IT governance — aka “enterprise governance of IT” or “corporate governance of IT” — oversees the organization’s IT assets. Studies have shown that high levels of board-level IT governance, regardless of existing IT needs, increase organizational performance. From the board’s perspective, there is a growing need to comply with an increasing amount of regulatory and legal requirements (e.g., privacy issues), many of which also impact IT. These regulatory requirements redefine directors’ responsibilities for IT governance.
Despite general agreement among researchers and academics of the need for board-level involvement in IT governance, it appears that in practice this is more the exception than the rule. Given the prevalence of this issue, we have sought to answer the question, “What is the state of the art of the research domain of board-level IT governance?” In this Advisor, we share a few of our findings on the various determinants, theories, and outcomes surrounding board-level IT governance.
How Boards (Can) Lead and Govern Digital Assets
Our findings include seven theories (i.e., agency, voluntary disclosure, stewardship, resource dependence, contingency, strategic choice, institutional) that ground the “why” and “how” of board-level IT governance. Figure 1 summarizes the key findings of this research.
The “Why” of Board-Level IT Governance
In this section, using four theories (i.e., agency, voluntary disclosure, stewardship, and resource dependence), we discuss the key factors in explaining why boards should be involved in IT governance.
Provide Oversight on IT-Related Matters (Agency Theory)
The agency theory defines two actors: (1) the principal who assigns tasks and (2) the agent who executes them. Because different people have varying levels of risk acceptance, the tasks assigned to the agent can be executed in a way that conflicts with the principal’s interests. Thus, the board should play an oversight role to address this so-called principal-agent problem. This problem can arise between the board and executive management as well. Executive management — and more specifically, the CIO — are employed as agents by the board to take up the day-to-day operation of the organization. To enable effective oversight, the board can set IT policy, ask critical questions, establish an IT-related oversight committee, and so on.
Improve Firm Valuation Through IT Governance Transparency (Voluntary Disclosure Theory)
It is important that IT governance communications extend to the organization’s external stakeholders. The concepts of voluntary disclosure theory and agency theory predict that, through better information intermediation, organizations can improve their liquidity and firm valuation. In highly digitized environments, transparency on IT governance can be a vital source of information for stakeholders. We addressed this requirement to create transparency on IT governance toward stakeholders in a Cutter Consortium Executive Update, where we examined how boards report on IT value, risk, performance, and strategic alignment.
Provide Guidance and Direction on IT-Related Matters (Stewardship Theory)
The stewardship theory postulates that, in contrast to the agency theory, the relationship of the owners and management is built on trust in equal interests. The behaviors of the stewards and principals must align. With this perspective, “managers need less oversight, and more advice, because they are deemed to be trustworthy good stewards of the resources they manage.” This theory implies that it is the board’s role to discuss IT issues and provide guidance to management based on these discussions.
Build Unique Digital Capabilities for Competitiveness (Resource Dependence Theory)
Resource dependence theory states that organizational success is dependent on the deployed resources, which can be internal or external to the organization. The board can also be a valuable resource in both knowledge and capital acquired through experience in the organization’s respective industry. As an example, board members can reuse IT oversight and guidance practices they have seen applied in other organizations or acquired through outsourcing experiences. IT governance competencies at the board level can in this way improve organizational performance by building unique board-level digital capabilities as an enabler for competitiveness and sustainable growth.
The “How” of Board-Level IT Governance
There is no one approach to IT governance. Boards are confronted with many different factors that influence how they should and can take up their IT-related accountabilities, including those discussed in this section. Using the remaining three theories outlined earlier (i.e., contingency, strategic choice, and institutional), we discuss the key ways in how boards should be involved in IT governance.
Board-Level IT Governance Depends on IT’s Role (Contingency Theory)
The contingency theory describes the dependence of an organization’s success on various internal and external factors (e.g., size of the organization, adaptability to the environment, resource availability). A firm’s board-level IT governance depends on an interplay of external factors. The focus of this theory, from Cutter Consortium Fellow Richard Nolan and Harvard Professor F. Warren McFarlan, is on the firm’s reliance on its technology. The theory defines four “IT use modes” along two axes (see Figure 2). A low need for new IT requires a defensive IT strategy, while a high need demands an offensive strategy. The spectrum illustrates the need for reliable IT: within a defensive IT strategy, a high need for reliability results in a “factory” use mode, while a low need results in a “support” use mode. Within an offensive strategy, a high need for reliability results in a “strategic” use mode, and a low need results in a “turnaround” mode. In each mode, the level of, and approach in, board IT governance can be different (e.g., in terms of required governance structures and oversight questions to be asked).
Board-Level IT Governance Depends on Strategic Choices and Organizational Factors (Strategic Choice and Institutional Theory)
University of Waterloo Professors Jennifer Jewer and Kenneth McKay have set strategic choice theory and institutional theory against each other in the context of board-level IT governance. Strategic choice theory states that organizational leaders can have an impact on the structures of the organization depending on their strategic choices. This is opposed to institutional theorists who claim that these organizational structures come from “established” values, norms, and beliefs in the organization.
Jewer and McKay use the strategic choice theory to research propositions regarding organizational factors, such as board size, proportion of insiders, and IT expertise and their influence on board-level IT governance. They use the institutional theory to research propositions regarding organization size, organization age, and the role of IT in the organization — and their influence on board-level IT governance.
[For more from the authors on this topic, see “From the Board: Leading and Governing Digital Assets.”']