Outsourcing IT Governance to Deliver Business Value

Max Blecher

IT governance is widely espoused; however, levels of implementation do not seem to be commensurate with the potential benefits. Many reasons for this have been suggested, including implementation complexity, change readiness and incorrect sponsorship, to name a few. This article identifies one of the factors impeding implementation and proposes IT governance outsourcing as a viable solution.

The IT Governance Dichotomy

Research has shown that there is a positive relationship between good IT governance and increased corporate profitability.¹ Many studies and reports have also linked the appropriate use of IT to increased business effectiveness, strategic advantage, greater customer intimacy, increased innovation and a host of other business improvement metrics.

Yet many organisations do not seem to be rushing to implement IT governance. The IT Governance Institute’s (ITGI’s) IT Governance Global Status Report² shows that, in 2005, 58 percent of the 623 organisations surveyed had not yet started implementing IT governance; this statistic is down 2 percent from 60 percent in 2003.

If the benefits are so obvious, why is there such a gap?

Resource Constraints

One of the answers may be found in understanding who, in reality, has the responsibility for implementing IT governance.

ITGI indicates that ‘IT governance is the responsibility of the board of directors and executive management’.³

However, the Global Status Report research shows that chief information officers (CIOs) are actually driving IT governance activities. A full 33 percent of respondents indicated that the CIO has overall responsibility for IT governance, as compared with only 24 percent of respondents attributing this responsibility to the chief executive officer.

But CIOs are invariably under pressure from the business to reduce costs. In addition, projects often cost more than originally planned, information and transaction volumes are increasing, geographies are expanding, and IT service requirements are becoming more demanding. It is not hard to see that dedicating resources to IT governance is a relatively unattractive proposition for CIOs.

Naturally, regulatory requirements and audit pressures will result in the allocation of resources to address key risk areas, but this tends to be reactive, grudging IT governance spending.

How, then, can CIOs proactively take advantage of the benefits of IT governance, given their operational constraints? Enter variable cost IT governance.

Outsourcing IT Governance

As with the outsourcing of any other function, the reasons for outsourcing IT governance must be clearly understood and the benefits and risks weighed before any decisions are made. ITGI’s definition of IT governance can be used to develop a simple framework for assessing the suitability of outsourcing key IT governance components.

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.⁴

Figure 1 shows the main components of this definition mapped to key benefits and risks associated with the outsourcing of these activities. For completeness, the aspects of ‘enterprise governance’ and ‘sustaining and extending the organisation’, defined previously, can be mapped to the leadership component.

It is clear, from the benefits and risks listed in figure 1, that various types of sourcing relationships will be required for the different IT governance activities that are outsourced. For instance, a strategic partner relationship will be required for the outsourcing of IT governance leadership activities, whilst the more operational activities present lower levels of risk and will tend to follow project- or commodity-based engagements.

Conclusion

In this article, the benefits of IT governance supply flexibility were shown to be particularly attractive for CIOs who operate in cost-driven businesses.

The value proposition, however, extends to a wider group of enterprise stakeholders. Thought leadership, organisational independence and rapid results are important value levers for business executives and board members who may be tasked with implementing IT governance in their organisations.

Naturally, these benefits need to be assessed in the context of the risks that any outsourcing engagement may present.

Endnotes

¹ Weill, P.; J. Ross; How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, USA, 2004

² IT Governance Institute, IT Governance Global Status Report 2006, USA, 2006

³ IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, USA, 2003

⁴ Ibid.

Max Blecher
is the managing director of Virtual Alliance, an IT governance solutions provider based in Johannesburg, South Africa. He has 20 years of consulting and operational experience in information systems and has worked in a number of industries. He is the president of the ISACA South Africa Chapter and a member of ITGI’s IT Governance Committee. He may be contacted at maxb@virtualalliance.co.za.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.


What is CISA	What is CISM	What is CGEIT	What is CRISC
Benefits of CISA	Benefits of CISM	Benefits of CGEIT	Benefits of CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC


COBIT 5 Home
Product Family
Education and Training
News
Recognition
Join the Conversation
Looking for COBIT 4.1?