JOnline: Small Business IT Governance Implementation 

The largest risks to businesses today are failure to align information technology to real business needs and failure to use information technology to create value for the business. Effectively managed IT can provide small businesses with a competitive advantage, whereas ineffective management can impair the business as a whole. With recent increases in demand for cost reduction, the need for small businesses to actively manage their IT resources has never been greater.

This article will provide an overview of IT governance, discuss the benefits to small businesses, suggest a framework for implementation in small businesses and discuss critical success factors.

Definition of IT Governance

For the purpose of this article, the following definition of IT governance will be used:

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.1

IT governance is no longer about making specific IT decisions. Businesses that recognize and manage the connection between information technology and economic success are able to realize significant value from their IT investments and enhance their operations. IT governance allows businesses to maximize revenue by utilizing resources only for projects with the highest value. Over a period of time, businesses that successfully govern IT are able to recognize 30 percent higher profits than firms without successful IT governance.2 IT governance can also lead to improved customer satisfaction, as it allows management to fully understand customers’ needs and results in more effective and efficient service. By integrating IT governance with corporate governance, businesses are able to improve processes and align resources with business strategy.

Between Corporate Governance and IT Governance

As the emergence of technology throughout business continues, large corporations and small businesses alike are realizing the necessity for IT integration at every step of the business process. As IT nestles its way into every aspect of business, the overall organizational governance must in turn support the IT function. For a company to achieve the proper balance, information systems’ direction must be aligned with the basic business drivers.3 IT’s role has transformed from a helpful tool in business to the sole support for the primary processes. The scope of the impact of IT has widened to encompass every key strategic decision. Small businesses must be prepared to have not only a strategic plan for the primary business activity, but also a strategic plan for IT that is aligned with the overall guiding objectives of the organization.

IT governance fails to serve its purpose within business when its objectives and goals are incongruent with the overall strategic plan. In many cases, the failure of IT governance, coupled with the lack of participation by business leadership in key IT decision making, has contributed to the lack of IT governance within business and, in some extreme cases, has led to outsourcing.4 It is imperative that the governance framework be established based on clear performance objectives for the governing bodies to achieve. The objectives, in turn, serve as a tool to benchmark and assess the success of the governance efforts. In this model, the efficiency of the management of IT can be evaluated based on similar criteria as used to evaluate the management of the entire organization.

As technology continues to evolve, bringing innovation to business daily, the governance of an organization must be agile and reactionary to changes within the industry and competitive business environment. Business processes are increasingly growing toward complete automation, and, as this shift occurs, directors grow more reliant on the information provided by the IT systems. The connection between IT governance and corporate governance is two-pronged. The information that management relies on to make strategic decisions is often a product of the IT systems. In addition, the vision of the company gaining a competitive advantage is achieved by bridging business and technology.5 In an effort to harmonize the structure of an organization to achieve both IT-related goals in line with the strategic goals of the business, IT corporate governance must have an integral place within the organizational structure and fit within the bounds of the company’s overall mission.


Several frameworks exist for implementing IT governance. Small businesses should evaluate the frameworks and use a combination that best fits their business model. Small businesses frequently have informal IT arrangements, but the best approach is to use existing frameworks and apply them in a flexible manner.6 The framework provided in IT Governance: How Top Performers Manage IT Decision Rights for Superior Results can be easily implemented by small businesses and acts as a guide for designing an effective IT governance program.

This framework, illustrated in figure 1, is broken down by three questions that businesses must answer in order to design their methodology:
  1. What decisions need to be made?
  2. Who will have input?
  3. How are the decisions formed and enacted?

Figure 1

The first component of the framework asks what decisions need to be made. By identifying the decisions that must be made, businesses are able to align their IT strategy with their overall business strategy. The Weill and Ross framework advises businesses to make five key governance decisions about the principles that will be used, infrastructure strategies, the technical guidelines and standards that will be followed, necessary applications, the amount that should be invested, and where it should be invested.

Next, businesses must identify who will be involved in the decision making and whether or not they have input into the five key governance decisions. Decision rights also determine who will be held accountable. The IT governance framework proposed by Weill and Ross offers six political archetypes to describe who will be involved and their input rights. In a small business, a business monarchy or a duopoly should be used. A business monarchy is comprised of groups of business executives, such as the chief executive officer (CEO), chief financial officer (CFO) and chief information officer (CIO). A duopoly would split the power between the CIO and the CEO (or one other group).7

Last, businesses must determine how they will form decisions and enact them. The Weill and Ross framework divides this into three mechanisms that specify how the decisions will be enacted: decision-making structures, alignment processes and communication approaches.

Decision-making structures are the organizational units responsible for making IT decisions, typically in the form of committees or executive teams. It is essential that small businesses ensure commitment from the committee. Executives are on numerous committees and have been known to avoid their responsibilities due to time constraints, causing a bottleneck. The frequency of meetings will be determined by the requirements of the business. It is important that businesses do not overstaff their committees. This often leads to the inability to make decisions. However, as the business becomes more knowledgeable in using IT strategically, the level of senior executive involvement can be reduced to free up resources.8

Alignment processes are the formal processes that ensure that policies are followed and also provide input to decision makers. These include IT investment proposal and evaluation processes, as well as project tracking. Because IT investments can generate significant returns if well managed, an IT investment approval process is necessary. To allow for project comparison, businesses should use a standardized approval application that estimates return on investment (ROI), net present value (NPV) and the risk associated with each project.9 For most small companies, spreadsheets and a portal are sufficient for evaluating and tracking IT projects. It is important that businesses realize the combined impact of a full set of projects, rather than one project by itself. Without the approval process, IT projects become localized, and do not satisfy the goals of the business.10

Businesses must also track ongoing IT projects. Project tracking allows businesses to measure implementation milestones and to quickly identify and address problems. A project tracking portal may also be a method for user feedback.11 Small businesses can use a variety of tools, including purchased software or an internally developed management methodology.

Similarly, the value realized by the overall business should be calculated. This entails determining whether the business was able to recognize cost savings or an increase in revenue. A formal calculation of value from IT helps businesses to understand the sources of value and the impact that complications have on value. This also leads to more realistic estimates of future projects.12 Some small businesses put less emphasis on this until they become more familiar with IT governance.

The third mechanism is the communication approach. Businesses must utilize announcements, designate IT advocates, and educate employees to circulate IT governance policies and the outcomes of the IT decision-making process. As management communicates more formally about IT mechanisms, how they work and expected outcomes, the effectiveness of governance increases. Informal meetings and methods tend to be ineffective, while announcements to senior management, formal committees and web-based portals all aid in the dissemination of information. Furthermore, without educating employees regarding the importance of IT governance, businesses will not be able to recognize the full value of IT.13

Critical Success Factors for IT Governance Implementation

Figure 2

There are specific best practices present across businesses that have experienced continued success incorporating IT governance within their top management. These critical success factors enable the organizations to achieve strategic goals while maintaining IT as a priority among directors and management. Governance performance varies significantly across differing industries, but, regardless, identifiable characteristics are apparent throughout IT governance leaders. Broadbent and Kitzis’ “six markers of effective IT governance” and Weill and Ross’ “seven characteristics of top governance performers” present similar indicators and best practices for firms to follow to achieve effective IT governance. As depicted in figure 2, key success factors tailored to a particular organization’s strategic position can enable a small business to attain solid governance structures. The key success factors to attaining a solid governance structure are:

  1. Clearly communicated and differentiated business strategy—A focused and well-defined business strategy should be established by top management and communicated to all levels of management. Companies that exhibit a better understanding of the overall mission statement of the business are better able to understand the importance of the IT management function.14 Governance performance tends to be lower within enterprises pursuing operational excellence. This operational strategy, described as the default strategy of enterprises without a clear strategy, tends to place too high an emphasis on cost. Thus, the focus shifts away from the business mission and governance.15
  2. Clear business objectives for IT investments—Businesses that focus on a smaller subset of goals and objectives for investment in IT are better able to achieve effective IT governance.16 It is important to distinguish specific objectives and focus energies on fewer, more important goals. In a small business setting especially, the fewer primary goals established, the easier it becomes to achieve an IT governance structure based on solid results. Communication is key, as is disseminating the IT investment goals throughout the business. The cycle is completed as the IT goals are achieved, governance is established, and, in turn, the IT organization supports and encourages behaviors that embody the IT goals.
  3. High-level executive participation in IT governance— CEO involvement in laying the foundations for IT governance has the greatest positive correlation of all the best practices discussed. If the “tone at the top” fails to resonate the importance of aligning IT objectives with business goals, then the possibility of a sound IT governance structure is doomed. In an effort to instill the importance of IT governance among executives of a small business, it is important to educate all directors on the fundamentals of IT governance and to involve them in the process of establishing the governance arrangement within their small business. Top management needs to be able to accurately describe the IT governance arrangement within their small business to communicate the structure down throughout all tiers of management. Overall, the more directly involved executives are in IT governance, the better the governance performance. The CIO should, of course, be actively involved in the IT governance of the business; however, other senior managers need to play an active role in development as well, in an effort to leverage their business objectives within the IT objectives. The dual relationships of the business unit managers delving into the IT function of the business play an integral role in balancing the overall strategic objectives of the company with the IT objectives. An accurate test of whether or not a business is achieving this success factor is to survey top managers in leadership positions and question their knowledge of IT governance. If most management can accurately describe the role of IT governance within the business, this objective has been achieved.17 The percentage of managers who can accurately describe IT governance is an accurate indicator of future governance performance.
  4. Stable IT governance with few changes from year to year—Because technology impacts business with a number of changes every year, stability within the governance structure of IT has proven to be an important factor in the success of governance. Stability from year to year enables people throughout the organization to maintain an understanding of the workings of IT governance and its function. More changes from year to year lead to lower governance performance and increased confusion related to the role of IT.18 Changes within IT governance take a minimum of six months to implement and increased changes often lead to management frustration and, in some extreme cases, complete disregard for the IT governance structure by top management and business unit managers. Of course, the need for changes will occur, but it is advised to make small changes, rather than large-scale changes, and to communicate the changes clearly with all levels of management. In a smaller business setting, the necessity will exist for tweaking the responsibilities of the IT governance structure, but keeping such changes to a minimum will accelerate the success of IT corporate governance within the organization.
  5. Well-functioning, formal acceptance process—Businesses with effective IT governance in place also have well-established exception processes in place for dealing with acceptance of new IT investment ventures. If exception processes are nonexistent, small businesses may miss opportunities for IT to improve the individual business unit’s performance. Establishment of a tone that permits deviations from the agreed-upon IT standards and promotes IT development is paramount within a small business setting. The nature of technology is fast-paced and innovative; however, it is important to have in place, even in smaller organizations, a formal process of acceptance for any changes. Without a formal process, “renegade” changes can occur, which, in some cases, can be extremely detrimental to an organization’s performance.19 Enterprises must manage such changes closely and ensure that change management becomes an integral part of the IT governance process put in place.
  6. Formal methods of communication—Establishing guidelines and standard procedures for communication further strengthens the IT governance structure. The CIO engaging more often with other management throughout the organization reinforces the presence of IT management and further highlights IT’s place—aligned with the overall encompassing goals of management. There are many specific communication tools that should be implemented in an effort to strengthen the communication of IT governance. Senior management announcements are useful aids written and distributed to management to reinforce and alert readers to any governance changes. Although changes should be kept to a minimum, those that are deemed necessary should be communicated clearly through these announcements.20 Intranets are also useful tools within a small business to serve as a single place for governance information. Intranets are accessible to all employees of a business and initiate executive participation and business unit participation within the IT governance of the business.


As daily operational business processes become increasingly more reliant on IT, it is imperative for an infrastructure to be in place to serve the IT function in an organization. As small businesses are forced to carry on the pace of innovations within technology to remain competitive, it is essential that they have in place sound IT governance structures within their management organization. Business leaders must integrate business goals with IT, proposing IT as a strategic element of business and communicating their governance proposals throughout their organizations. The need for effective IT management is more critical than ever. By business leaders working hand in hand with CIOs, following basic IT governance implementation models and tailoring them to their individual businesses’ missions, strong IT corporate governance can be achieved within any business regardless of size.


1 IT Governance Institute, Unlocking Value: An Executive Primer on the Critical Role of IT Governance, 2008
2 Ibid.
3 Cassidy, Anita; A Practical Guide to Information Systems Strategic Planning, St. Lucie Press, USA, 1998
4 Weill, P.; J. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, USA, 2004
5 Broadbent, M.; E. Kitzis; The New CIO Leader: Setting the Agenda and Delivering the Results, Harvard Business School Press, USA, 2005
6 PricewaterhouseCoopers, IT Governance in Practice—Insights From Leading CIOs, 2007
7 Op cit, Weill and Ross
8 Ibid.
9 Ibid.
10 Ibid.
11 Ibid.
12 Ibid.
13 Ibid.
14 Op cit, Broadbent and Kitzis
15 Op cit, Weill and Ross
16 Ibid.
17 Ibid.
18 Op cit, Broadbent and Kitzis
19 Op cit, Weill and Ross
20 Ibid.

Janeane Leyer is the senior auditor for Wildes, Stevens, Brackens & Co. in Richmond, Virginia, USA. She is currently working on her master’s degree in accounting from the University of Richmond (Virginia, USA).

Katelyn Quigley is a staff accountant for Cherry, Bekaert and Holland LLP in Virginia, USA, and is completing her master’s degree in accounting from the University of Richmond.

ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
