Spotlight on Governance

By Stacey Hamaker, CISA
Volume 1, 2003


The recent spate of high-profile corporate bankruptcies has intensified the call for improved corporate governance. This article provides an overview of the following forms of governance, then discusses how they relate to one another:

  • Corporate governance
  • Enterprise governance
  • Information technology (IT) governance

First, this article will define the three forms of governance. Table 1 provides a comparative chart that outlines some of their differentiating characteristics. Second, it will look at the emerging concept of enterprise governance illustrated in figure 1. Next, the value of good governance practices will be examined. And finally, there are questions provided to help an organization assess its own governance practices.

As boards of directors resolve to strengthen their corporate governance practices, they will inevitably need to strengthen their capabilities in the areas of accountability, transparency and disclosure. Enterprise governance provides the comprehensive accountability framework that coordinates all management activity including corporate governance and information technology governance. Most of these management activities are dependent upon effective and reliable information.

Corporate Governance

Corporate governance is a concept that evolved during the 1990s and has been endorsed by most global stock exchanges. One of the most widely recognized international proponents of corporate governance is the Organisation for Economic Co-operation and Development (OECD). This is a multilateral organization composed of 30 of the world's leading economies.1

In 1999, the OECD developed a set of recommendations called the Principles of Corporate Governance. These principles were later endorsed by the G7 Finance Ministers and became incorporated into the OECD Guidelines for Multinational Enterprises (MNE) in a chapter on disclosure and transparency. Since then, many other international organizations and governments have adopted similar principles and guidelines. The corporate governance structure of an organization is defined by its corporate charter, bylaws and formal policy. The importance of good corporate governance increasingly is recognized worldwide as a best practice.2 "Corporate governance initiatives aim to create boards that are more responsive to shareholders by attempting to balance the CEO's power with the board's ability to act as genuine custodians of the organization."3

Enterprise Governance

Enterprise governance is a relatively new informal term that refers comprehensively to the way an organization is managed. One description from the Information Systems Audit and Control Foundation (ISACF) describes enterprise governance as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."4

Information Technology (IT) Governance

IT governance is a formally recognized discipline that is considered an integral part of enterprise governance. Although information technology is managed by the head of the information services department, the responsibility for IT direction lies with the board of directors and the executive team. A primary proponent of IT governance is ISACA®, which, in 1998, created the IT Governance Institute. This group is dedicated to defining and promoting the concept of IT governance.

"IT governance consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives."5

Enterprise Governance Is the Accountability Framework

Like the term "freedom," enterprise governance is a concept that generally is understood, yet there is no formal body charged with its definition and promotion. Therefore, this discussion of enterprise governance is based solely on the interpretation of the author.

Enterprise governance is illustrated in figure 1 using an umbrella analogy. Enterprise governance is the accountability framework for all management processes. This framework is designed (explicitly or implicitly) by the executive team under the auspices of the board of directors. Together, they strive to optimize use of resources by aligning all the activities of the organization in order to clarify and execute strategic and operational direction as well as attitude toward risk. Below the graphic is a recap of the key enterprise governance processes.

Benefits Of Good Governance Practices

Good Governance Adds Monetary Value
Evidence of the increasing value placed on corporate governance is found in two studies conducted by McKinsey & Company in conjunction with Institutional Investors, Inc. and published in the McKinsey Quarterly.6 Both studies concluded that major international investors were willing to pay a premium ranging from 11-16 percent in the 1996 study to 18-28 percent in 2000 for shares in a company that is known to be well governed. Poor governance can cost millions, as illustrated in the following examples taken from recent news articles. These stories particularly illustrate the complex and costly interplay between enterprise governance and IT governance.

Lack of executive info- "That was no manufacturing problem putting Bridgestone/Firestone and its defective tires in the glare of an angry public. That was an information problem.... I bet we'll learn that with the right kind of integrated information system, managers...would have discovered the flaw before it became a problem. We're still in the dark about why executives at the two companies were in the dark."7

Rolling up too fast- In 2000, Dallas, Texas, USA-based Dynamex, Inc. was formally investigated by the Securities and Exchange Commission, had its US $115 million credit facility frozen, was nearly de-listed from the American Stock Exchange and faced a shareholder lawsuit accusing company officials of mismanagement and fraud. Problems at the US $240 million provider of same-day delivery and logistics services were due to an abyss of accounting problems that resulted from too many mergers and acquisitions completed too fast for the company to manage the resulting financial transactions. Deloitte & Touche LLP was hired to sort out the mess but had to ask for more time, citing the difficulty of gathering information from so many sources.8

Lack of strategic alignment- Gartner, Inc., the consulting powerhouse, had to deal with its own alignment issues as described in the 15 November 2001, issue of CIO Magazine. In 1999, Gartner had no system to determine which IT projects would support the company's strategy. There were multiple projects for the same function and projects at cross-purposes. The company found it was working on too many of the wrong things. It was spending US $1 million per month on IT projects and wasting about US $8 million per year on the lack of centralized purchasing and missed opportunities to cut costs. These issues caused further problems with poor morale among staff and executives at all levels. It is believed that miscommunication also impaired Gartner's ability to make sound, strategic acquisition decisions when the acquisition of TechRepublic lost about US $107 million. This is thought to have contributed to the dramatic drop in share price from US $18 per share in March 2000 to about US $6 a year later.9

Inadequate technology risk management- "In a rare case of public finger-pointing, i2 Technologies Inc. and...Nike Inc. traded accusations over the cause of a software problem...that resulted in product shortages and excesses as well as late deliveries. Nike said it (the problem) cost it (the company) $100 million in revenue.... The news caused the shares of both companies to skid about 20 percent. And when you get right down to it, it's a people problem. Someone did not manage the risk."10

Failure of line management- Oxford Health Plans "failed to catch millions of dollars in medical care costs, resulting in a US $200 million charge and a write-off of more than US $100 million in premiums it failed to collect from customers." Author Jim Champ writes, "I'm betting...(the) debacle at Oxford Health Plans will turn out to be more about failure of line management than the collapse of the HMO's elaborate IS function."11

Poor quality control- Tens of thousands of local telephone books were recalled by SBC Southwestern Bell and Gordon Publications in a suburb of Dallas after it was discovered that they contained 4,000 numbers that customers did not want published, including women fleeing abusive men and police officers who were concerned for their families.12

The overall benefits of good governance are summarized as follows:

  • Maximizes revenues by deploying resources to the highest value initiatives
  • Minimizes business risk and adverse publicity through better planning of major enterprise initiatives (frequently overlooked by traditional risk assessments or audit plans)
  • Saves hard dollars (in areas that often do not show up on the P & L statements) by:
    - Reducing duplication, waste and cancellations
    - Reducing loss, penalties and damages
    - Rationalizing governance methodologies
    - Obtaining favorable directors and officers (D & O) insurance rates
  • Increases confidence in the organization for all stakeholders (employees, customers, suppliers, lenders, shareowners)
  • Streamlines operations and information for improved responsiveness to market conditions

Improving Corporate Governance Requires Smarter Enterprise Governance

Considerable international media attention recently has been focused on the need for improved corporate governance. There is not sufficient space in this article to recap all of the related issues. However, most sources agree that strengthening corporate governance dictates improved accountability and transparency. Board independence means directors will need better information and methods to adequately assess and oversee the activities of their firms. A coordinated framework of enterprise governance can help boards and executive management teams streamline and focus their organization's strategy as well as its internal system of controls.

The expanding role of technology has caused IT governance to become a critical component of enterprise governance. Information technology and IT departments today provide the tools to:

  • Enable many strategic initiatives that generate competitive edge
  • Provide analytical and executive decision support information (including governance measures)
  • Track the organization's performance in nonfinancial as well as financial systems
  • Monitor internal control systems
  • Capture and store the organization's intellectual capital
  • Oversee corporate information policies such as security, privacy, continuity and disaster recovery

Questions to help organizations begin to assess their levels of enterprise governance follow. They are broken down by area: strategic planning, financial management, operations and control framework.

Strategic Planning

  1. Does the organization have an integrated process for strategic planning supported by various steering committees that will help to review and prioritize proposals from a practical viewpoint? If so, does this include IT initiatives?
  2. Can the organization steadily track its progress towards long-term goals, or does the yardstick continue to change?
  3. Is the organization moving toward a more proactive stance or does it seem to exist in a constant state of chaos?
  4. Is there a defined project prioritization methodology in use? Does it take into account factors besides return on investment?
  5. Are goals and objectives reasonable and attainable? Do they make sense at the operational level and get buy-in from the folks on the front lines?
  6. Are organizational priorities clearly delineated or is staff constantly scrambling to address multiple top priorities?
  7. Are large initiatives communicated across the organization? What steps are taken to ensure that similar projects are not in progress in different areas?
  8. Are enterprise-wide projects well planned and executed? Are remote groups included?
  9. Do executives take the time to understand the operational details and the impact of strategic decisions?

Financial Management

  10. Are standard accounting principles utilized? Are they standardized across the organization? Do they allow for regional variations?
  11. Are there any questionable accounting practices in use?
  12. Is financial information available as needed in a timely fashion?
  13. Are internal and external auditors independent? Do they have access to the board of directors?
  14. Are fixed assets well tracked and managed?
  15. Does the company maintain the financial reserves to survive tough economic cycles?

Operations

  16. Does the organizational structure of the organization reflect and facilitate the nature of the business?
  17. Are roles and responsibilities clearly documented throughout the organization so that few issues fall between the cracks?
  18. Are the business processes reasonably effective and do they have proper internal controls? Are there many exceptional transactions?
  19. Do the technology systems provide adequate processing and analytical capability?
  20. Are policies and standards adequately documented and communicated throughout the organization?
  21. Have the issues of security, privacy and disaster recovery been addressed in business unit operations as well as in the information infrastructure?
  22. Is information synchronized across the organization (price lists, parts descriptions, terminology, promotion dates and terms)?
  23. Does key information reside only within certain individuals? Would the loss of these individuals pose a business risk?

Control Framework

  24. Has the board of directors adopted industry best practices in corporate governance?
  25. Has the organization adopted industry standards to help manage risks? If so, which are used?
  26. Is risk assessed at the enterprise level (strategic/business risk, reputation, technology) as well as at the operational level?
  27. Are efforts in the areas of risk management, internal audit, security and quality control coordinated together?
  28. Is management certain that the organization's most vital data and business records are catalogued, stored and disposed of in a responsible manner?
  29. Are processes, systems and business rules adequately documented and standardized throughout the organization?

Conclusion

A good governance framework pays big dividends. Beyond corporate governance, organizations also need to take a look at their enterprise governance and IT governance activities. Firms need to make sure they have a comprehensive and coordinated accountability framework that streamlines and focuses the tremendous resources of their firms to provide maximum and sustainable value.

Endnotes

1. www.amb-usa.fr/usoecd/intro.htm
2. The Organisation for Economic Co-operation and Development (OECD), US Mission to the OECD newsletter, Volume 2, Issue 1, July 2000, www.amb-usa.fr/usoecd/newslett/newsletter3.htm
3. Conger, Jay A., Edward E. Lawler III, and David L. Finegold, Corporate Boards: New Strategies for Adding Value at the Top, Jossey-Bass Inc., A Wiley Company, San Francisco, 2001
4. Board Briefing on IT Governance, Information Systems Audit and Control Foundation, Rolling Meadows, IL, 2001
5. Ibid.
6. Felton, R., A. Hudnut, and J.V. Heeckeren, "Putting a Value on Board Governance," The McKinsey Quarterly, 1996, no. 4, p. 170-175, www.mckinseyquarterly.com; Coombes, Paul, and Mark Watson, "Three Surveys on Corporate Governance," The McKinsey Quarterly, 2000, no. 4, p. 74-77
7. Hall, Mark, "Information Gap," Computerworld, 18 September 2000, www.computerworld.com/cwi
8. Allen, Margaret, and Rusty Cawley, "Woes at Dynamex illustrate problems facing roll-up firms," Dallas Business Journal, 14-20 January 2000, p. 1
9. Ferranti, Marc, "Gartner Align Thyself," CIO, 15 November 2001, www.cio.com/archive/111501/align_content.html
10. Ward, Leah Beth, "I2 blames customized software," Dallas Morning News, 28 February 2001
11. Champ, Jim, "What Went Wrong at Oxford Health?," Computerworld, 26 January 1998, www.computerworld.com/cwi
12. Terry, Stephen, "Phone books recalled," Dallas Morning News, 22 August 2002

Stacey Hamaker, CISA
is the managing principal of Shamrock Technologies. Hamaker founded this strategic information consulting practice in 1990. Located in Dallas-Fort Worth, Texas, USA, Shamrock Technologies specializes in strategic, enterprise-wide analyses, requirements definition, project management and internal control reviews for large, interdepartmental special projects. Recently, the firm has been pioneering governance issues. Clients include both public and private sector organizations typically larger than US $1 billion. For more information, access www.shamrock-technologies.com.


© 2010 ISACA All rights reserved.