Exploring differences between smaller and large organizations' corporate governance of information technology

Abstract

Corporate governance of information technology (CGIT) is targeted at maximizing IT investment to achieve business objectives and value. Yet there is little empirical evidence about organizations' attitudes to and use of CGIT to deliver such value, or the role of related policies, practices, frameworks and methodologies. This study explored the views of Chief Information Officers and executive managers of smaller and large, primarily Australian organizations, regarding governance of IT. Through a survey, we investigated their views regarding the perc eived relevance, influential drivers, challenges and perceived benefits from the use of CGIT. Regardless of organizational size, our findings demonstrate substantially the same benefits, influences and challenges. Further, besides the widely acknowledged importance of strategic alignment of business and IT, risk management was found to be significant both in influencing the decision to adopt CGIT and as a perceived key capability for delivering improved organizational performance and resource-based value. As such, the study contributes new knowledge related to delivering business value through governing IT.

Introduction

Given information technology's (IT's) pervasive role in organizational processes that support business objectives, and with global IT expenditure projected as $3.7 trillion in 2015 (Gartner, 2015), value delivery from IT investment remains a concern (Kohli and Grover, 2008, Wilkin et al., 2013, Wu et al., 2015). Our paper focuses on corporate governance of information technology (CGIT), a subset of corporate governance, particularly its strategic focus on improved organizational performance and maximizing IT value. Defined as “the responsibility of the board of directors and executive management, CGIT … consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives” (ITGI, 2003 p. 10).

To enhance IT's capability to create business value, a number of CGIT-related tools and management systems have been developed. These include: PRINCE2 (Projects in Controlled Environments), ITIL (IT Infrastructure Library), COBIT² (Control Objectives for Information and Related Technology), Val IT (Value from IT investments) and ISO/IEC 38500:2008 (an international standard for CGIT). Whilst the body of research concerned with IT governance issues in Australia is growing (e.g., Zhao et al., 2008, Campbell et al., 2009, Robb and Parent, 2009, Wilkin and Riddett, 2009, Wilson and Pollard, 2009, Wilkin et al., 2013), few studies have explored practitioner views of CGIT, including the influences, challenges and perceived benefits related to an organizations' application of CGIT policies and practices. Research is also lacking regarding how organizations perceive ISO/IEC 38500:2008′s principles to be relevant. Our research aims to address these knowledge gaps through a survey in Australia of business and IT executives from large (LO) and smaller (SO) organizations whose roles engage with CGIT. Moreover, recognizing that resource-constrained SOs face significant challenges in managing their assets to achieve sustainable competitive advantage (Beck et al., 2005, Cragg et al., 2011), our research aim was also to investigate any perceived differences between SOs and LOs in this regard. Besides such perceptions, the survey collected quantitative data about each organization, the status of CGIT policy and related responsibilities.

Findings from the 143 respondents (43 from SOs and 100 from LOs) showed the key implications as: SOs were equally engaged with CGIT and business/IT alignment as their LO counterparts; that human engagement with CGIT was a primary source of challenge for both (with strategies related more to defining accountabilities than upon control); and that risk management was a primary influence upon organizations of both sizes to engage with CGIT. In particular, we found: that (1) project management methodologies had higher levels of awareness and implementation than frameworks more directly related to IT governance; (2) the meaning of CGIT was construed in terms of IT alignment and value from IT; and (3) LOs were more likely to have a written policy than SOs. Influences for CGIT policy development reportedly relate to focusing on what IT could do for the organization (risk management and achieving alignment) rather than the issue of adequate organizational resources.

Benefits achieved by CGIT were found to include alignment of IT with business needs, and definition of accountabilities and responsibilities. Identified challenges primarily concern human issues (i.e., acceptance, commitment, communication and change management). Structural mechanisms by which to achieve CGIT were found to be formal in nature, i.e., IT steering committees (mainly LOs), formal policies and procedures and the Chief Information Officer's (CIO) role on the board. There was general agreement with ISO/IEC 38500:2008′s principles for CGIT, particularly regarding CGIT's role in ensuring regulatory compliance, appropriate delegations being in place and IT being fit for purpose.

The study's relevance can be gauged from evidence of high-profile IT project failures (e.g., Hutchinson, 2010, Toomey, 2009) and organizations' failure to realize benefits from IT investments (e.g., Barua et al., 2010). For example, a Commission of Inquiry into Queensland Health's payroll IT disaster reported that this failure related to governance practice, not the relevant standards (Chesterman, 2013). Even so, Standards Australia released an updated Information and Communications Technology (ICT) governance standard as a response (Clarke, 2014). Similarly, conflicted reports are evident in the USA. The US Air Force's development of the Expeditionary Combat Support System, which was scrapped after spending over a billion dollars for reportedly “zero results” (Shaw, 2012 p. 1), has been attributed to the lack of an assigned “accountable leader” who would exercise authority to enforce organizational changes necessary for successful project implementation (Stross, 2012 p. 2). In other words, the failure was in the exercise of IT governance, not necessarily in the relevance of an applicable standard.

These scenarios suggest that investigation is required into what constitutes current CGIT practice, the relevance of related tools/standards, and their capability to deliver organizational value from IT. In reporting our investigation, the paper is organized as follows. After reviewing the relevant literature, we introduce our theoretical perspective. We then outline the research methods and the study's context. After discussing our findings and their implications, we outline limitations and suggest opportunities for future research.