable about the company's strategy and management systems. Thus, a business monarchy is a good match for such situations in which the top business executives, including the CIO or CISO, set the tone for the company's security. The IS organization likely needs to provide the required technical input for supporting the decision.


    FIGURE 8.7 Matching information security decisions and archetypes.

    Sources: Adapted from Andy Wu, “What Color Is Your Archetype? Governance Patterns for Information Security,” Ph.D. Dissertation, University of Central Florida (2007); and Wu, Y. and Saunders, C., “Governing Information Security: Governance Domains and Decision Rights Allocation Patterns,” Information Resources Management Journal (January–March 2011), 24(1), 28–45.

  2. Information Security Policies. Security policies encourage standardization and integration. Following best practices, they broadly define the scope of and overall expectations for the company's information security program. From these security policies, lower-level policies are developed to control specific security areas (e.g., Internet use, access control) and/or individual applications (e.g., payroll systems, telecom systems). Policies must reflect the delicate balance between the enhanced information security gained from following them and the productivity losses and user inconvenience they impose. As security attacks become more sophisticated, obeying security measures to deflect those attacks places greater cognitive demands on users. For example, users may need a different password for every account, and these passwords must often be longer and less easy to remember because they must contain special characters. User productivity is often sacrificed when users have to come up with new passwords every month or when they have to scan e-mails to spot phishing attempts each day. (Current guidance such as NIST SP 800-63B in fact recommends against forced periodic password changes absent evidence of compromise, precisely because of this usability cost.) Not surprisingly, both IT and business perspectives are important in setting policies. Business users must be able to say what they want from the information security program and how they expect the security function to support their business activities. On the other hand, IT leaders should be consulted for two reasons: (1) their judgment prevents unrealistic goals for standardization and integration, and (2) policy decisions require the ability to analyze the technical and security implications of user behaviors and business processes. If either users or IT leaders are not consulted, unenforceable policies will probably result. Thus, for security policy decisions (the security counterpart of the IT architecture decision category), the IT duopoly is a good fit.
  3. Information Security Infrastructure. The information security infrastructure provides protection by aligning security mechanisms to the IS architecture specifications. Firewalls, intrusion detection systems (IDSs), and encryption devices are the most popular examples of information security infrastructure, but other security and control tools are listed in Figure 12.3. Infrastructure decisions deal with technology selection and configuration. Common objectives are to achieve consistency in protection, economies of scale, and synergy among the components. Top executives typically lack the experience or expertise to make these decisions. For these reasons, corporate IT typically is responsible for managing the dedicated security mechanisms and general IT infrastructure, such as enterprise network devices. Thus, a fitting governance for these decisions is the IT monarchy, where corporate IT takes the lead and makes sure that the technology components in the infrastructure are correctly specified and configured.
  4. Information Security Education/Training/Awareness. It is very important to make business users aware of security policies and practices. Training and awareness programs build a security-conscious culture. To promote effectiveness and post-training retention, training and awareness programs must be linked to the unique requirements of individual business processes. Business user participation in planning and implementing training and awareness programs helps gain acceptance of security initiatives. However, IT security personnel are in the best position to know critical issues. Thus, an IT duopoly is effective for combining the business and technical perspectives.
  5. Information Security Investments. The “FUD factor” (fear, uncertainty, and doubt) used to be all that was needed to get top management to invest in information security. As information security becomes a routine concern in daily operations, security managers increasingly must justify their budget requests financially. But, it is hard to show how important security is until there has been a breach—and even then it is hard to put a dollar amount on the value of security. As when determining business needs, different units within the company may have rival or conflicting “wish lists” for information security-related purchases that benefit their unique needs. The IS organization also should have a significant say in these decisions, as it is in the best position to assess whether and how the investments may fit with the company's current IT infrastructure and application portfolio. Thus, an appropriate governance pattern for investment and prioritization decisions is IT duopoly. The most typical governance mechanism for this archetype is executive committees/councils composed of business and IT executives, such as the IT steering committee and budget committee, with the CIO having overlapping memberships in both. These committees are where IT and business leaders make business cases for their proposed investments and debate the merit and priorities of the investments. These decisions about the appropriate level of investment are made with the company's best interest in mind.

The critical decision-archetype matches described are by no means etched in stone. Organizational and environmental factors may suggest other governance patterns. For instance, it is easy to imagine that business monarchy governs security investments decisions if a company emphasizes stringent budget review and control from a pure business/financial perspective. In enterprises with many relatively independent business units, a federal archetype that involves the corporate center, business unit leaders, and IT leaders may be the proper archetype for business requirement decisions.

The archetypes clearly define the responsibilities of the major players in the company—business executives, business unit leaders, corporate IT, business unit IT, and so forth. By matching appropriate archetypes to the key security decisions, the board of directors in effect puts the decisions in the hands of those who are in the most appropriate positions for making quality decisions. In addition, decision makers are truly empowered when they hold the authority to make decisions that (1) are suitable for their positions, (2) make the best use of their expertise and knowledge, and (3) cater to the needs and specialization of the organization units to which they belong. Good matches of archetypes with key security decisions help avoid some of the symptoms of poor decision making, such as the decision rights-accountability mismatches shown in Figure 8.4.

Social Business Lens: The Consumerization of Technology

Consumerization of technology is a term used to describe the increasingly powerful tools available in the consumer space that are impacting the corporate space. One arena where the impact is particularly significant is in mobility, as described in Chapter 6. More broadly, however, the increasing use of smart phones, tablets, and smaller/more powerful laptops, coupled with Web-based applications that offer everything from free business productivity tools such as Google Docs to sharing applications like YouTube and SlideShare, to social tools such as Twitter and LinkedIn, has created a new IT environment. Consumerization covers cloud services, desktop applications, social networking, devices, and the management policies surrounding them. It's changing the business of IT, too. Sometimes referred to as “BYOD” or “Bring Your Own Device,” the consumerization of IT has forced IT leaders to reevaluate how IT services are offered. Traditional IT organizations operated with a command and control mentality—IT leaders made decisions about which technologies would be used. Standardized desktops were the vehicle to cost control and security. But the consumerization of technology trend has changed the management approach from “How do we stop it?” to “How do we work with this?”

The U.S. Army is one example of an organization embracing this approach. In order to support global communications and provide all soldiers with the information tools they need, the U.S. Army launched a project called “Connecting Soldiers to Digital Apps” aimed at ensuring every soldier has a smartphone loaded with applications for military purposes.

High schools are experimenting, too. One high school in Austin, Texas issued iPads to every eleventh- and twelfth-grade student, supported by an apps store modeled after the Apple apps store, loaded with applications students need to do their classwork and homework. A help desk, fashioned after the Apple Genius Bar, is available physically during school hours and virtually after hours should tech support be needed (but in reality the students just support each other over social tools). Teachers are rewarded for creating and using teaching tools that take advantage of this technology, and the school rebuilt its networks to support the storage and transfer of files for the 2,000 students issued the iPads. The vision is for all of the high school students to have iPads or similar tablets as a standard component of their high school experience.

Source: Ellen Messmer, “U.S. Army wants soldiers to have advanced smartphones, wireless technology,” Infoworld (July 8, 2011), http://www.infoworld.com/d/mobile-technology/us-army-wants-soldiers-have-advanced-smartphones-wireless-technology-282 (accessed on January 19, 2012).

DECISION-MAKING MECHANISMS

Many different types of mechanisms can be created to ensure good IT governance. Policies are useful for defining the process of making a decision under certain situations. However, the environment is often so complex that policies are too rigid. Even so, in a recent worldwide study of IT governance almost 60% of the respondents relied on policies and standards for governance, making them the most popular mechanism for governance.12 A review board, or committee that is formally designated to approve, monitor, and review a specific topic, can be an effective governance mechanism. For example, Twila Day, CIO of Sysco, established an architecture review board to look at new technologies and processes.13

A third mechanism that is used very frequently for IT decisions is the IT steering committee, an advisory committee of key stakeholders or experts that provides guidance on important IT issues. Steering committees work especially well with the federal archetype, which calls for joint participation of IT and business leaders in the decision-making process. Steering committees can be geared toward different levels of decision making. At the highest level, the steering committee, also called an IT Governance Council, might report to the board of directors or the CEO. The steering committee at this level is composed of top-level executives and the CIO. It provides strategic direction and funding authority for major IT projects. It ensures that adequate resources are allocated to the IS organization for achieving strategic goals. Committees with lower-level players typically are involved with allocating scarce resources effectively and efficiently. Lower-level steering committees provide a forum for business leaders to present their IT needs and to offer input and direction about the support they receive from IT operations. Either level may have working groups to help the steering committee be effective. Further, either level is concerned with measuring the performance of the IS organization, although the assessment of performance is more detailed for the lower-level committee. For example, the lower-level committee would focus on the progress of the various projects and adherence to the budget. The higher-level committee would focus on the performance of the CIO and the ability of the IS organization to contribute to the company's achievement of its strategic goals.

Although an organization may have both levels of steering committees, it is more likely to have one or the other. If the IS organization is viewed as being critical for the organization to achieve its strategic goals, the C-level executives are likely to be on the committee. Otherwise, the steering committee tends to be larger to have widespread representation from the various business units. In this case, the steering committee is an excellent mechanism for helping the business units realize the competing benefits of proposed IT projects and develop an approach for allocating among the project requests.

For example, when the Hilton Worldwide CIO started working on a project to create a new loyalty program, he and the business sponsor of the project convened a lower-level steering committee made up of people from IT, marketing, HR, finance, and other departments. They discussed change management and business issues that arose as they designed the system to be used in 85 countries across the ten brands in the Hilton portfolio. The project went very smoothly. But an earlier project, one to outsource the hotel help desk, didn't go as well. The CIO learned from that experience that there is no such thing as too much communication, and created weekly steering committee meetings for each project. He is quoted as saying, “E-mail is great for scheduling meetings, but it's the steering committees where we are working through really difficult issues together, and making promises and keeping promises, where the foundations of trust are established.”14

Business Process Continuity

One of the most important goals of security is business continuity. The Japanese earthquake and tsunami in 2011, Hurricane Katrina in 2005, and the events of September 11, 2001 presented disaster impacts that few organizations ever face. Disaster is broadly defined here as a sudden, unplanned calamitous event that makes it difficult for the firm to provide critical business functions for some period of time and results in great damage or loss. To counter terrorist attacks, hurricanes, tornadoes, floods, or countless other disasters, firms are realizing more than ever the importance of business continuity planning (BCP) to help them survive such disasters.

A business continuity plan (BCP) is an approved set of preparations and sufficient procedures for responding to a variety of disaster events. It requires careful and thoughtful preparation. The Disaster Recovery Institute International (DRII) defines three major stages of BCP: preplanning, planning, and postplanning. In the preplanning stage, management's responsibility is defined, possible risks are evaluated, and a business impact analysis is performed.

In the planning stage, alternative business recovery operating strategies are determined. Business recovery operating strategies deal with how to recover business and IT within the recovery time objective while still maintaining the company's critical functions. The IT organization must be involved in preparing off-site storage and alternate recovery sites or in selecting business continuity vendors. An important part of the BCP planning stage is to develop emergency response procedures designed to prevent or limit injury to personnel on site, damage to structures and equipment, and the degradation of vital business functions. These procedures must be kept up-to-date. The final activity in the planning stage is to implement the plan by publishing it and gaining top-management approval for the plan.

The postplanning stage of BCP familiarizes employees with the plan through awareness and training programs. Regular exercises to test and evaluate the plan should be conducted. Companies are increasingly using virtual worlds to conduct simulations, often under the aegis of the IT organization. With the simulations, the companies can quickly assess the plan, make any adjustments needed, and perform a second simulation with almost no additional cost. Also in this third stage, the BCP should be discussed with public authorities, and public relations and crisis communications should be mapped out.

BCP is designed to respond to threats. In preparing a BCP, it is important to remember that the biggest threat may come not from terrorist attacks or natural disasters, but from disgruntled or dishonest employees. Companies need to screen their employees carefully, create a culture of loyalty to inhibit the internal threats, and develop systems that help promote security. The tremendous loss of human capital in the collapse of the World Trade Center in New York City on 9/11 highlighted the problem of keeping all of a company's talent in one location. Decentralizing operations, flextime, and telecommuting are ways of dispersing a company's human assets. Similarly, critical technology systems, proprietary computer codes, and other core business assets may need to be distributed.

Because information resources are so integral to business operations, the IS organization is typically in charge of planning for possible scenarios leading to business discontinuity and taking steps to avoid them or alleviate their impact. Clearly firms do not have enough resources to develop a response for every conceivable risky scenario. Thus, each firm needs to determine which detrimental scenarios are likely to occur and/or which are more likely to have the greatest impact. These are the risky scenarios that the firm has to devote the most attention to avoiding or mitigating.

Source: “Business Continuity Planning Review,” DRI International Professional Development Program DRP 501.

GOVERNANCE FRAMEWORKS FOR CONTROL DECISIONS

The framework described above focuses on which department is responsible for decisions. More recently governance frameworks have been employed specifically to define responsibility for control decisions. They are being implemented to help ward off future accounting fiascos. These frameworks focus on processes and risks associated with them.

Sarbanes–Oxley Act of 2002

In response to rogue accounting activity by major global corporations such as Enron and Worldcom, and by their accounting firms, such as Arthur Andersen, the Sarbanes–Oxley Act (SoX) was enacted in the United States in 2002 to increase regulatory visibility and accountability of public companies and their financial health. The U.S. federal government wanted to assure the investing public that financial markets could be relied on to deliver valid performance data and accurate stock valuation. All corporations that fall under the jurisdiction of the U.S. Securities and Exchange Commission are subject to SoX requirements. This includes not only U.S. and foreign companies that are traded on U.S. exchanges, but also those that make up a significant part of a U.S. company's financial reporting. All told, 15,000 U.S. companies, 1,200 non-U.S.-based companies and over 1,400 accounting firms in 76 countries have been affected by SoX.15

According to SoX, CFOs and CEOs must personally certify and be accountable for their firms' financial records and accounting (Section 302), auditors must certify the underlying controls and processes that are used to compile the financial results of a company (Section 404), and companies must provide real-time disclosures of any events that may affect a firm's stock price or financial performance within a 48-hour period (Section 409). Penalties for failing to comply range from fines to a 20-year jail term.

Although SoX was not originally aimed at IT departments, it soon became clear that IT played a major role in ensuring the accuracy of financial data. Consequently, in 2004 and 2005, there was a flurry of activity as IT managers identified controls, determined design effectiveness, and validated the operation of controls through testing. Five IT control weaknesses were repeatedly uncovered by auditors:16

  1. Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner.
  2. Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it.
  3. Inadequate review of audit logs to ensure that not only were systems running smoothly but also that there was an audit log of the audit log.
  4. Failure to identify abnormal transactions in a timely manner.
  5. Lack of understanding of key system configurations.
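
Weaknesses 1 and 4 in the list above are the ones most readily turned into an automated control, and auditors typically expect evidence that such a check runs on a schedule. The script below is an added illustration, not code from the textbook or from the cited CIO article: it reconciles a constructed HR roster against a constructed application account list to flag accounts left enabled after termination (and accounts with no HR record at all), and it checks each account's roles against a hypothetical list of "toxic" role pairs that violate segregation of duties. Role names, the seven-day grace period, and all sample users are assumptions.

```python
"""Automated checks for two SoX IT control weaknesses:
untimely account termination and missing segregation of duties.

Added illustrative code. The roster, account list and conflict rules
below are constructed sample data, not drawn from any real system.
"""
from datetime import date

# Constructed HR roster: user id -> employment status and termination date.
HR_ROSTER = {
    "alice": {"status": "active", "termination_date": None},
    "bob":   {"status": "terminated", "termination_date": date(2012, 1, 3)},
    "carol": {"status": "terminated", "termination_date": date(2012, 1, 20)},
    "dave":  {"status": "active", "termination_date": None},
}

# Constructed export of application accounts and the roles each holds.
APP_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "roles": {"ap_invoice_entry"}},
    {"user": "bob",   "enabled": True,  "roles": {"ap_invoice_entry"}},   # still enabled after termination
    {"user": "carol", "enabled": False, "roles": set()},                   # correctly disabled
    {"user": "dave",  "enabled": True,
     "roles": {"ap_invoice_entry", "ap_payment_approval"}},               # SoD conflict
    {"user": "erin",  "enabled": True,  "roles": {"gl_posting"}},         # orphan: no HR record
]

# Hypothetical segregation-of-duties rules: one person must not hold both roles.
SOD_CONFLICTS = [
    ("ap_invoice_entry", "ap_payment_approval"),
    ("vendor_master_maintenance", "ap_payment_approval"),
]


def stale_accounts(roster, accounts, as_of, grace_days=7):
    """Return (user, reason) pairs for enabled accounts that should not be.

    An account is flagged when HR shows the person terminated more than
    grace_days before as_of, or when HR has no record of the person at all.
    Disabled accounts are ignored: the control is about *enabled* access.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        rec = roster.get(acct["user"])
        if rec is None:
            findings.append((acct["user"], "no HR record for enabled account"))
            continue
        if rec["status"] == "terminated":
            overdue = (as_of - rec["termination_date"]).days
            if overdue > grace_days:
                findings.append((acct["user"], f"enabled {overdue} days after termination"))
    return findings


def sod_violations(accounts, conflicts):
    """Return (user, role_a, role_b) for every account holding a conflicting role pair."""
    out = []
    for acct in accounts:
        for role_a, role_b in conflicts:
            if role_a in acct["roles"] and role_b in acct["roles"]:
                out.append((acct["user"], role_a, role_b))
    return out


def run_checks(as_of):
    """Bundle both controls into one report dict, suitable for an audit-evidence log."""
    return {
        "stale_accounts": stale_accounts(HR_ROSTER, APP_ACCOUNTS, as_of),
        "sod_violations": sod_violations(APP_ACCOUNTS, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    report = run_checks(date(2012, 2, 1))
    for name, items in report.items():
        print(name)
        for item in items:
            print("   ", item)
```

In a real deployment the roster and account export would come from the HR system and the application's user table, the rules would be maintained by the process owner, and the report itself would be retained as evidence that the control operated; the point of the example is that each weakness becomes a concrete, repeatable comparison rather than a one-time manual review.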

Although SoX's focus is on financial controls, many auditors encouraged (forced) IT managers to extend their focus to organizational controls and risks in business processes. This means that IT managers must assess the level of controls needed to mitigate potential risks in organizational business processes. As companies move beyond SoX certification into compliance, IT managers must be involved in ongoing and consistent risk identification, actively recognize and monitor changes to the IS organization and environment that may affect SoX compliance, and continuously improve IS process maturity. It is likely that they will turn to software to automate many of the needed controls.

Frameworks for Implementing SoX

COSO

The recent Enron and Worldcom major financial scandals were not the first. In the wake of financial scandals in the mid 1980s, the Treadway Commission (or National Commission on Fraudulent Financial Reporting) was created. Its head, James Treadway, had previously served as commissioner of the SEC. The members of the Treadway Commission came from five highly esteemed accounting organizations: Financial Executives International (FEI), American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA). These organizations became known as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Together they created three control objectives for management and auditors that focused on dealing with risks to internal control. These control objectives deal with:

  • Operations—to help the company maintain and improve its operating effectiveness and protect the assets of shareholders.
  • Compliance—to ensure that the company is in compliance with relevant laws and regulations.
  • Financial reporting—to ensure that the company's financial statements are produced in accordance with Generally Accepted Accounting Principles (GAAP). SoX is focused on this control objective.

To make sure a company is meeting its control objectives, COSO established five essential control components for managers and auditors. These control components are (1) control environment, which addresses the overall culture of the company; (2) risk assessment of the most critical risks to internal controls; (3) control processes that outline important processes and guidelines; (4) information and communication of the procedures; and (5) monitoring by management of the internal controls. The Sarbanes–Oxley Act requires public companies to define their control framework, and it specifically recommends COSO as the business framework for general accounting controls. It is not IT specific.

COBIT

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework that is consistent with COSO controls. It is a governance tool that focuses on making sure that IT provides the systematic rigor needed for the strong internal controls and Sarbanes–Oxley compliance. It provides a framework for linking IT processes, IT resources, and IT information to a company's strategies and objectives. As a governance framework, it provides guidelines about who in the organization should be making decisions about the IT processes, resources, and information.

The Information Systems Audit & Control Association (ISACA) issued COBIT in 1996. COBIT consists of several overlapping sets of guidance with multiple components, which almost form a cascade of process goals, metrics, and practices. At the highest level, key areas of risk are defined in four major domains (planning and organization, acquisition and implementation, delivery and support, and monitoring). When implementing a COBIT framework, the company determines the processes that are the most susceptible to the risks that it judiciously chooses to manage. There are far too many risks for a company to try to manage all of them.

Once the company identifies processes that it is going to manage, it sets up a control objective and then more specific key goal indicators. As with any control system, metrics need to be established to ensure that the goals are being met. These specific metrics are called key performance indicators. Then, activities to achieve the key goal indicators are selected. These activities, or critical success factors, are the steps that need to be followed to successfully provide controls for a selected process. When a company wants to compare itself with other organizations, it uses a well-defined maturity model. The components of COBIT and examples of each component are provided in Figure 8.8.


FIGURE 8.8 Components of COBIT and their examples.

Source: Adapted from Hugh Taylor, The Joy of SoX (Indianapolis, IN: Wiley Publishing Inc., 2006).

One advantage of COBIT is that it is well suited to organizations focused on risk management and mitigation. Another advantage is that it is very detailed. Unfortunately, this high level of detail can also be a disadvantage, in that it makes COBIT very costly and time consuming to implement. Yet, despite the costs, companies are starting to realize benefits from implementing COBIT. As a governance framework, it designates clear ownership and responsibility for key organizational processes in a way that is understood by all organizational stakeholders. Consistent with the Information Systems Strategy Triangle discussed in Chapter 1, COBIT provides a formal framework for aligning IS strategy with the business strategy. It does so by recognizing who is responsible for important control decisions using a governance framework and focusing on risks of internal control and associated processes. Finally, it makes possible the fulfillment of the COSO requirements for the IT control environment that is encouraged by the Sarbanes–Oxley Act.

Other Control Frameworks

Although COBIT is the most common set of IT control guidelines for SoX, it is by no means the only control framework. Others include those provided by the International Standards Organization (ISO), as well as Information Technology Infrastructure Library (ITIL). ITIL is a set of concepts and techniques for managing information technology infrastructure, development, and operations that was developed in the United Kingdom. ITIL offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management, and application management. ITIL is a widely recognized framework for IT service management and operations management that has been adopted around the globe.

IS and the Implementation of Sarbanes–Oxley Act Compliance

Because of the level of detail required, the IS department and the CIO are heavily involved in implementing SoX, most notably Section 404, which deals with management's assessment of internal controls. Although the IS department typically plays a major role in SoX compliance, it often is without any formal authority. Thus, the CIO needs to tread carefully when working with auditors, the CFO, the CEO, and business leaders. Braganza and Franken provide six tactics that CIOs can use to work effectively in these relationships.17 These tactics are knowledge building, knowledge deployment, innovation directive, mobilization, standardization, and subsidy. A definition of each tactic, along with examples of activities to enact it, is provided in Figure 8.9.

The extent to which a CIO can use these various tactics depends on the power that he or she holds relating to the SoX implementation. Those few CIOs who are given carte blanche by their CEOs to implement SoX compliance can employ more directive activities. That is, they can use the subsidy, standardization, and innovation directive tactics. For example, they can establish standards and enforce compliance with them. They can create an overarching corporate compliance architecture and mandate compliance with various controls. They can direct the SoX implementation from the top down and put Section 404 implementation drivers in place. If, on the other hand, the CEO does not vest the CIO with the considerable power needed to employ such tactics, the CIO may need to take a more persuasive stance and be more involved in training programs and in building an electronic knowledge database of SoX documents. In this case, it is especially important to sell the CEO and CFO on the importance of complying with prescribed procedures and methods. In either situation, the CIO needs to acquire and manage the considerable IT resources required to make SoX compliance a reality.


FIGURE 8.9 CIO Tactics for implementing SoX compliance.

SUMMARY

  • Alternative governance approaches are possible. One approach is based on structure. Centralized IS organizations place IT staff, hardware, software, and data in one location to promote control and efficiency. At the other end of the continuum, decentralized IS organizations with distributed resources can best meet the needs of local users. Federalism is in the middle of the centralized/decentralized continuum.
  • A second governance approach involves decision rights. In this approach IT governance specifies how to allocate decision rights in such a way as to encourage desirable behavior in the use of IT. The allocation of decision rights can be broken down into six archetypes (business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy). High-performing companies use the proper decision rights allocation patterns for each of the five major categories of IT decisions.
  • Security may best be enacted using a framework that assigns responsibility for security-related decision making based on governance archetypes.
  • A third governance approach is based on controls. The Sarbanes–Oxley Act (2002) was enacted to improve internal controls. COBIT is an IT governance framework based on control that can be used to promote IT-related internal controls and Sarbanes–Oxley compliance.

KEY TERMS

archetype (p. 242)

business continuity plan (BCP) (p. 250)

centralized IS organizations (p. 237)

COBIT (Control Objectives for Information and Related Technology) (p. 253)

decentralized IS organizations (p. 237)

federalism (p. 240)

governance (p. 237)

IT governance (p. 241)

ITIL (Information Technology Infrastructure Library) (p. 255)

review board (p. 249)

Sarbanes–Oxley Act (SoX) (p. 251)

steering committee (p. 249)

DISCUSSION QUESTIONS

  1. The debate about centralization and decentralization is heating up again with the advent of B.Y.O.D. and the increasing use of the Web. Why does the Internet make this debate topical?
  2. Why is the discussion of decision rights among managers in a firm important?
  3. Why can an IT governance archetype be good for one type of IS decision but not for another?

CASE STUDY 8-1
IT GOVERNANCE AT UNIVERSITY OF THE SOUTHEAST

University of the Southeast was one of the largest universities in the United States. It had been growing rapidly, and that growth was spurred, in part, by information technology. The University embraced lecture capture technologies that allowed lectures to be streamed to students in a classroom, in dorm rooms, on the grass near the main campus' central fountain, and at a variety of other places of the students' choosing, whenever they chose to watch. This made it possible to have sections of classes with over 1,000 students without having to build physical classrooms with enough seats to accommodate each person enrolled. It also made it possible to offer classes that were streamed to students at remote campuses. Each student was charged a technology fee (i.e., $5.16 for undergraduates and $13.85 for graduates per credit hour each semester), which was administered by the Information Technologies and Resources (IT&R) Office to help fund the costs of providing IT to students and faculty.

IT&R was responsible for providing computer services, technologies and telecommunications across the campus (Computer Services and Technology), helping faculty with their instructional delivery and multimedia support (Office of Instructional Resources), helping faculty develop and deliver Web-based and lecture capture courses (Center for Distributed Learning) and the library. The IT&R Office developed IT-related policies with very little input from the faculty and was responsible for deciding and implementing decisions concerning IT architecture and infrastructure. IT&R worked with the President and other top administrators in making IT investment decisions. IT&R staff also worked with the various colleges and administrative offices and an advisory board in making decisions about applications that need to be developed. However, faculty was not consulted at all when the lecture capture system was selected.

As was often the case at large universities, many decision rights on a wide range of issues had been allocated to the colleges. The College of Business Administration had its own server and Technology Support Department (TSD). A recent survey of faculty and staff in the College indicated a high level of satisfaction with the college TSD, but far less satisfaction with the services provided by the university-level IT&R. Some College respondents indicated their displeasure about IT&R's support of the technology for the lecture capture courses, help desk and classroom technologies.

The problems with the technology support for the lecture capture software were particularly troublesome. The software would not authenticate students who had paid to enroll in some lecture capture courses, making it impossible for them to download the lectures even though they were registered in the course. Further, some university-affiliated housing did not have adequate network bandwidth to allow students to download the lectures. When problems occurred—which they did on a daily basis—the IT&R Help Desk often referred the students to instructors who could not resolve their problems. One faculty member who was teaching a lecture class with 1,400 students exclaimed, “It is utter chaos for me when something goes wrong with the system and hundreds of my students are trying to call, see or email me in panic to get me to fix something that I can't fix.”

Recently, the CIO argued that all email accounts should be placed on one central server. This would allow the IT&R greater control and make maintenance easier and more efficient. It also would considerably improve security. But it was not ideal for the faculty. A faculty meeting about email revealed some concerns with this move. First, faculty wanted emails sent to the central university server forwarded to their accounts on their other university-based servers (i.e., the college, department, or institute servers), but found it was impossible to do so. Second, faculty wanted to retain their control over archiving emails. Third, faculty wanted to have control over their preferred e-mail address. In some cases, the faculty email addresses that they had used for a decade had been changed in the printed university directory to the email address on the central university server without their knowledge. This meant that they did not receive (or even know about) messages sent to them via the address on the university server. They could not change the printed email address in the university directory to the address on the College server that they had been using, nor forward the mail sent to the central server to a different account.

The IT&R spokesman said that having a centralized server for email accounts was more secure, reliable and efficient. He said that faculty shouldn't have control over their preferred email address, even if it were on a campus server, because of the identity management problems that it would create. A frustrated faculty member at the meeting asked the IT&R spokesman to describe one time when issues about ease of use and functionality of the system by the user were weighted more highly than security in decisions about email. The IT&R spokesman could not think of an example.

Discussion Questions
  1. Describe the IT governance system currently in place at the University of the Southeast using both decision rights and structure as the bases of governance.
  2. The CIO wants to implement a centralized IT governance system. As demonstrated by the case above what are the advantages of a centralized IT governance system? What are the disadvantages?
  3. In your opinion, what assignment of decision rights would be best for University of the Southeast? Please explain.

CASE STUDY 8-2
THE BIG FIX AT TOYOTA MOTOR SALES (TMS)

“I would describe it as almost 1970s-like,” said Barbra Cooper of the basic and somewhat insular IS organization she inherited when she joined Toyota Motor Sales as CIO in late 1996. She found PC and network management, and such basic IS disciplines as business relationship and financial management, lacking, with the result that “No one understood the cost of delivering IS.” Far from being business partners, IS personnel, when they were consulted at all, were little more than “order takers.” More often, business units that perceived in-house IS as unable to deliver were buying their own IS with no thought to architecture standards, systems integration, or business benefits.

When a downturn in the global economy prompted Toyota executives to look more closely at the American division's spending, Cooper, already coping with local complaints about IS's bureaucratic unresponsiveness, found herself under pressure to explain costs as well. She subsequently formulated, over the course of many weeks, a strategy that would focus the energy of a decentralized, highly transparent IS organization on the company's major business segments. A team of eight staffers assembled by Cooper to make her vision reality generated a list of 18 initiatives, each of which was provided with a project owner, a team, and a mechanism for evaluating the team's success.

Improved alignment with the business side was at the top of the list of initiatives. Cooper identified and embedded in all the business units top-performing senior personnel, whom she called divisional information officers (DIOs). Accountable for IS strategy, development, and services, the DIOs were charged with forging relationships with, and gaining the respect of, the high-level business executives who headed the management committees on which the DIOs sat. “I still believe in managing IS centrally,” insisted Cooper, “but it was incumbent on us to physically distribute IT into the businesses. They could provide more local attention while keeping the enterprise vision alive.”

Each DIO's accountability and responsibility was for the vertical area he or she served. Corporate Manager of Business Systems Ken Goltara, for example, headed up a small group of internal customers and all of the associated vehicle-ordering systems, logistics, and dealer portals. For Ken's customers, it was a one-stop shop, as he handled all the systems for the Toyota, Lexus and Scion organizations.

Situating approval for all major IT projects in an executive steering committee (ESC) chartered by Cooper served to further strengthen the IS-business bond, and fundamentally altered accountability for projects. The committee included Cooper; her boss, Senior Vice President and Planning and Administrative Officer Dave Illingworth; Senior Vice President and Treasurer Mikihiro Mori; and Senior Vice President and Coordinating Officer Masanao Tomozoe. The goal for the ESC was to shift responsibility for IS project vetting and monitoring away from IS toward the business by exposing IS's inner workings to Toyota Motor Sales' business side.

Project funds were to be maintained by the ESC as a single pool of cash, distributed on a project-by-project basis as each phase of a project's goals was achieved. This window into what was spent (and not) would enable other projects to identify and go after unexpended funds, and the administrators to reallocate those funds accordingly. The more regular pacing of projects throughout the year, moreover, eliminated spending swings.

Many business executives initially balked at the new approval process. Instead of following the prescribed channel for seeking funding through the ESC, they allied themselves with lower-level business sponsors engaged with IS in business case development and implementation. After about half a year of dealing with senior-level business execs' unwillingness to take responsibility for IS projects, Cooper dictated that the ESC would not approve any project not backed by a higher-level business executive, a corporate manager at the VP-level or above. With business executives, not the IS executive, held accountable for achieving the business benefits of IS projects, both departments had the same stake in the outcome.

Discussion Questions
  1. Describe the advantages of TMS's new decentralized IS structure. What are its disadvantages?
  2. How did the new structure change decision rights? How did it change accountability for IS project success?
  3. Why, in your opinion, would business executives shy away from the new approval process? In your opinion, will Cooper's demand that each project be backed by an executive solve the problem? Explain.

Sources: Adapted from Thomas Wailgum, “The Big Fix,” CIO Magazine (April 15, 2005), http://www.cio.com/archive/041505/toyota.html (accessed on August 15, 2005); and Michael Fitzgerald, “How to Develop the Next Generation of IT Leaders,” CIO Magazine (May 2, 2008), http://www.cio.com/article/print/341067 (accessed on July 23, 2008).

1 For more information about the breach see Nicole Henderson, “Sony Names Philip R. Reitinger SVP and Chief Information Security Officer” (September 6, 2011), http://www.thewhir.com/web-hosting-news/ (accessed on September 22, 2011); and Chris Pereira, “Sony Fired Network Security Employees Prior to PSN Breach, Lawsuit Claims” (June 24, 2011), http://www.1up.com/news/sony-fired-network-security-employees-prior-psn-breach-lawsuit (accessed on September 22, 2011).

2 Warwick Ashford, “Sony Appoints Philip Reitinger as CISO after data breach hits 100m,” ComputerWeekly.com (September 6, 2011), http://www.computerweekly.com/Articles/2011/09/06/247806/Sony-appoints-Philip-Reitinger-as-CISO-after-data-breach-hits-100m.htm (accessed on September 22, 2011).

3 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn't Make,” Harvard Business Review (2002), 1–8.

4 Ibid.

5 IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 49, http://www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf (accessed on February 27, 2011).

6 J. W. Ross and P. Weill, “Six IT Decisions Your IT People Shouldn't Make,” Harvard Business Review (2002), 1–8.

7 Andrew McAfee, Vincent Dessain, and Anders Sjöman, “Zara: IT for Fast Fashion,” Harvard Business School Case 9-604-081 (September 6, 2007).

8 John F. Rockart, Michael J. Earl, and Jeanne W. Ross, “Eight Imperatives for the New IT Organization,” Sloan Management Review (Fall 1996), 52–53.

9 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard Business School Press, 2004). Also, Peter Weill, “Don't Just Lead, Govern: How Top-Performing Firms Govern IT,” MIS Quarterly Executive (2004), 3(1), 1–17. The quote is on page 3.

10 Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Cambridge, MA: Harvard Business School Press, 2004).

11 Andy Wu, “What Color is Your Archetype? Governance Patterns for Information Security,” Ph.D. Dissertation, University of Central Florida (2007).

12 IT Governance Institute, “Global Status Report on the Governance of Enterprise IT (GEIT)” (2011), 49, http://www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf (accessed on February 27, 2011).

13 Martha Heller, “How to Make Time for Strategy,” CIO.com (April 22, 2010), http://www.cio.com/article/591719/How_to_Make_Time_for_Strategy (accessed on January 16, 2012).

14 Adapted from “Candid Talk Trumps the Blame Game,” CIO.com (November 2011), http://www.cio.com/article/693018/Candid_Talk_Trumps_the_Blame_Game; and “How CIOs Build Bridges with Other C-Level Execs,” CIO.com (November 2011), http://www.cio.com/article/693026/How_CIOs_Build_Bridges_With_Other_C_Level_Execs?page=2&taxonomyId=3127.

15 These figures were derived from the Public Company Accounting Oversight Board (PCAOB) as were reported in Ashley Braganza and Arnoud Franken's “SoX, Compliance, and Power Relationships,” Communications of the ACM (September 2007), 50(9), 97–102.

16 Ben Worthen, “The Top Five IT Control Weaknesses,” (July 1, 2005), http://www.cio.com/archive/070105/sox_sidebar_two.html.

17 Braganza and Franken, “SoX, Compliance, and Power Relationships.”
