JOnline: Soft IT Governance 


Challenges to Global IT Governance

Many global companies, especially their corporate headquarters, find it difficult to manage their global IT operations. The barriers include language, distance, local customs and regulations, and these remain difficult obstacles.

In China, the daily conversation may or may not be in Standard Mandarin (Putonghua/Guoyu/Huayu), and average employees may still need security awareness training to prevent them from disclosing confidential data. In Europe, one’s Greek colleague might not understand English, and in south Asia, workers may rely on the slower dial-up phone line as a main access route to the Internet. Time differences prevent the corporate headquarters from setting up a video conference that would be better than not communicating at all, but still less effective than a face-to-face meeting.

In addition to these types of common obstacles, global businesses face new challenges, such as global mergers and acquisitions, internal controls over financial reporting for regulatory compliance, and International Financial Reporting Standards (IFRS) in accounting for business combinations and consolidated financial statements.

So far, to be effective in IT management, “payment and sanction” has been a traditional governance style to manage IT staff/users and control their activities. It is a lot easier to manage IT when the business group consists mainly of domestic companies and it only needs to send IT resources to the neighborhood.

However, “in the midst of a once-in-a-century credit tsunami,”1 many global businesses cannot afford to allocate sufficient resources, whether internal or external (outsourcing), to IT management to spread into their worldwide business units.

In this global IT governance era with the worldwide economic downturn, hard IT governance, as typified by payment and sanction, is inadequate to manage a business’s IT effectively and efficiently.

To complement and enhance global IT governance, the new concept of soft IT governance, derived from Soft Power theory, can be applied.

Soft Power Theory

Joseph Nye, the author of Soft Power: The Means to Success in World Politics,2 and the advocate of the Soft Power theory, defines the basic concept of power as:

The ability to influence others to get them to do what you want. There are three major ways to do that: one is to threaten them with sticks; the second is to pay them with carrots; the third is to attract them or co-opt them, so that they want what you want. If you can get others to be attracted, to want what you want, it costs you much less in carrots and sticks.

Thus, he coined the term soft power to:

Describe a nation’s ability to attract and persuade. Whereas hard power—the ability to coerce—grows out of a country’s military or economic might, soft power arises from the attractiveness of its culture, political ideals, and policies.

Figure 1 describes the behaviors and resources for hard and soft power.

If the soft power theory is useful to international politics, why not apply it to IT governance? Soft IT governance should become a useful IT management tool to support business. In reference to COBIT’s 34 processes, the following will show some hard/soft IT governance examples effective for business/IT management.

Hard/Soft IT Governance in COBIT Processes

COBIT 4.1 defines IT governance as the “responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.”3 This basically means that IT governance is not the governance “by” IT but the governance “of” IT that supports business strategies and objectives. So, when evaluating IT management, it should always be linked to the effects on business management (e.g., reliance chain).

Definitions of the two styles of IT governance are as follows:

  • Hard IT governance—Using hard-power resources (e.g., force, sanctions, payments), management commands or induces the IT staff/users to directly improve and enhance the leadership, organizational structures and processes.
  • Soft IT governance—Using soft-power resources (e.g., institutions, values, culture, policies), management sets the agenda for, attracts and co-opts its IT staff/users to indirectly create a preferable environment of the leadership, organizational structures and processes.

Figure 2 extracts hard/soft IT governance examples in reference to COBIT processes.

Smart IT Governance

As seen in old sayings, such as “to a hard anvil, a feather is a hammer,” “a mud-wall stops a cannon-ball” and “flexibility is stronger than rigidity,” or in the martial arts, people have long recognized the concepts and values of soft power.

Furthermore, “the ability to combine hard and soft powers into a winning strategy” is significant; that ability is called “smart power.”4, 5

In IT governance, it is also helpful to use this smart power theory for scoping and choosing the right tools from the hard and soft IT governance examples (see figure 2) based on an IT strategy.

Figure 2

Smart IT governance, the decision scheme to choose the right tools, should be influenced by business types/categories and centralized/decentralized power balance (e.g., centralized governance for financial service and decentralized/autonomous governance for the manufacturing business). In the decision-making process, the Governance Arrangements Matrix6 can be used as a reference. The hard/soft IT governance can be fine-tuned for the governance archetypes (e.g., business/IT monarchy, federal, duopoly) in each decision process (e.g., IT principles, IT architecture, business application needs, IT investment).

COBIT’s Responsible, Accountable, Consulted and Informed (RACI) charts provide the same type of decision scheme as the Governance Arrangements Matrix. The RACI chart that indicates the functions (persons) responsible, accountable, consulted or informed by each IT control activity could also be used to create an ideal IT management organization (function model) as well as the decision scheme.

As in the Governance Arrangements Matrix (figure 3) and the COBIT RACI chart (figure 4), each archetype/function has strong (A/R) power on each decision/activity. So, when one has strong power and makes decisions, due consideration should be given to soft IT governance as well as hard.

Figure 3

Figure 4

Likewise, the IT management maturity levels should also be considered. If the levels are low, both hard and soft powers may need to be used to manage IT, while only soft power could be used for the higher maturity levels, trusting in their self-management. In this regard, COBIT’s maturity model, rated from a maturity level of nonexistent (0) to optimized (5), provides a useful guideline to discern the right power tools for differing IT management levels.


The etymology of “governance” is “to steer” (from Latin gubernare, Greek kybernan). It does not imply governing a corporate group only by hard powers over finance and personnel.

In addition to hard power, the corporate headquarters must have soft power that can attract and co-opt all group companies worldwide. The combined powers provide true governance and can also be applied to IT management.

Based on IT strategy, governance archetypes and maturity levels, the hard and soft IT governance examples extracted from COBIT’s 34 processes can be combined to realize more effective and efficient global IT governance.




1 Committee of Government Oversight and Reform, “Testimony of Dr. Alan Greenspan,” 23 October 2008
2 Nye, Joseph S. Jr.; Soft Power: The Means to Success in World Politics, 2004
3 IT Governance Institute, COBIT 4.1, USA, 2007
4 Ibid., Nye 2004
5 Nye, Joseph S. Jr.; The Powers to Lead, 2008
6 Weill, Peter; Jeanne W. Ross; IT Governance, 2004

Kazuhiro Uehara, CGEIT, CISA, CIA, PMP
is a consulting manager specializing in IT management and IT governance at Hitachi Consulting Co. Ltd. Uehara is vice chairman of the ISACA Tokyo Chapter’s Research Board, a coleader of the chapter’s ISACA Journal reading session, and contributes to translation reviews for the ISACA Tokyo Chapter and ITGI Japan. He can be reached at

Sayaka Akino, CISA
is a member of the Tokyo Chapter’s ISACA Journal reading session and contributes to translation reviews for the ISACA Tokyo Chapter. At Hitachi Ltd., she has been working for Hitachi’s global IT management group. She can be reached at


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.