Here is my view of the development path that has led from corporate governance to IT governance to the enterprise governance of IT.
Corporate Governance began
In nineteen ninety-three
(which was rather early for me)
Between Robert Maxwell’s fraud
And Cadbury’s report to the LSE.
after Annus Mirabilis by Philip Larkin (1922-1985)
It was following Robert Maxwell’s drowning while cruising off the Canary Islands in 1990 that the GBP 4 billion fraud at Maxwell Communication Corporation and Mirror Group Newspapers was revealed. Maxwell was both chairman and chief executive. Consequently in 1991, the London Stock Exchange (LSE) and the accountancy profession asked Sir Adrian Cadbury to chair a committee to recommend a code of best practice for corporate governance. The resulting Cadbury Report: “Financial Aspects of Corporate Governance” (December 1992) is often seen as the point at which formally defined corporate governance emerged.
Corporate governance is now well established in the world, for example all G-20 countries have their own recommendations.
When did IT governance emerge? As Peter Weill and Jeanne Ross indicated in 2004 in the preface to their seminal book, IT Governance, the point at which the importance of conducting IT governance became clear is not as well defined as that of corporate governance; it emerged over a period of years from multiple research studies and discussions between managers. As early as 1998-9 Weill, with Michael Vitale at the Melbourne Business School, conducted an exploratory study of IT governance. Much of the work on business and IT alignment (BITA) in the 90s contributed to IT governance, too. The earliest I have been able to find the term IT governance was in an article on strategic alignment of business and IT by Henderson and Venkatraman in 1992, in chapter 7 of the book Transforming Organisations edited by Kochan and Useem.
IT governance took off as a discipline once the COBIT framework evolved from an audit to an IT governance framework with the release of COBIT 3.0 in 2000. COBIT was, and still is, widely adopted as the de facto framework to meet the IT governance requirements of Section 404 of the Sarbanes-Oxley Act (2002). It is worth pointing out that COBIT recognised that IT governance was concerned with ensuring both conformance and performance, i.e. compliance and value delivery to the business.
In Australia between 2003 and 2005, Standards Australia developed Australian Standard AS 8015-2005 for the Corporate Governance of Information and Communication Technology. This complemented the set of Australian Corporate Governance Standards - the first of which had been published in 2003. AS 8015 was fast-tracked into an ISO standard as ISO 38500, published in May 2008. Unlike the free, comprehensive resources within the COBIT framework, ISO 38500 was a slim 12 page easy-to-understand standard aimed at directors of businesses to guide them in their governance in the use of IT – however, it has to be purchased at around $100.
It was at this point that some ISO 38500 insiders began to say in public that the COBIT framework, which by then had reached COBIT 4.1 and incorporated powerful IT governance approaches such as business goals driving IT goals, which in turn drive IT processes, was really only IT management rather than IT governance. This attack was headed off in February 2009 by an article by Gary Hardy, one of the founders of COBIT. His article "ITGI Enables ISO/IEC 38500:2008 Adoption" demonstrated how ITGI’s family of products (COBIT, Val IT and now Risk IT) provides the support for IT governance according to ISO 38500. Gary’s article showed how COBIT, Val IT and related guidance support the six principles (responsibility, strategy, acquisition, performance, conformance and human behaviour) and the three main tasks (evaluate, direct and monitor) of the ISO 38500 standard. The debate seems to have died down.
Now people are starting to discuss enterprise governance of IT rather than IT governance; notably Wim van Grembergen and Steven De Haes at the Antwerp Business School. They have been long-term researchers for ISACA/ITGI and advocates of approaches to implementing IT governance that have contributed much to the development of the COBIT framework. In their latest book, “Enterprise Governance of Information Technology”, published in Spring 2009, they begin by pointing out that enterprise governance of IT is a relatively new term, and they go on to explain that because of the “IT” in the name IT governance, discussion did not generally reach the boardrooms of organisations. Clearly the involvement of business is crucial, and they indicate that there has been a shift of emphasis (largely due to the publication of ISO 38500, I feel) to focus on business involvement, i.e. enterprise governance of IT. As they put it, “enterprise governance of IT is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organisation that enables both business and IT people to execute their responsibilities in support of business-IT alignment and the creation of business value from IT-enabled investments.”
As I write this article, the COBIT Steering Committee is working on COBIT 5.0, due in 2010 I’ve heard. I have every expectation that it will carefully align itself with ISO 38500 and talk about the enterprise governance of IT. I am looking forward to seeing it.
© 2009 Geoff Harmer