Board-Level IT Governance

What your company should know and how it should act
Ofir Turel
California State University, Fullerton
Peng Liu
California State University, Fullerton
Chris Bart
The Directors College
Abstract:
This paper suggests that boards’ involvement with information technology (IT)
governance is often not at the needed level. It illuminates the differences between
board-level and executive-level IT governance, explains why both the board and
executives should be motivated to engage in IT governance, and provides board-level
IT governance structure, action and style suggestions. Building on a categorization of
different board governance styles, this paper also offers practical recommendations
including IT related areas and questions the board should focus on, as well as a set of
tools to choose and switch between governance styles.
STATUS QUO: BOARDS OF DIRECTORS STILL DO NOT GOVERN IT TO THE NEEDED EXTENT
Information technology (IT) can create business value. However, successful outcomes of using
IT are not guaranteed, especially when IT is not governed properly. Poor IT governance can lead
to value destruction through lost opportunities or innovation lag, and increased exposure to IT
risks. The good news is that many companies have started discussing IT issues in the boardroom.[1]
In fact, the board of directors has a fiduciary duty to govern IT in order to create business value
and mitigate IT-related risks. The board of directors represents the shareholders and other key
stakeholders of a company. It is generally considered to be responsible for all corporate
governance matters, which include IT governance.[2]
Legislation such as the Sarbanes-Oxley and the Dodd-Frank Acts has shaped the structure and
actions of board corporate governance. These acts also mandated at least some IT governance as a
means to ensure the accuracy of financial reporting. Nonetheless, many IT governance domains,
such as value creation and performance measurement, have been left out of this reform, despite
their importance. Indeed, several of our studies revealed that many board members still see IT as
an operational issue they should avoid. For example, one board member stated:
"IT is an operational matter and we leave it to management to make it work. If it fails we
hold management accountable. As long as it doesn’t bring the company down, why should
we get involved?"
This avoidance by the board stems partly from embarrassment and from different priorities and
preferences, but also partly from the fact that board members often lack the awareness, knowledge,
skills, or a combination of these factors to govern IT.[3,4] Many are trained in accounting,
finance, law and strategic management and therefore tend to adopt a limited governance
perspective. Indeed, for this study we analyzed Standard & Poor's 500 companies; as of 2017,
twelve years after the seminal recommendations of Nolan and McFarlan[2] were published, only 4.4%
had a board-level IT committee. While this may not be indicative of the existence of IT
governance, it is indicative of the emphasis boards put on IT. Boards’ low involvement with IT
governance seems to be out of step with the increased strategic importance of, and risks
presented by, IT.
The objective of this paper is to examine the status quo in board IT governance research and
practice and to provide additional recommendations derived from our research. In the sections that
follow, we illuminate the differences between board-level and executive-level IT governance,
and provide board IT governance structure, action and style suggestions.
IT GOVERNANCE BY THE BOARD OF DIRECTORS
IT governance includes organizational authority, structure, actions, relations and leadership to
ensure that IT sustains and extends the strategies and objectives of an organization.[5,6] It is
worth noting that IT governance is different from IT management. While IT governance includes
making strategic IT decisions and providing guidelines for IT management, IT management involves
making specific IT decisions and supporting goals defined by governing bodies.[7]
IT governance is the responsibility of a company’s board of directors and top management
team.[8] While symbiotic, the IT governance responsibilities of the top management team and the
board are distinct. Top management’s responsibilities include strategizing, planning, budgeting,
executing, controlling, communicating and reporting on IT projects and operations. They can use
one or more IT governance frameworks (methods, standards or best practices), such as COBIT
(Control OBjectives for Information and Related Technology), ITIL (IT Infrastructure Library),
and ISO/IEC 38500 (Standard for Corporate Governance of IT).
The board, in contrast, is absent from the day-to-day implementation of IT strategies. It instead
assumes the responsibilities of initiating and steering the needed planning at the executive level,
assessing top management and its plans, setting compensation schemas for executives, and
measuring top management and organizational performance. The board is also involved in creating
the mechanisms needed for effective IT management and operations. For example, the board can
approve CIO roles, appoint CIOs, and create a CIO compensation schema that supports desired
objectives. Moreover, the board should respond to top management’s IT-related queries and needs.
For instance, the board may be approached to find ways to finance a large IT project.
Unfortunately, compared with executive-level IT governance frameworks, there are fewer
guidelines that clearly delineate what boards should consider doing regarding IT. Current
recommendations (like the ones provided by CICA[9], ITGI[8] and ISO/IEC 38500) focus on suggested
topics to discuss (IT committee, opportunities, and risks) and questions the board should address
in its meetings. Synthesizing extant suggestions and our own research-based insights, we use
Figure 1 to depict the board’s IT governance and its position in the big picture of responsibilities
related to IT governance and management.
Figure 1: Responsibilities related to IT governance and management
WHY BOARDS SHOULD CARE ABOUT IT GOVERNANCE
Studies on board IT governance unanimously suggest that this practice improves organizational
performance in various settings, regardless of the industry sector to which a firm belongs, its
profit orientation (for-profit or not-for-profit) and its size.[2,10,11] However, there is a gap
between what academics and consultants believe boards should do to govern IT and how they actually
do it. Most boards only pay attention to IT risks and ignore other topics, like IT vision, IT
strategic planning, and IT competitive advantage,[4] and only 19.6% of boards are routinely
informed about the state of IT at their companies.[5] This is also reflected by the low use of key
board IT governance questions in board meetings.[3,11]
Given the accumulating evidence that firm performance is associated with board IT
governance,[2,10,11] we contend that boards should consider improving their IT governance. While
this connection is not obvious to all, some board members we interviewed for our studies started
realizing that IT governance is an important practice that is part of their duties. For instance,
one stated:
“Having participated on several boards, I have witnessed the spectrum of IT governance
knowledge, mostly lack thereof. Many board members feel the IT should be handled by
staff, while others have come to realize the importance of IT governance.”
RECOMMENDATIONS TO COMPANIES
We synthesize extant recommendations on the structure and actions of board IT governance, and
extend them to style aspects of human interaction (see Sidebar). Specifically, we provide
additional suggestions based on our research on board governance style (i.e., how boards should
interact with top management to govern IT). The focus is in line with recent research stressing
the importance of relational capabilities in IT governance.[12]
As the Sidebar shows, the focus on governance style is worthwhile, because it is a modifiable
aspect of boards’ work that can help them achieve better results.[13] To do so, boards only need
to change interpersonal interactions with executives. However, since governance style is flexible,
its benefits to the company may be temporary. New board members may prefer different styles, and
boards may need to adjust styles to fit changes in the business environment. In contrast,
setting up committees and performing governance actions can generate long-term benefits. Note
that board governance style complements IT governance structures and actions. Effective styles
can amplify the power of IT governance, whereas ineffective styles can suppress these effects.[13]
Hence, companies should implement all structure, action and style aspects of IT governance.
Below we make recommendations on these three aspects.
Board IT governance structure: setting up a standalone IT committee
Since many boards lack IT knowledge, one possible solution is to add IT-savvy board members.
However, this solution is not always easy to implement. Many boards still do not want to give up
a seat to technologists who may have only IT knowledge. This argument is supported by the
fact that only 7.8% of companies prefer board members with IT experience.[5] In Standard &
Poor's 500 companies, 15% of new board seats were filled by IT-savvy directors,[14] which equals
1% of the total number of directors.
Alternatively, we recommend that boards establish a standalone IT committee.[2,8] This can reduce
the risk of IT security breaches.[15] We also recommend that the IT committee include independent
directors and be chaired by an independent director. All Standard & Poor's 500 companies
have independent directors on audit and compensation committees, the chairs of which are
independent directors as well. The IT committee should work closely with the audit committee on
risk mitigation tasks. While over 80% of Standard & Poor's 500 companies had managers in
executive IT positions, such as CIO and CTO,[16] only 4.4% had board structures (IT committees) to
deal with IT. Therefore, we call for closing this gap by establishing more board IT committees.
Clearly then, having an IT-savvy board or a board IT committee is a manifestation of the highest
level of commitment with regard to IT governance. A board committee signals that the company
considers IT to be a strategic tool that merits attention from the upper echelons. This emphasis
can trickle down to executives, managers, employees and investors. Another advantage of such a
committee is that it may require only a single person who is IT-savvy, and the rest may utilize
his or her skills and supplement them with their own (e.g., accounting, legal). This structure
therefore better utilizes the scarce resource of IT-savvy directors.
Board IT governance actions: what can boards do to govern IT
Based on interviews with and surveys of boards, and synthesizing recommendations regarding
board IT governance,[8,11] we provide a list of IT governance actions from which boards can
choose (see Table 1). These actions belong to the five domains of IT governance proposed by
ITGI: (1) IT resource management, (2) IT performance measurement, (3) IT strategic alignment,
(4) IT value delivery, and (5) IT risk management.[8] The first domain ensures that IT resources
are sourced responsibly. IT resources include equipment, hardware, software, cloud-based
storage, and IT staff and knowledge. The acquisition and sourcing of IT resources often involve
major decisions on IT investment that require board approval. The second domain focuses on
ensuring that IT activities, services, and processes are performed, measured and assessed
properly. The third domain focuses on ensuring that IT is well integrated with and supportive of
business objectives. The fourth domain focuses on one of the ultimate goals of IT governance,
which is that companies successfully derive value from IT. This value includes better financial
performance, customer satisfaction, compliance, and/or operational excellence. The fifth domain
focuses on ensuring that IT-related risks are managed and reasonably mitigated. IT risks include
service disruption, technical malfunctions, cybercrimes, cyberattacks, industrial espionage,
electronic fraud, faulty service, denial of service, incorrect data modification, and unauthorized
data disclosure.
Table 1. Board-level IT Governance knowledge domains and actions
| Skills | Board-level IT Governance Actions |
|---|---|
| IT Resource Management/oversight | Create and ensure financial viability of the IT function |
| | Approve/reject major (transformative or risk-related) IT decisions |
| | Approve/reject IT investment budgets |
| | Provide access to external IT resources and knowledge |
| IT Performance Measurement/oversight | Motivate top management and CIO (e.g., via compensation structure) |
| | Monitor IT deliverables against business objectives |
| | Ask for state-of-IT reports from top management |
| IT Strategic Alignment | Ensure reasonable IT goals and strategic plans |
| | Encourage the CIO to interact with top management |
| | Develop shared understanding and collaboration between the CIO and top management |
| | Create an atmosphere of joint accountability and support regarding IT |
| IT Value Delivery | Bring IT value creation insights from other organizations |
| | Advise top management and CIO on strategic IT matters |
| | Direct executives’ attention to IT innovation and trends |
| | Identify possible IT opportunities and ask the executives to explore them |
| | Respond to positive changes in the environment |
| IT Risk Management | Review IT risk management policies and plans |
| | Bring IT risk management insights from other organizations |
| | Direct executives’ attention to IT issues and risks |
| | Identify possible IT threats |
| | Respond to negative changes in the environment |
Board IT governance styles: how should boards interact with top management to govern IT
Effective interaction between the board and top management can help the board understand the
full IT landscape and better communicate its intentions and directives to executives. It also
helps management to be more receptive to, and to follow, the directives and spirit of the board.
However, current board IT governance research and practice largely ignore style aspects of IT
governance. In our interviews and empirical studies, we found that boards need to give serious
consideration to this aspect.[11,13]
Applying Baumrind’s typology of parental supervision styles to the board,[17] there are two
overarching dimensions of board governance style: monitoring and advising, both of which are prime
responsibilities of the board.[18,19] Being high or low in these two dimensions produces a 2x2
table with four prototypical board governance styles: authoritarian, authoritative, permissive and
neglectful. Authoritarian boards mainly perform a monitoring role; authoritative boards engage
highly in both monitoring and advising roles; permissive boards concentrate on an advising role;
and neglectful boards are low in both monitoring and advising roles. One use of this table is to
locate where a company's governance style falls. This can be accomplished by boards’
self-assessments and/or top management surveys. After estimating the extant governance style, it
is possible to switch to a style that better fits current needs and the business environment.
Another use of the table is to help boards decide what to do and what to avoid. It is
well accepted that both the monitoring and advising roles of the board are important,[18,19] and
therefore boards should avoid adopting a neglectful style. Nevertheless, some board members adopt
a neglectful style regarding IT (see the first board member quote above), and this can hurt the
organization.[2,10,11]
Moreover, findings suggest that an authoritarian style can be harmful to firm performance.[13] It
increases the over-reporting burden on executives. That is, too much monitoring can result in
excessive reporting and reduce management’s ability to deal with daily IT management and
operations.[20] Directors are therefore advised not to engage in an authoritarian style. If the
board governance of a company involves either of these two styles, it is time for the board to
make changes (e.g., to adopt an authoritative style). The changes can be initiated by either board
members or top management through an open discussion. In contrast to the two styles mentioned
above, an authoritative governance style can help a company achieve significant performance gains,
because when it is employed, the board plays a fairly balanced role in governance. We contend that
the dual emphasis on monitoring and advising can not only improve board oversight, but also lead
the board to provide appropriate strategic advice and support.
The effectiveness of the authoritative style seems to suffer only when the company experiences a
turbulent environment with significant changes and uncertainties (e.g., new entrants, disruptive
technologies, big changes in competitors’ behaviors and customer demands). In such turbulent
environments, the board should ideally be more permissive and demonstrate that style by having
more tolerance and providing more advice to top management, while putting less emphasis on
immediate monitoring. The reason is that in such circumstances advising and supporting the
executives is more important, and at the same time, monitoring (which includes mostly looking at
the past) can be fruitless and time consuming, given the significant changes.[20] Ultimately, when
boards attempt to engage in these different IT governance styles, we recommend that they
consider the balance between their monitoring and advising roles.
Asking key IT governance questions (e.g., similar to the ones listed in Table 2) and setting up IT
governance structures (e.g., a committee) are effective ways to initiate board IT governance.[8]
Note that by asking the same questions while employing different styles, the board can
convey its emphasis on the monitoring and advising aspects of governance style. The monitoring
role is covered in columns 1 and 3, while the advising role is covered in columns 2 and 3. For
example, the board can ask “What is the frequency of reporting …” to show a monitoring role, and
it can ask “Are you comfortable with the frequency of reporting…” or “What can we do to help
you with this IT matter” to adopt an advising role. The board can also provide insights from
other companies or based on prior executive-level experiences its members possess, say
regarding reporting, to enhance or reduce the two roles. We acknowledge that this table
artificially simplifies the complex interactions between the board and the executives. However, it
is used to provide examples and represents a first step toward improving the effectiveness of
board IT governance. Ideally, boards should ensure style consistency throughout all interactions
with executives.
Table 2. Examples of showing monitoring role and advising role
| Monitoring Role | Advising Role | Board IT governance questions and statements |
|---|---|---|
| What is | Are you comfortable with | the frequency of reporting the matters related to the company’s IT resources to the board |
| Did you know | We can help you to clarify | the value of the company’s IT resources |
| | | the strategic importance of IT resources to the company |
| How did you | Do you need help to | develop and implement the company’s IT strategy |
| | | ensure the company’s IT strategy is aligned with the company’s overall strategy |
| | | develop shared understanding between CIO and top management on strategic IT matters, trends, innovations, issues and risks |
| | | measure the contribution provided by the company’s IT resources |
| | | assess emerging technologies and trends, and their potential impact on the company |
| | | monitor and report the performance of the company’s IT resources, processes and projects |
| | | protect the confidentiality of intellectual and information assets |
| | | monitor legal, regulatory and contractual obligations related to IT resources |
| Did | We can help ensure that | the investment in IT resources meet(s) the business’s requirements to process information |
| | | the company’s IT resources and initiatives allow the company to capitalize on, and adapt to, marketplace forces, trends and opportunities |
| | | its information and IT resources, systems and technologies keep pace with changing business needs and enable the organization’s success |
| Is/are there | We can guide you to set up | appropriate collaboration and accountability for identifying, acquiring and deploying IT resources and capabilities to meet the needs of the company |
| | We can help you develop | adequate plans (e.g. business continuity plan and disaster recovery plan) to enable continuity of critical business operations |
| | | IT risk assessment plan and IT security policies |
| | We can help you access | sufficient IT resources and knowledge including succession plans for key IT personnel |
| What are | We can help you choose | measures to enhance, preserve and safeguard the integrity and reliability of the company’s data and IT resources |
Note: “You” refers to executives, and “we” refers to the board. Some of the questions and statements are adapted
from “20 questions directors should ask about IT”.[9]
What should CEOs and CIOs do regarding Boards’ involvement with IT
CEOs, CIOs and other senior executives should push their boards to spend more time on IT
matters during board meetings and eventually, if needed, establish a dedicated board IT
committee. Although executives also need to spend extra time and effort to report to and
interact with the board when it starts discussing IT, the executives can benefit from IT resources,
guidance and advice provided by their board members. This is especially true if their
compensation is tied to long-term performance, in which case it is in their best interest to
request and motivate board IT governance. After all, board IT governance is associated with firm
performance.[2,10,11]
CONCLUSION
In this article we posit that board involvement with IT governance is often not at the needed
level. We illuminate the differences between board-level and executive-level IT governance,
explain why the board and the management team should be equally motivated to engage the board
in IT governance, and outline board IT governance structure, action, and style recommendations.
REFERENCES
1. Paredes, D. (2016). Tech disruption and cybersecurity top boardroom agenda in NZ. CIO. Retrieved July 17, 2018, from https://www.cio.co.nz/article/593402/tech-disruption-cybersecurity-top-boardroom-agenda-nz/
2. Nolan, R., & McFarlan, F. W. (2005). Information Technology and the Board of Directors. Harvard Business Review, 83(10), 96-106.
3. Bart, C. K., & Turel, O. (2010). IT and the Board of Directors: An Empirical Investigation into the ‘Governance Questions’ Canadian Directors Ask About IT. Journal of Information Systems, 24(2), 147-172.
4. Huff, S. L., Maher, M. P., & Munro, M. C. (2006). Information technology and the board of directors: is there an IT attention deficit? MIS Quarterly Executive, 5(2), 55-68.
5. Andriole, S. J., & Bojanova, I. (2014). Optimizing operational and strategic IT. IT Professional, 16(5), 12-15.
6. De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance Implementations and Its Impact on Business/IT Alignment. Information Systems Management, 26(2), 123-137.
7. Weill, P., & Ross, J. W. (2004). IT governance: How top performers manage IT decision rights for superior results. Harvard Business Press.
8. Information Technology Governance Institute (ITGI). (2003). Board briefing on IT governance. Retrieved July 17, 2018, from https://www.isaca.org/knowledge-center/research/researchdeliverables/pages/board-briefing-on-it-governance-2nd-edition.aspx
9. CICA. (2004). 20 Questions Directors Should Ask About IT. Canadian Institute of Chartered Accountants (CICA), Toronto, ON, 116.
10. Jewer, J., & McKay, K. N. (2012). Antecedents and Consequences of Board IT Governance: Institutional and Strategic Choice Perspectives. Journal of the Association for Information Systems, 13(7), 581-617.
11. Turel, O., & Bart, C. (2014). Board-Level IT Governance and Organizational Performance. European Journal of Information Systems, 23(2), 223-239.
12. Kude, T., Lazic, M., Heinzl, A., & Neff, A. (2018). Achieving IT-based synergies through regulation-oriented and consensus-oriented IT governance capabilities. Information Systems Journal, Forthcoming.
13. Turel, O., Liu, P., & Bart, C. (2017). Board-Level Information Technology Governance Effects on Organizational Performance: The Roles of Strategic Alignment and Authoritarian Governance Style. Information Systems Management, 34(2), 117-136.
14. Spencer Stuart (2016). Spencer Stuart Board Index A Perspective on U.S. Boards. Retrieved July 17, 2018, from https://www.spencerstuart.com/~/media/pdf%20files/research%20and%20insight%20pdfs/spencer-stuart-us-board-index-2016.pdf
15. Higgs, J. L., Pinsker, R. E., Smith, T. J., & Young, G. R. (2016). The relationship between board-level technology committees and reported security breaches. Journal of Information Systems, 30(3), 79-98.
16. Banker, R. D., Feng, C. Q., & Pavlou, P. A. (2011). CIO Educational Background, Strategic Positioning, and Stock Performance. Working paper. Retrieved July 17, 2018, from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1910387
17. Baumrind, D. (1971). Current Patterns of Parental Authority. Developmental Psychology, 4, 1-103.
18. Eisenhardt, K. M. (1989). Agency Theory: An Assessment and Review. Academy of Management Review, 14(1), 57-74.
19. Davis, J. H., Schoorman, F. D., & Donaldson, L. (1997). Toward a Stewardship Theory of Management. Academy of Management Review, 22(1), 20-47.
20. Ghasemaghaei, M., Hassanein, K., & Turel, O. (2017). Increasing Firm Agility through the Use of Data Analytics: The Role of Fit. Decision Support Systems, 101, 95-105.
ABOUT THE AUTHORS
Ofir Turel is a professor at the Information Systems and Decision Sciences Department,
California State University, Fullerton. Before joining academia, he held senior positions
in the information technology and telecommunications industries. His research interests
include a broad range of behavioral, bio-physiological, and managerial issues in various
information systems contexts. He has published over 90 articles in various journals. Contact him
at oturel@fullerton.edu.
Peng Liu is an assistant professor at the Information Systems and Decision Sciences
Department, California State University, Fullerton. His research interests include IT
governance, business value of IT, organizational routines and capabilities, and trust in
technologies. Contact him at peliu@fullerton.edu.
Chris Bart is a retired professor of Strategic Market Leadership (Strategy and Governance)
at the DeGroote School of Business, McMaster University, Hamilton, Ontario, and is the
Principal with Corporate Missions Inc. (http://www.corporatemissionsinc.com). He is also
the Founder of The Directors College: Canada’s first university accredited director
education program. He is the author of the Canadian Business #1 best seller, “A Tale of Two
Employees and the Person Who Wanted to Lead Them.” He has also published over 100 other
articles, cases, and reviews. Contact him at chris.bart@thedirectorscollege.com.
... Sustainability in Information Technology strives to introduce process modifications that comprehensively define acceptable quality, encompassing factors like the environment, welfare, development, and prospects [1]. IT governance within the project domain can be achieved by strategically grouping similar projects into programs managed at the organizational business level. ...
... If they exist, these programs are then strategically grouped into portfolios for strategic management [2]. In the context of this IT Governance validation model, it is essential to remember that this [1]- [3]can significantly contribute to practitioners and academics by enabling them to understand the implementation process carried out in stages within the IT Governance framework [4]- [6]. In this way, they can gain deeper insight, especially regarding detailed aspects of the related research process.IT governance within the project domain can be achieved by strategically grouping similar projects into programs managed at the organizational business level. ...
... Considerable research efforts have been dedicated to thoroughly investigating and dissecting various facets of this persistent issue, aiming to acquire a more profound understanding of the root causes behind why IT processes consistently yield unsatisfactory outcomes. These inadequacies result in significant setbacks, encompassing factors such as time delays, increased expenses, compromised quality, and diminished levels of customer satisfaction [1]. The overarching consequences of these recurring IT process failures extend beyond immediate setbacks. ...
... Other board-level IT governance researchers investigated the different roles that boards can fulfill while governing IT [1,8,16]. Also, some researchers specifically list questions that boards should ask about digital initiatives, projects, and organizational processes [11,[17][18][19]. Despite previous researchers of board-level IT governance plea for more research into how boards currently engage in board-level IT governance and actually take their responsibilities [15,17], we were unable to find scientific insights into how independent non-executive supervisory board members, in a two-tier system, act to influence digital strategy. ...
... Scientific research into the board's involvement in IT as well as the supervisory board's involvement in strategy is conducted using different research methods as shown in Fig. 3. Researchers in these areas used literature reviews [1,15,40], case studies [19,45], interview techniques [4,5,7,33,34,[42][43][44] and surveys [8,17,18,[47][48][49][50]. One researcher observed board meetings [46] and some researchers supplemented their surveys with interviews [3,18] or in-depth analysis [10] to conduct mixed-method research. ...
... Scientific research into the board's involvement in IT as well as the supervisory board's involvement in strategy is conducted using different research methods as shown in Fig. 3. Researchers in these areas used literature reviews [1,15,40], case studies [19,45], interview techniques [4,5,7,33,34,[42][43][44] and surveys [8,17,18,[47][48][49][50]. One researcher observed board meetings [46] and some researchers supplemented their surveys with interviews [3,18] or in-depth analysis [10] to conduct mixed-method research. One relevant paper is mainly based on the practical experience of the authors [11]. ...
Chapter
Since digital opportunities will continue altering business models, organizations need to formulate and execute digital strategies to sustain long-term value. A digital strategy is governed by the organization’s board. A board consists of executive and non-executive members, whereas in a two-tier system, the non-executive members form a supervisory board that is decoupled from the executive board. We present a framework illustrating how the actions of supervisory board members might influence digital strategy. We developed this framework based on a structured literature review with insights from corporate governance, strategic management, and board-level IT governance. We found that supervisory board members execute a variety of actions to take and shape strategic decisions and shape the strategic content, context, and conduct within their organization. We integrated our findings into sixteen potential actions that supervisory board members can take to influence digital strategy formulation, execution, and context. Further research should evaluate the framework and investigate the impact of their actions on digital strategies.
... In other words, IT expertise on the board of directors would enhance the effectiveness of organizations' cybersecurity governance (Bonime-Blanc, 2017). This would mean changes in the audit committee's role (Deloitte, 2015) or establishing a technology committee on boards of directors as a further IT governance structure (Turel et al., 2019). Hence, to discharge their oversight duties with respect to cybersecurity decisions, the board of directors (as a group) can benefit from having a technology committee (Higgs et al., 2016) and IT expertise on the board itself (Vincent et al., 2019) or on its audit committee (Ashraf et al., 2020). ...
... "IT risks are the risks information technology poses to financial reporting when IT results in poor internal controls, accounting information, or cybersecurity" (Ashraf et al., 2020, p. 24). Cyberattacks and unauthorized data disclosure are examples of IT risk issues (Turel et al., 2019). Cybersecurity "exceeds the boundaries of IT and cyber risk needs to be managed with as much discipline as financial risk" (Deloitte, 2015, p. 6). ...
... Specifically, firms "for which technology forms the backbone of their business often have a dedicated cyber risk committee that focuses exclusively on cybersecurity" (Deloitte, 2015, p. 6). Companies may also form a board-level technology committee to signal to stakeholders that the upper echelon considers IT to be a strategic tool (Turel et al., 2019) or that oversight of breach risks is a board priority (Higgs et al., 2016). These firms are more committed to cybersecurity and more inclined to react after a cybersecurity breach (Lankton et al., 2020). ...
Article
As cybersecurity is a critical risk issue for organizations, cybersecurity disclosure is important for financial regulators, financial analysts, shareholders, and other stakeholders. Organizations face challenges when deciding whether, what, and when cybersecurity-related information should be disclosed. Prior studies have contributed few insights regarding the potential determinants of cybersecurity disclosure. Furthermore, their findings are based on a general or narrow measurement of this disclosure. This study draws on upper echelons and signaling theories to examine the association between various board of directors’ characteristics and extent of overall cybersecurity disclosure and its individual aspects. Extent of cybersecurity disclosure is measured based on a content analysis of annual financial regulatory filings of the 250 companies listed on the S&P/TSX Composite Index, using a scoring grid of 40 items grouped into seven categories representing different aspects of cybersecurity disclosure. This expanded disclosure measurement provides original insights for firms and their stakeholders. The main findings indicate that the presence of a committee responsible for cybersecurity on the board of directors is key to increasing cybersecurity disclosure. With or without such a committee, board IT expertise, board tenure, board independence, women directors, and board age are associated with the extent of total cybersecurity disclosure or some of its specific aspects, particularly cybersecurity risk mitigation. These findings contribute to the cybersecurity literature by examining which board of directors’ characteristics influence the extent of specific aspects of cybersecurity disclosure. They also complement results from upper echelons-based studies on corporate reporting determinants and prior IT governance studies.
... Healthcare organizations, like any other modern organization, are increasingly relying on IT for success (Ayatollahi and Zeraatkar 2020; De Haes and Van Grembergen 2015; Kuo et al. 2017) and have come to recognize that IT has become a crucial strategic instrument (Lazic, Heinzl, and Neff 2011; Lee and Setiawan 2013). Information Technology has demonstrated value as a tool for implementing business strategy (Burmann and Meister 2021; Jiandong and Hongjun 2010; Karahanna et al. 2019; Turel, Liu, and Bart 2019), resulting in healthcare organizations being compelled to advance strategic information systems in the pursuit to provide better and more effective healthcare services (Achieng and Ruhode 2023; Negash et al. 2018; Sha, Chen, and Teoh 2020). The implementation of healthcare information systems generates measurable business returns and benefits (AbuKhousa and Al-Qirim 2012), leading to improved service quality and cost reductions (Tsiknakis and Kouroubali 2009). ...
... IT governance ensures the effectiveness of IT utilization and can achieve the link between IT and business by the board of directors, executive management, and IT management (De Haes & Van Grembergen, 2004); this involves multiple scopes, including strategic alignment, risk management, resource management, value delivery, and performance measurement (Wilkin & Chenhall, 2010; Turel et al., 2019). For ensuring strategic alignment and the effectiveness of governance, the involvement of high-level roles in an IT-implementing firm is necessary to create firm value and mitigate risks. ...
Article
This study examines the value relevance of a firm’s artificial intelligence (AI) implementation and its awareness of the related risks. We proxy a firm’s AI implementation by AI-related disclosures and risk factors in 10-K filings to the U.S. Securities and Exchange Commission. Our results show that AI implementation disclosures in 10-K filings are more value relevant than those without AI disclosures. We also find that the disclosed AI-related risk factors are value relevant, suggesting that investors positively value a firm’s AI risk awareness. By further classifying AI risk factors by a topical analysis of the latent Dirichlet allocation, we find that investors value AI-related risk factor disclosures more regarding security and data privacy. Finally, we find that when a firm has better board- or executive-level IT governance, investors place greater value on AI-related risk factor disclosures regarding business operations.
Article
Digital transformation (DT) is a complex, lengthy and risky process that can disrupt habituated operations. Thus, the board of directors can and should play a crucial role in strategically steering DT initiatives. However, interviews (n = 21) with and survey responses (n = 19) from board members and IT leaders of large enterprises revealed that boards often lack digital awareness, which makes them insufficiently equipped to understand the risks and opportunities presented by new digital technologies (e.g., AI). We identified four ways in which the digital awareness deficit manifested in practice, as well as specific impacts of such deficits on the DT process. Our data also revealed several practices that can be used for increasing the digital awareness of board members and translating this awareness into board DT actions.
Book
This book describes the fundamentals and individual fields of action of IT governance in detail in a practice-oriented and systematic manner. These fields of action as well as mechanisms and measures for implementing IT governance are presented in an integrated approach and the many cross-references are discussed. The practical implications are highlighted in the form of recommendations for action.
In detail, the book covers the following subjects:
- Value contribution of IT as a field of action
- Actors in IT governance
- Stakeholders as a field of action
- IT organization as a field of action
- IT risks as a field of action
- IT compliance as a field of action
- Data governance
- Norms and standards of IT governance
The development of the field in practice and research as well as the state of the art are fundamentally presented. With regard to positioning in organizations, reference is always made to the important interface between IT governance and IT management, so that a clear distinction is made between governance and management responsibility. The book serves both as an aid and a reference work for meeting the diverse challenges of IT governance in daily practice in a professional way and with sustainable benefits.
Article
We report on two empirical studies that explore key factors that help translating information technology (IT) governance by the board of directors into organizational performance. The first study shows that strategic alignment partially mediates the effect of board-level IT governance (ITGI) on performance. The second study demonstrates that authoritarian governance style negatively moderates the effect of board-level ITG on performance. Together, these studies open up the black box between board-level ITG and organizational performance.
Article
After several high-profile data security breaches (e.g., Target Corporation, Michaels Stores, Inc., The Home Depot), corporate boards are prioritizing the oversight of Information Technology (IT) risk. Firms are also increasingly faced with disclosure decisions regarding IT security breaches. This study proposes that firms can use the creation of a board-level technology committee as part of the firm’s information technology governance (ITG) to signal the firm’s ability to detect and respond to security breaches. Using reported security breaches during the time period 2005–2014, results indicate that firms with technology committees are more likely to have reported breaches in a given year than are firms without the committee. Further analysis suggests that this positive association is driven by relatively young technology committees and external source breaches. Specifically, as a technology committee becomes more established, its firm is not as likely to be breached. To obtain further evidence on the perceived value of a technology committee, this study uses a returns analysis and finds that the presence of a technology committee mitigates the negative abnormal stock returns arising from external breaches. Findings add to the evolving ITG literature, as well as to the signaling theory and disclosure literatures.
Article
In modern organizations, information technologies (IT) often help drive organizational strategies. As such, IT require both judicious planning and oversight. While executive oversight over IT is quite common nowadays, several studies indicate that due to the many benefits and risks associated with IT, more/better board-level oversight may be in order. Unfortunately, there is a scarcity of research on the involvement of board members in IT governance. We attempt to partially fill this gap by empirically examining the degree to which the 27 IT governance questions that make up an IT board governance framework recommended by the Canadian Institute of Chartered Accountants are raised by the board members of 94 Canadian firms. We also investigate the extent to which the questions are considered important. Our findings show that: board members use only some of the IT governance questions and not all the recommended ones; there is a gap between the IT governance questions board members ask and the ones they perceive to be important; and the number and importance of IT governance questions that board members ask appear to vary with both their organization's strategic use of IT and the need for IT reliability. Implications for research and practice are offered.
Article
Research on the strategic management of Information Technology (IT) resources has mostly focused on the oversight provided by the management team as a means to increase organizational performance. In recent years, boards of directors have also increased their involvement in IT matters, and various theoretical lenses suggest that this oversight too has the potential to influence organizational performance. Hence, this study synthesizes the resource-based and contingency views of MIS with corporate governance theories, and examines key antecedents and consequences of board-level IT governance (ITG) using a multi-method approach. Structural Equation Modelling analysis applied to organization-level data collected from 171 board members suggested that the level of ITG exercised by boards was contingent upon the organization's ‘IT use mode’, along the two dimensions of need for (a) fast and reliable IT, and (b) new innovative IT. But, the findings further suggested that the contingency approach may be suboptimal because it can cause new ways of leveraging IT to be ignored. High levels of board-level ITG, regardless of existing IT needs, increased organizational performance. This phenomenon was illuminated with applicability checks. Moreover, content analysis and structured interviews with board members further enriched these insights.
Article
This study aims at exploring the IT governance capabilities that enable organizations to achieve IT-based synergies. Following existing work on the contextualization of theories and drawing on the resource-based view of the firm (RBV), we develop an RBV of IT-based synergies in two steps. First, we adopt existing context-specific constructs and relationships from prior work on IT governance capabilities, IT relatedness, and synergies to develop a preliminary contextualization of the RBV. Second, to further refine our theoretical framework, we conduct an exploratory field study that includes interviews with 26 CIOs and other IT executives from 21 multibusiness firms. Our findings suggest that IT governance capabilities lead to IT-based synergies through IT relatedness and business process relatedness. We found regulation-oriented IT governance capabilities (IT roles and IT processes) to increase IT relatedness, while consensus-oriented IT governance capabilities (IT groups and relational capabilities) had a positive effect on business process relatedness. Our results suggest that, in isolation, IT and business process relatedness lead to IT cost synergies, while collectively enabling IT-induced business synergies. Our study is among the first to treat IT relatedness as an endogenous construct and to explicitly integrate business process relatedness into the IT governance domain. Our context-specific decomposition of IT governance capabilities helps to better explain their links to IT and business process relatedness. These findings contribute to a better understanding of the tension between IT-based synergies and business-IT alignment. Decision-makers are guided in developing IT governance capabilities to achieve IT-based synergies.
Article
Agility, which refers to a dynamic capability within firms to identify and effectively respond to threats and opportunities with speed, is considered as a main business imperative in modern business environments. While there is some evidence that information technology (IT) capabilities can help organizations to be more agile, studies have reported mixed findings regarding such effects. In this study, we identify the conditions under which IT capabilities translate into agility gains. We focus on a specific and critical IT capability, the use of data analytics, which is often leveraged by firms to improve decision making and achieve agility gains. We leverage dynamic capability theory to understand the influence of data analytics use as a lower-order dynamic capability on firm agility as a higher-order dynamic capability. We also draw on the fit perspective to suggest that this impact will only accrue if there is a high degree of fit between several elements that are closely related to the use of data analytics tools within firms including the tools themselves, the users, the firm tasks, and the data. The proposed research model is empirically validated using survey data from 215 senior IT professionals confirming the importance of high levels of fit between data analytics tools and key related elements. The findings provide the understanding of the impacts of data analytics use on firm agility, while also providing guidance to managers on how they could better leverage the use of such technologies. These findings could be more broadly used to inform the effective use of other forms of IT in organizations.
Article
Recent thinking about top management has been influenced by alternative models of man. Economic approaches to governance such as agency theory tend to assume some form of homo-economicus, which depict subordinates as individualistic, opportunistic, and self-serving. Alternatively, sociological and psychological approaches to governance such as stewardship theory depict subordinates as collectivists, pro-organizational, and trustworthy. Through this research, we attempt to reconcile the differences between these assumptions by proposing a model based upon the subordinate's psychological attributes and the organization's situational characteristics.
Article
The authors explore seven operational and strategic technology capabilities and management practices, which are shaping today's enterprise IT systems and applications: cloud computing, BYOD, big data analytics, social business analytics, location awareness, crowdsourcing, and governance federation.
Article
In spite of the potential benefits of board IT governance and the costs of ineffective oversight, there has been little field-based research in this area and an inadequate application of theory. Drawing upon strategic choice and institutional theories, we propose a theoretical model that seeks to explain the antecedents of board IT governance and its consequences. Survey responses from 188 corporate directors across Canada indicate that both board attributes and organizational factors influence board involvement in IT governance. The results suggest that proportion of insiders, board size, IT competency, organizational age, and role of IT influence the board's level of involvement in IT governance. The responses also indicate that board IT governance has a positive impact on the contribution of IT to organizational performance. Overall, the results support the integration of strategic choice and institutional theories to explain the antecedents to board IT governance and its consequences, as together they provide a more holistic framework with which to view board IT governance.