1. IT Governance: Establishing Who DecidesOR
The topic of IT Governance is one that is of great interest to me. Given you registered for this event, I’m thinking that’s either because it is also of interest to you or you think it should be of interest to you or you had nothing else to do.
Andrew J. Clark (Syracuse University)

2. Value of organization’s IT
My interest in Governance
Ineffective governance symptoms
Why is it important - who cares?
IT Governance model
Conclusion
What is the value that an organization generates from its Information Technology? I thought I’d start with my conclusion….well, sort of.
Research at MIT by Peter Weill & Jeanne Ross led them to conclude that:
Effective IT Governance is the SINGLE most important predictor of the value that an organization generates from its IT investment.
Here are the five points I want to cover and we can go into various levels of detail here:
Start with what is governance, IT governance and why I became interested in the topic
Talk about some of indicators that governance may be ineffective, symptoms of it.
Talk a bit about why it’s important, why should anyone care about IT governance
Describe a model for IT governance that I’ve used and you could also to assess and improve IT governance in your own organization
Parting thoughts

3. My interest in IT Governance
by Weill & Ross
Recent reading/research
New CIO at SU
Functional area relationships
Enterprise thinking
My interest in IT Governance was piqued by a number of events that happened close in time:
I’m a bit of a book-a-holic and was taking graduate courses and stumbled across some early work by Peter Weill at MIT and Marianne Broadbent at Gartner. That led me to more recent work by Dr. Weill and Dr. Jeanne Ross – specifically a text titled IT Governance: How Top Performers Manage IT Decision Rights for Superior Results.
In 2004, Dr. Paul Gandel came to Syracuse University as our New CIO. I wanted to develop a set of thoughts and recommendations related to our IT area.
Increasingly good working relationships among various functional areas and IT directors led me to believe some might be interested in working together on the topic…and they were. As a group we worked and developed a white paper for Dr. Gandel.
More and more people at SU were beginning to think of the whole organization instead of within silos. They were thinking across the enterprise.
These factors really led me to do more reading and research, to get a number of people together who were interested in the topic and to do some work in the area.

4. What is Governance?
In the English language, “governance” is an old term which, like “civil society”, fell into disuse, but which has been revived, given new meaning, and attained widespread currency. Like “government” and “governor”, it is derived from the Latin work “gubernare” – the action of steering a ship. A popular definition reflects these ancient Roman roots by defining governance as “steering, not rowing.[1]
To talk about IT Governance, we have to talk about “governance”. Just for fun, I did a Google search with the question, “What is governance?” The search produced 220 Million results and the web dictionary listing contained 24 results.
Don MacLean provided this thought for a workshop in 2004 on Internet Governance – I thought it nicely led into the topic.
As I’ve mentioned, the word “governance” has a number of meanings. However, most somehow relate to control, authority and domination and many are not particularly helpful when trying to reduce the confusion surrounding the term “governance”. But the “steering” idea above begins to provide some help in thinking about governance.
[1] MacLean, Don, “Herding Schrodinger’s Cats: Some Conceptual Tools for Thinking about Internet Governance”, page 6, Background paper for the ITU Workshop in Internet Governance Geneva, February Accessed November 15, Available at Internet

5. What is Governance?
“Providing the structure for determining organizational objectives and monitoring performance to ensure that objectives are obtained.”[2]
Organizational leaders play many roles in their organizations. Perhaps one of the most crucial relates to the governance of the organization. And governance can be thought of in relation to “key assets” that an organization possesses.
How decisions are made about organizational priorities, strategies and goals, and major resource allocations, and who is held accountable for these decisions are functions of organizational governance.
The key assets many think of associated with being governed are:
Human assets
Financial assets
Physical assets
IP (Intellectual Property) assets
Relationship assets
[2] “OECD Principles of Corporate Governance, Organization for Economic Cooperation and Development, Directorate for Financial, Fiscal and Enterprise Affairs, SG/CG (99) 5 and 219, April 1999

6. What is IT Governance?
Information Technology Governance, IT Governance or ICT Governance, is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management3.
Some people don’t think as carefully or as often about a 6th Key Asset: Information & IT assets
But, just as an institution’s senior leaders must be involved in and understand the governance of the organization’s other key assets, they need to be involved in and understand the governance of the institutions information and IT assets.
Let’s talk about what IT governance is. A general point about IT governance is:
Effective IT governance is the SINGLE most important predictor of the value an organization generates from IT.
I said this at the beginning, and I’ll say it again at the end. Let’s move more into IT Governance and some definitions.
3. Wikipedia

7. What is IT Governance? (continued)4
Describes the rules and procedures for making and monitoring decisions on strategic IT concerns.
IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity.
Here are a couple of definitions from a pile of definitions that Norma Holland presented at an EDUCAUSE Leadership Institute program in These give a sense of the phrase and its meaning. Just so you know, Norma presented quite a few more than these two, I just wanted to show a couple of them to you.
ASK: I’m not sure this is what you think about when you think of the topic of “IT Governance”…but I now think along these lines
4. Holland, Norma, EDUCAUSE Leadership Program, June 2005

8. IT Governance is:
The assignment of decision rights and the accountability framework to encourage desirable behaviors in the use of IT.
This is the way Drs. Weill and Ross describe IT Governance. Actually their text specifically defines it as:
IT governance:= specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.
To me, this definition is more useful than some of the others.
The basic idea is who can make critical decisions and who is accountable and to what end. The idea is to be explicit, purposeful and intentional in establishing this framework.
Governance is not management. Governance is about decision rights (vesting decision authority in either a individual or a group). Management is about the implementation of those specific decisions. Governance is more strategic and management is more tactical.
Decision rights
Accountability
Desirable behaviors

9. Symptoms of ineffective governance
Low IT value
IT barrier to strategies
Ineffective IT mechanisms
Can’t explain governance
Projects late & over budget
Outsourcing seen as fix
Changes frequently
These are some symptoms of ineffective IT governance:
Senior management senses low value from investments made in IT. They frequently don’t even think of them as investment but simply costs.
IT is often a barrier to implementing new strategies. Instead of being a strategic enabler, it limits the ability to respond to new opportunities.
The IT decision-making mechanisms are slow or contradictory (or both).
The inability to explain how IT is governed in an organization – especially senior management’s ability to explain it. If it can’t be explained how can it be followed? If < 50% of managers in leadership positions can accurately describe IT governance and the number is not increasing monthly, governance is a problem.
Some of the more conservative studies have shown that < ½ of IT projects complete on time and on budget. Good project management is part of good IT governance.
Some outsourcing decisions result simply from frustration with IT. If this is seen as a quick fix solution, it suggests that governance is a problem.
Governance should change Infrequently, only when a change in strategy prompts a change in desired behaviors.

10. Why is it important? IT Costs / Business value New business models
Business risk
Dependence on other entities
Essential business knowledge
Business’s reputation
Studies done by Gartner, and the MIT Sloan Center for information Systems Research (CISR) have shown that businesses with effective governance structures have more-focused strategies, and senior business leaders were more heavily involved in governance.
These companies had a specific focus on a smaller number of objectives for their IT investment (e.g. lowering cost, supporting new ways of doing business, greater flexibility, or facilitating customer communication).
In addition their studies showed that exception processes functioned more effectively, were more transparent and fair and there were fewer non-sanctioned exceptions.
Increasing costs of IT – are causing people to think more about the money they spend on IT. We are realizing the increasing value of information to business and organizations. These things are combining to have people think of this money as being invested in IT and some are actually starting to manage IT investments as a portfolio. Good governance pays off – above average governance in firms leads to Return on Assets (ROA) of > 20% higher than firms with poorer governance.
IT has the ability to change business practices – to allow people to do business in completely different ways from the past. This is enabling new business models.
IT is pervasive. Estimates are that < 20% of IT spending is visible in the IT budget. The interconnected workspace, the interconnected planet is increased risk of doing business because of this interconnectedness. A failure at one point is likely to ripple through a highly connected organization or set of organizations.
Because of this connectedness, businesses are increasingly dependent on entities beyond their direct control.
IT enables, helps businesses build and maintain knowledge essential to sustain and grow their businesses. Decisions throughout the enterprise need to be consistent with senior leadership’s direction.
IT failures increasingly impact a business’s reputation, people increasingly expect 24x7, 365 service at 5 9’s of reliability. Any failure degrades the reputation of a business.

11. Why is it important? (2) Research findings:
Thoughtful design leads to above average returns on IT investments
Percent of executives who can describe IT governance.
Studies done by Gartner, and the MIT Sloan Center for information Systems Research (CISR) have led to a number of findings or results, these are two I thought important:
An approach or structure for IT governance simply has evolved over a number of years or decades; it was not really designed. Research has determined that organizations that thoughtfully design their IT governance arrangements to harmonize with business objectives achieve above average returns on their IT investments.
And, the Strongest indicator of effective governance is the % of executives who can describe their enterprise’s IT governance arrangements. The higher the %, the higher the governance performance.

12. Governance Model Three Major Components
What decisions need to be made?
(Domains)
Who has decision and/or input rights?
(Styles)
How are the decisions formed and
enacted? (Mechanisms)
I’m now going to spend some time talking about a model of IT governance presented by Drs. Weill & Ross in their text. I also believe this model could be used for governance of areas other than IT.
The model helps people address three major questions:
What decisions must be made to ensure IT is effectively managed and that it is effectively used? This component is labeled “domains”
Who should be involved in making decisions and what should be their level of involvement. This component is labeled “styles”
How will the decisions be formed and how will they be monitored? This component is labeled “mechanisms”

13. What Decisions Need to be Made? (Domains)
There are five major decisions domains
Principles
Infrastructure strategies
Architecture
Business application needs
Investment and prioritization
These are the five major areas (i.e. domains) in which decisions should be made
Principles are the high-level statements about how IT will be used to create business value. While the five decisions are interconnected, decisions about principles steer the direction and decision making for the other four. Research demonstrated organizations that get superior business value from IT have a small number of clearly articulated principles.
 MeadWestvaco: (1) Benchmarked lowest TCO, (2) Consistent flexible infrastructure, (3) Rapid deployment of new applications
MetLife: (1) Enable the business, (2) Ensure information integrity, (3) Create a common customer view.
Infrastructure strategies define the approach to building shared and standard IT services across the enterprise.
Architecture defines the set of technical choices that guide the enterprise in satisfying business needs.
There are decisions about the business application needs and how best to meet them (e.g. acquire or build).
Investment and prioritization decisions include defining the investment focus, how to fund initiatives, justification for investments, approval processes and accountability.

14. Who has Decision & /or Input Rights? (Styles)
The model draws heavily on the language of corporate governance and politics (or medieval language) for depicting key players behaviors and approaches to decision-making. Most any of these styles can be utilized in any of the domains.
A Business Monarchy is where the executive leadership has the decision rights, which may be exercised through an executive committee or council. C-Level (e.g. CEO, CIO, CFO) executives as a group or individuals Usually includes Executive Committee and IT Councils with senior business executives and CIO (but CIO does not act independently). Higher Ed: Chancellor, President, Provost, etc.
An IT Monarchy is where IT executives have the decision rights. Often exercised through an IT leadership council or CIO office. Individual or groups of IT executives only.
A Feudal Style is where business unit leaders or their delegates have the decision rights and authority is localized.
A IT Duopoly is where IT executives and other business or process leaders share rights.
The Federal Style is where governance rights are shared by a C-level executives and at least one other group. Typically this is a combination of senior executives, IT executives, business unit leaders, business process owners, and end users.
Anarchy is where individual process owners or end users have decision rights and there are usually no formal mechanisms for exercising rights.
Business Monarchy
IT Monarchy
Feudal
IT Duopoly
Federal
Anarchy

15. Key players in Governance Archtypes5
C-level IT
Biz
Business Monarchy √
IT Monarchy
Feudal
IT Duopoly
Federal
Anarchy
Here is another way of looking at the styles and whether they involve C-level executives, IT and/or Business or functional areas of an organization.
5. Weill, P. & Ross, J.W. (2004)

16. How are Decisions Formed & Enacted? (Mechanisms)
Decision-making structures
Alignment processes
Communication approaches
Governance mechanisms are used to implement the decisions made by the governance styles. Most businesses use multiple mechanisms to help implement their governance arrangements.
These are the three categories or types of mechanisms that Weill & Ross present:
Decision-making structures: the organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.
Alignment processes: formal processes for ensuring that daily behaviors are consistent with IT policies and provide input back to decisions. These include things such as IT investment proposal and evaluation processes, architecture exception processes, service-level agreements, chargeback and metrics.
Communication approaches: announcements, advocates, channels, and education efforts that disseminate IT governance principles and policies and outcomes of IT decision-making processes.

17. Mechanisms: Decision-making structures5
% using
CIO Rank
Executive or senior management committee
89 %
3.5
*** IT leadership committee comprising IT executives
85 %
3.8
Process teams with IT members
84 %
3.4
*** Business/IT relationship managers
83 %
3.9
*** IT council comprising business and IT executives
71 %
3.7
Architecture committee
66 %
3.1
Capital approval committee
55 %
Here is some information from MIT Sloan School Center for Information Systems Research (CISR) based on 256 enterprises in 23 countries. This shows information related to the Decision-making structures mechanism. The columns are the percent of participants using the structure and the CIO rank of the effectiveness of the structure [1 = ineffective to 5 = highly effective].
The structures are ordered with the most used at the top, then decreasing use in each succeeding row.
The decision-making structures that have asterisks in front of them are those that CIOs ranked highest in effectiveness. It’s interesting that all these structures fall higher than the midpoint of effectiveness.
5. Weill, P. & Ross, J.W. (2004)

18. Mechanisms: Alignment Processes6
% using
CIO Rank
*** Tracking of IT projects and resources consumed
96%
3.4
*** Service-level agreements
88%
3.2
Formally tracking business value of IT
62%
2.9
Chargeback arrangements
61%
2.8
Here are the alignment processes that were ranked.
Remember that alignment refers to processes for ensuring daily behaviors are consistent with IT policies and also provide input back to the decisions.
Only two of them, the top two:
Tracking of IT projects and resources consumed
Service-level agreements
Were ranked over the effectiveness midpoint
6. IBid

19. Mechanisms: Communication Approaches7
% using
CIO Rank
*** Work with managers who don’t follow the rules
90%
3.2
Senior management announcements
88%
2.9
*** Office of CIO or Office of IT governance
85%
3.6
Web-based portals and intranets for IT
79%
Here are the communication approaches that were ranked.
Remember that these approaches are geared to disseminate IT governance principles, policies and outcomes of IT decision making.
Only two of them, lines 1 and 3:
Work with managers who don’t follow the rules
Office of CIO or Office of IT governance
Were ranked over the effectiveness midpoint
7. Ibid

20. The Governance Model The “Harmony ‘What-How’ Framework”
Arrangements
Performance
Goals
Strategy
This framework depicts how:
Enterprise strategy, governance arrangements and performance goals are harmonized – “the whats” are linked together so they are aligned and drive an organization to achieve its vision or steer in the strategic direction in which they are trying to move.
The top row is enacted by the bottom row so that:
Organization’s strategy defines the desirable behavior.
Organization’s governance arrangements are enacted through its governance mechanisms
Organization’s performance goals are measured through metrics.
The square purple box is what I consider the heart of the model. This part of the model describes the operative behaviors, cultural, and the structural organization of the business. I’ll talk most about this part of the model.
One way to use this model is similar to process mapping where we describe how something exists today, what is know at the “AS-IS” representation of the organization or a process. Then you determine where you want to go, what you want the organization or process to be like in the future. You define the “TO-BE” organization. In this sense you can determine the AS-IS governance structure that exists in your organization and then use information and knowledge to identify what you want to change and design the desired or TO-BE governance structure.
How
How
How
Desirable
Behaviors
Governance
Mechanisms
Metrics &
Accountabilities
What
What

21. Mapping Styles Against Domains
Principles
Architecture
Infrastructure
Business Applications
Investment & Priorities
Styles
Input
Decision
Business Monarchy
IT Monarchy
Feudal
Federal
Duopoly
Anarchy
This matrix is simply a tool for describing and communicating governance arrangements within a enterprise.
In general for most enterprises effective governance has broad based input and tightly controlled decision rights.
Business monarchies tend to dominate decision making about IT investments and IT infrastructure.
IT monarchies typically have decision rights for IT principles and IT architecture.
Feudal structures typically do not have decision rights for any domain.
Federal structures are most commonly used for input rights but almost never for decision rights.
Anarchy, were it is intentional, may have both decision and input rights.
The specifics selected may be a bit different for different “types” of organizations.
HANDOUTS & ASK AUDIENCE: To map their organization’s governance out.
So, how did yours come out? At SU we used the matrix to assess our “as is” approach. I convened ~ 10 people knowledgeable about how we did things and we mapped it out. Want to know how it came out? Let me show you.

22. SU’s Mapping of Styles Against Domains
Principles
Architecture
Infrastructure
Business Applications
Investment & Priorities
Styles
Input
Decision
Business Monarchy
IT Monarchy
Feudal
Federal
Duopoly
Anarchy √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
So, there’s how it came out.
I know you might not be able to read it from where you are, but here are the important points:
Each checkmark represents where 1 or more individual thought an input or decision was made.
You’ll notice how full the overall table is
You’ll notice many columns are completely full
You’ll notice the IT Monarchy and Duopoly are almost completely full
This could mean a number of things:
The people involved had no idea how things were done.
We didn’t have any governance for these domains
We had confusing governance for these domains
Some combination of the preceding √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √

23. Mapping Styles Against Domains
Principles
Architecture
Infrastructure
Business Applications
Investment & Priorities
Styles
Input
Decision
Business Monarchy
IT Monarchy 1
Feudal
Federal
Duopoly
Anarchy 30 27 6 7 1 12 1 73 59 18 20 10 8 9
While, the specifics selected may be a bit different for different “types” of organizations, the most common governance pattern allowed for broad-based inputs with decision rights allocated to different groups depending on the decision.
Red squares indicate the where the highest % of organizations gave input rights. Black squares indicate where the highest % of organizations gave decision rights.
For the three more business-oriented IT decision (principles, business application needs, and investment), more than 80 percent of the enterprises provided inputs through a federal governance model. 3 1 2 1 18 3 83 14 46 4 59 6 81 30 93 27 15 36 34 15 30 23 17 27 6 30 1 1 3 1

24. How Top Financial Performers Govern8
Principles
Architecture
Infrastructure
Business Needs
Investment & Priorities
Business Monarchy
Profit
Growth
IT Monarchy
Feudal
Federal
Duopoly
ROA
This table displays some of the differences in IT governance for how leaders in different types of organizations:
Profit
Growth
Asset Utilization
They were identified as leaders by having significantly higher or increasing average three year industry adjusted profits, growth or ROA.
The IT Governance Decisions made by Leaders in “Profit” as measured by Return on Investment (ROI) and Return on Equity (ROE) are listed as Profit in the table.
The decisions made by Leaders in revenue growth identified by the word “Growth”
And, decisions made Leaders in asset utilization as measured by Return on Assets (ROA) are indicated by ROA.
The squares colored red indicate the most common decision patterns across all firms in the survey.

25. Non-Profit IT Governance
More Business Monarchies
Less IT Monarchies
More Federal decision arrangements
More Federal input arrangements
More IT duopolies
While Drs. Weill and Ross included some government and not-for-profit organizations in their research, unfortunately they did not include universities.
In my correspondence with Dr. Ross, she told me that while they had given a copy of their text to the VP/CIO at MIT, they hadn’t done any work with the organization on the topic. Dr. Broadbent told me that I should run with all deliberate speed in the other direction from higher education.
That said, here are 5 patterns of IT performance that is notably different for non-profit (versus for profit organizations):
There are more business monarchies involved in all decisions except for architecture decisions.
There are significantly fewer IT monarchies in all decisions.
There are more federal arrangements in all decisions except investments
There are more federal arrangements for inputs to all decisions
There are more duopolies for IT architecture.

26. Top 10 Leadership Principles
Actively design governance
Know when to redesign
Involve senior managers
Make choices
Clarify exception handling
Weill & Ross distilled their research into 10 principles of IT Governance:
Management should actively design IT governance around the enterprise’s objectives and performance goals. Also the fewest number (6-10) of effective mechanisms should be used and regularly reviewed.
Learning about governance, redesigning and then implementing it all take time. So, redesign should be infrequent. Only with a change in desirable behavior.
Firms with more effective IT governance have more senior management involvement. Senior management necessarily gets involved in strategic decisions…and IT governance is that.
Its not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate.
Exceptions help an organization learn – they challenge the status quo. However, an exception process has to be clearly defined and understood by all.

27. Top 10 Leadership Principles (continued)
Provide right incentives
Assign ownership & accountability
Design at multiple levels
Provide transparency & education
Implement common mechanisms
6. Misalignment of incentive and reward systems with behaviors that IT governance was designed to encourage is a common problem. How can you expect governance to work when the incentives are driving different behavior?
7. IT Governance MUST have an owner and accountabilities. And it can’t be designed in isolation from other key firm assets. A person or group can’t implement IT governance alone – IT assets are more and more important to enterprise performance. Today, the CIO owns IT governance in the majority of sizable organizations.
Many organizations have separate IT functions at the division, business unit levels. These separate entities must have connected layers of IT governance. Weill & Ross recommend starting first with enterprise IT governance because this will have implications for other levels of governance.
The more special deals are made, the less confidence there is in the process and the more workarounds are used. It is impossible to have too much education or transparency about IT governance.
Weill and Ross believe that enterprises using the same mechanisms to govern more than one of the six key assets have better governance. An organization that uses executive committees to address all enterprise issues including IT, creates synergies by considering multiple assets.

28. References
Board Briefing on IT Governance , Available from Click on Governance, then on Downloads, and scroll down to Anonymous Access
Broadbent, M. & Kitzis, E., The New CIO Leader: Setting the Agenda and Delivering Results, Cambridge, Harvard Business School Press, 2004
Lane, D, CIO Wisdom: Best Practices from Silicon Valley’s Leading IT Experts, Upper Saddle River, Pearson Prentice Hall, 2004
McCredie, J. (2006) Improving IT Governance in Higher Education (Research Bulleting 18). Boulder, CO: EDUCAUSE Center for Applied Research. Available from
McNurlin, B.C. & Sprague Jr, R.H. (2004) Information Systems Management in Practice, Upper Saddle River, Pearson Prentice Hall.
Weill, P. & Ross, J.W. (2004), IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Boston, Harvard Business School Press
Here are some references on the topic of IT Governance

29. Contact Information:
Andrew J. Clark
Syracuse University
Chief Process Architect
Here is contact information for me if any of you want to have some exchanges or more in depth conversations on the topic feel free to contact me.