Abstract
Background: Following the corporate failures of the 1990s, factors identified as evidence for these failures extended beyond just weak or ineffective corporate governance models, codes and legislation. Poor management and oversight of information technology (IT) systems were also identified as sources of failure as a result of organisations’ significant utilisation and reliance on IT. For more control and regulations, existing corporate governance codes of practice and the development thereof were reviewed and reformed. Information technology governance reforms were then incorporated into corporate governance codes, and IT governance established as a board-level responsibility. Over the years, studies into board-level IT governance have been limited, and thus the nature of board-level IT governance and its constitutional aspects are not fully known.
Objectives: The aim of this study was to identify and assess aspects of IT governance implemented by the boards of companies listed on the Johannesburg Stock Exchange in South Africa.
Method: In-depth, semi-structured interviews were conducted. Interview data was thematically analysed and key themes identified.
Results: Boards have been effective in terms of IT investments and budgeting, which were identified as key factors in effecting IT oversight. Boards have delegated most aspects of their IT governance oversight to board-level risk and audit committees, thus limiting the level and depth of interrogation of IT oversight by the board. The oversight of board IT governance is weak in outsourced IT arrangements.
Conclusion: The implementation of board-level IT governance goes beyond prescribed IT governance principles within corporate governance codes. In effecting their IT governance, boards consider IT projects that contribute to organisational sustainability and those that positively add value to stakeholders, such as employees and consumers.
Keywords: IT governance framework; corporate governance; IT governance; framework; board-level IT governance.
Introduction
The central controlling authority in organisations is the board, which is responsible for overseeing the overall operations of the corporation. This responsibility involves ensuring the continuous existence of the corporation, directing the activities and processes of the corporation and ensuring the corporation abides by the laws and regulations of the home state or country (Akingunola, Adekunle & Adedipe 2013; Ayuso et al. 2014; Krause, Semadeni & Cannella 2013). To be effective in carrying out its oversight role, the board is guided by codes of corporate governance and best practice. These codes and practices guide and specify required structures, processes and sets of values for the board’s implementation and institutionalisation. These codes are dynamic and should be continuously reviewed to keep up with ongoing changes within the socio-economic environment, as well as within laws and regulations (Aguilera & Cuervo-Cazurra 2004).
The corporate governance practices of the 20th century did not fully accomplish the expected control and regulations for organisational success. This is evident by various corporate failures of the 1990s (Veasey 2004). The failures extended beyond just weak or ineffective corporate governance models, codes and legislations (Soltani 2014). Poor management and ineffective oversight of information technology (IT) were also identified (Li et al. 2012). The ineffective oversight of IT called for a review of the board’s oversight function to include IT governance. This necessitated the review and reform of corporate governance codes and practices to include IT governance. In South Africa, the corporate governance code released in 2009 (referred to as ‘King III’) included IT governance principles within its code, thus making IT governance an integral responsibility of the board. However, studies on IT governance have focused more on managerial structures and decision-making, and less on the actual role of the board in IT governance. Knowledge on how boards have implemented IT governance as an integral part of their corporate governance responsibilities is therefore lacking (Bart & Turel 2010).
The objective of this study is to assess the nature of IT governance at the board level of companies listed on the Johannesburg Stock Exchange (JSE), to examine the aspects of IT governance implemented by the board and to construct a board-level IT governance framework.
Literature review
The advancement of IT since the 1990s has prompted organisations to adopt various IT solutions to enable improved operational efficiencies and to attain strategic goals. Almost all aspects of the organisation depend extensively on IT (Spremic & Popovic 2008) and account for over 50% of an organisation’s information assets. This extensive integration of information assets brought to the attention of the board the importance of IT oversight. The governance of IT has since obtained much attention at the board level (The King Committee 2009). The need for the board oversight to ensure that the organisation obtains maximum output from its IT investment has become more important (IT Governance Institute [ITGI] 2008).
Information technology governance decision models
The decision-making practices of IT governance have taken various forms since the works of Sambamurthy and Zmud (1999), Peterson (2004) and Simonsson and Johnson (2006). The governance of IT has shifted from the focus on delegation of authority in decision-making regarding what IT to use, how much is used and who uses it. Organisations now focus their IT governance on the strategic use of IT and what the organisation stands to gain from its IT deployment (Pearlson, Saunders & Galleta 2009).
As a result of the contingency theory, an organisation’s choice of IT governance model is influenced by the existing contingencies that influence the organisation (Jacobson 2009), both from within and without. Contingencies that influence an organisation and its IT governance include defining and aligning the IT strategy to the organisation’s strategy, making IT investment decisions, implementing IT controls and making overall IT risk-management decisions. These contingencies are dealt with by the central controlling decision-making structure within the organisation, which is the board. The role of the board is guided by corporate governance principles. Thus, an organisation’s IT governance is influenced by its corporate governance practices.
Influence of corporate governance on information technology governance decision models
According to Peterson (2001), corporate governance decisions influence IT governance models and, where conflict exists between the two, corporate governance decision presides. However, this may differ in the case of an IT-outsourced environment. In an outsource relationship where an organisation’s IT service is provided by an external IT service provider, decisions relating to a given domain of IT being delivered by the service provider are located with the service provider’s authority and thus are outside the control of the organisation’s corporate and IT governance models (Peterson 2004). Such an external structure may therefore influence the organisation’s internal IT governance model. Managing this external influence on the nature of an organisation’s IT governance model becomes a challenge. Peterson (2001) concludes that for organisations to effectively manage these factors and implement the effect oversight of IT governance, they need to build a particular capability to underpin their IT governance decision-making structures.
Information technology governance capabilities
Structural capabilities, process capabilities and relational capabilities are the three key capability structures required for the effective implementation of IT governance (Peterson 2004). Structural capabilities are established at various levels within the organisation as formal structures (such as a committee and advisory board) that are assigned the role of overseeing the management of IT governance-related decisions (Bart & Turel 2010; Jewer & Mckay 2012). Process capabilities include formal processes and procedures that enable the development and selection of IT strategies, monitoring of the performance of the implemented IT strategies, and decision-making to rectify IT implementation (Jewer & Mckay 2012; Marks 2010; Schwertsik, Wolf & Krcmar 2010). Relational capabilities are established communication and collaboration mechanisms that enable the active participation of stakeholders in making joint choices relating to IT that transcend the functional interest within the organisation (Ali & Green 2012). They also encompass the knowledge gained through communication and collaboration with stakeholders (Balsmeier, Buchwald & Zimmermann 2013).
Information technology governance decision-making responsibilities
In the detailed description of the three capabilities, Peterson (2004) highlights the need for processes and procedures that underpin each of the capabilities and key decision-making areas that align to them:
- accountability for selection and prioritisation of decision options relating to IT
- deriving and aligning IT strategy within the organisational strategic decision areas
- identifying and establishing key stakeholder relationships and participation in IT decision-making.
Following on from the who, what and how of IT governance decision-making by Weill and Ross (2004), the required governance structure of Pearlson et al. (2009) and Peterson’s (2004) capability for decision-making; the relationship and alignment between the capabilities, IT domains and IT decision-making areas are illustrated in Figure 1.
 |
FIGURE 1: Information technology governance decision-making and implementation process alignment. |
|
The board accountability for information technology governance decision-making
The literature on corporate governance shows that the board is the topmost structure with overall corporate governance authority (Hendry & Kiel 2004). Following a top–down approach, overall strategic decisions, approval and accountability within an organisation are still ordered by the board and implemented at the lower level by management (Stevenson & Radin 2015). Accountability for IT governance within the organisation therefore resides with the board, as IT is strategically and extensively employed across all functions within the organisation. The associated high risk of the potential failure of IT further entrenches IT governance within corporate governance as a board responsibility (Spremic & Popovic 2008).
Strategic alignment of business and information technology decision-making
As an enabler of an organisation’s strategic ability, IT strategies are developed to influence organisational strategic goals and enhance operational performance. The board’s responsibility of oversight of business strategy should therefore also include ensuring the alignment of the IT strategy to the business strategy (Calder 2008; Webb, Pollard & Ridley 2006).
The alignment of the IT strategy to the business goals should enable the determination of IT capability requirements for effective and strategic IT implementation. Thus, the decision-making by boards includes IT investment decisions regarding what IT domain is required and the related operational capabilities (Parent & Reich 2009).
Implementation of information technology strategic decisions and stakeholder involvement
The active participation of stakeholders in IT strategic choices ensures that IT decision-making processes transcend functional interest within organisations (Ali & Green 2012). Various established communication and collaboration mechanisms provide the needed processes that engage stakeholders in the decision-making process. The decision-making processes and implementation are enhanced and supported by the establishment of relevant internal structures and the combined knowledge and competences brought on board by these stakeholders (Balsmeier et al. 2013; Mohamed, Kaur & Singh 2012).
Methodology
To assess aspects of IT governance implemented by JSE-listed companies, a qualitative methodology was followed. At the time of this study, ShareData, an accredited website for the JSE, published (in 2015) a total of 385 companies, as listed on the JSE across all seven provinces of the country. Because of convenience and constraint of resources, the province of KwaZulu-Natal was selected as the study site, where a total of 23 private companies were identified as the purposive sample. Out of the 23 companies, 3 were on suspension by the stock exchange and thus the 20 companies in good standing were contacted. Only 10 agreed to participate in the study, resulting in a response rate of 43.5%, computed using the American Association for Public Opinion Research (AAPOR) formula, which is higher than the average response rate of similar studies (Ogbechie 2012).
Because the companies differ in type of industry and size (profitability, revenue, return on assets), a multiple case study and an in-depth, semi-structured interview approach was adopted. According to Ghauri and Gronhaug (2005) and Yin (2013), this would enable the study to cover an in-depth understanding of the possible differences and similarities in aspects of IT governance implemented across the companies. The participating companies nominated representatives as interviewees and each of the companies were considered as a separate case. Interviewees were executives with board-level IT oversight and corporate governance responsibilities, and thus identified as the right respondents with the appropriate knowledge of IT governance at the board level. According to Kumar Vinod and Associates (2014), interviewees should have the appropriate knowledge of the phenomenon being studied. A total of 16 interviews were conducted because some companies provided more than one nominee. Interviews were conducted under conditions of confidentiality; the details were recorded and transcribed, and NVivo software was used in the identification of themes. Hence, a thematic analysis was conducted.
To assess a link between board-level IT governance and organisational performance, the annual turnover between 2010 and 2014 of each of the 10 participating companies (cases) was reviewed. The literature states that effective IT governance positively impacts organisational performance (Jewer & McKay 2012). The JSE adopted, as a mandatory requirement for all listed companies, board-level IT governance principles in 2009 as an integral part of their corporate governance practices. The period 2010–2014 was considered as adequate to find and understand how JSE-listed companies implemented IT governance as an integral part of the corporate governance practices at the board level.
Findings and discussion
The study’s findings are presented to highlight the variation in the various boards of the 10 cases. These variations are discussed to identify board structure and diversity, organisational size by turnover, and factors that influence the board’s IT-related decisions and oversight. The findings and discussions are as follows.
Impact of strategy on turnover
Based on their turnover over a period of 5 years, it was evident that some companies had a significantly higher turnover whilst others had a lower or declined turnover. As shown in Figure 2, all the companies achieved growth within the stipulated period, except company C4. The reason obtained from the organisations’ published annual reports reference achieved growth as a result of the varying strategies pursued during the period in review.
 |
FIGURE 2: Companies’ average percentage growth from 2010 to 2014. |
|
Insight from the published annual financial reports of the companies provided information on the strategies they pursued. Over the period, both C4 and C7 pursued growth strategies with the intension of improving their turnover. The company, C7, reported an acquisition strategy and acquired several companies operating in a similar industry. This provided C7 with short-term returns as it was able to save costs through achieving synergies and reducing process duplication and redundancy in the organisational structure. This is consistent with the findings of Yaghoubi et al. (2016) that, in an acquisition strategy, cost savings and short-term growth in turnover are best attained when acquisitions are made within a related industry. The company C4, however, diversified into new markets, which included newer industries. From its financial reports, C4 incurred more cost in trying to review current operational inefficiencies and duplication that should lead to a reduction and streamlining of operations across its newly acquired companies. The company, C4, is thus incurring more cost now but with the intention of later returns from its investments.
Themes and thematic analysis
The dominant themes and subthemes that affect board-level IT governance include the characteristics of the board, the nature of IT within the organisation, internal organisational factors and factors external to the organisation. Attained IT value and organisational performance emerged as resultant outcome themes of the effectiveness of IT governance.
Board characteristics
From the thematic analysis of participants’ responses, board characteristics were identified with the following subthemes: board size, competence diversity of the board, composition of independent non-executive directors, IT competence and knowledge of the board members.
Board size
What constitutes an ideal board size has been inconsistent within the literature. A maximum board size suggested within the literature varies between 12 and 17 (De Andres & Vallelado 2008; Ogbechie 2012). The Companies Act of South Africa (Republic of South Africa [RSA] 2008) states that the size of a board is to be specified by the board itself and documented in the organisation’s memorandum of incorporation. The board should, however, ensure that a balance of skills and competences exist on the board, and within a reasonable board size (De Andres & Vallelado 2008; Ogbechie 2012).
For this study, the following was adopted: a board size of 12 or more members was classified as large, a board of between 9 and 11 members was classified as medium, and a board of 8 or fewer members was classified as small. The findings indicate that four companies had boards classified as large, another four were classified as medium and two were classified as small. To obtain further insight on this, the literature indicates that larger boards are likely to have a negative effect on the organisational performance, whilst small to medium-sized boards tend to improve organisational performance (Iturralde et al. 2016). A review of the companies’ percentage of annual growth over a 5-year period was carried out and is presented in Table 1. As indicated in Table 1, the companies with board sizes classified as medium recorded a high percentage of annual growth over the period. The rest of the organisations with a medium and low percentage of annual growth were distributed evenly across the other two classified board sizes. Whilst no further evidence was found to link performance, board size and IT governance, it is worth noting that the finding is consistent with that of Iturralde et al. (2016).
| TABLE 1: Board structure of participating companies. |
Diversity of board competence
Directors’ competences, skills and experience are significant and bring diversity to the board, improving the rigour of deliberations and the board’s performance (Ogbechie 2012). Most respondents indicated that the majority of their board members had financial and accountancy qualifications and competences. Further records extracted from the annual financial reports of these companies support the respondents’ responses, as presented in Figure 3.
 |
FIGURE 3: Board composition of participating companies. |
|
It is evident from Figure 3 that more chartered accountants than other professions serve these 10 boards, making up to 57% in one case. From the literature, board decisions on IT-related investments focus more on accessing IT investments based on the financial returns (ROI) and the cost savings achieved from such investments.
This finding indicates that with chartered accountants being in the majority on these boards, effective control and monitoring of IT investments is achieved. The finding also reflects the dominance of the shareholder-focused model of corporate governance in these listed companies. It indicates that the enlightened shareholder model of corporate governance proposed by the Companies Act of 2008 (RSA 2008) and corporate governance practices have not been adopted by all listed companies. The focus of organisations is to achieve returns, mainly financial, on shareholders’ investment rather than pursuing the interest of all key stakeholders as proposed by the enlightened shareholder model.
Composition of independent non-executive directors and information technology competence and knowledge
As recommended by corporate governance best practices, a board must constitute a majority of independent non-executive directors (The King Committee 2009). As found in the literature, independent non-executive directors bring divergent and independent views to board deliberations and facilitate rigorous deliberation and effective decision-making. However, the findings of this study indicate that whilst 80% of organisations have a majority of independent non-executives on their boards, only 30% indicated having IT-knowledgeable, independent non-executives who contributed effectively to IT-related deliberations. Another 30% indicated having independent non-executives with low IT-related competences. Most participants indicated that the executives rather than non-executives on the board had championed IT-related deliberations. Accordingly, executives possess more IT-related skills and competences.
It can be concluded from these findings that effective IT oversight at a board level requires directors who are IT-knowledgeable and possess IT-related skills and competences. Therefore, the IT skills, competences and knowledge of directors, rather than their independence, are required for effective IT governance by the board.
Board subcommittees and the delegation of information technology governance
Legislation and corporate governance codes require a board to set up various board subcommittees to assist the board in carrying out its oversight responsibilities (The King Committee 2009). Terms of reference clearly defined by the board guide the work of the subcommittees. Similarly, various IT governance and management frameworks recommend the establishment of an IT governance committee at the board level.
This study found that whilst all organisations had various board subcommittees, none had a board-level IT subcommittee. However, 50% of participants indicated having an IT steering committee (ITSC) at management level. According to these participants, strategic and operational IT-related deliberation takes place on the ITSC, which mainly comprises executives, business representatives and IT managers. The ITSC reports to the audit committee.
The finding is that boards of organisations delegate IT governance oversight to board-level subcommittees such as risk and audit committees. Where ITSCs exist, their role is to assist audit committees.
The derived framework
Following the thematic analysis, the derived framework including the board characteristics is presented in Figure 4.
 |
FIGURE 4: Ako-Nai’s board-level information technology governance framework. |
|
Internal factors
These are themes that align to internal organisational structures that are instituted to effect organisations’ overall strategic objectives and how IT is positioned to enable the attainment of these strategic objectives.
Role of information technology within organisations
The findings of this study show that organisations use IT in three different ways: strategically to gain a competitive advantage, operationally to increase operational efficiency and as a service to provide added value to customers.
In the strategic use of IT, participants indicated that the oversight of board IT governance focuses on ensuring strategic alignment between the IT strategy and the business strategy. However, participants also indicated that boards rely on executives to justify the alignment between the business strategies and formulated IT strategy. Where executives justify this alignment, the board approves IT strategies and the associated implementation plans with convincing projections of the achievement of the strategic business goals. Boards further demand progress reports on the implementation plans (initiated IT projects) and institute measures to overcome implementation risks and issues.
In organisations that use IT to improve operational efficiency, this study found that boards focus on IT investments that aim to save operational costs. The board assesses IT investments associated with improving IT capacity and skills that are consistent with saving operational costs. To ensure cost saving in operations that implement IT investments, the board manages its oversight by obtaining ongoing IT capacity reports, including instituted measures to manage IT issues and risks. The study also found that the board requests management to confirm the existence of IT disaster recovery plans and testing schedules to affirm its effectiveness.
Regarding the use of IT to provide customer-added value, participants in the study indicated that for the oversight of IT investments, the board focuses on non-financial return (emotive) on investment, which comprises expected long-term benefits. The board subsequently requires reports from management in support of non-financial returns attained in terms of retained customers, improved customer satisfaction and customer loyalty.
From these findings, it can be deduced that the role and use of IT within the organisation influences the effectiveness of board IT governance.
Information technology leadership
The two classifications of IT leadership referred to in the literature are executive-level and non-executive-level IT roles (Coertze & Von Solms 2013). Most of the literature on IT governance recommends that IT leadership be the executive type. However, this study shows that only a minority (30%) of IT leadership includes executives; the majority (70%) are non-executives. This indicates that JSE-listed companies are not adhering to IT governance recommendations within the literature. However, the finding of this study also indicate that 40% of IT leadership of the companies that participated in this study had access to the board. According to the participants of this study, the board requires direct input and advice from IT leadership to assist in making IT-related decisions and to effect IT oversight. The board therefore has expert advice from IT leadership when required.
In the 60% of companies without direct IT leadership access to the board, the chief financial officers (CFOs) represented IT on the board. According to participants of the study, CFOs are unable to adequately address IT-related matters at the board level and mostly refer to IT management in order to obtain answers to queries from the board.
It can therefore be deduced from the findings of this study that granting IT leadership access to the board to provide needed IT expert advice and information enhances the effectiveness of the board’s IT governance. Irrespective of being executive or non-executive, IT leadership’s direct access to the board is more effective than through an intermediary like the CFO. Similarly, De Haes and Van Grembergen (2009) also state that a direct IT-reporting line to the chief executive officer (CEO) is one of the effective ways to achieve the successful implementation of IT governance. Information technology leadership that is closer to the CEO is better able to influence and communicate the importance and impact of IT to the CEO and subsequently to the board (Ferguson et al. 2013).
Information technology strategic alignment
According to a participant in this study, it is necessary for the board and executives to have a better understanding of the importance of IT and its use in driving the organisation’s strategy. Overall, 60% of participants in this study indicated that their organisation’s IT strategies enabled the organisation’s strategy. They stated that their strategy formulation followed a methodical process where the formulation of the IT strategy followed the business strategy to give effect to the business strategy.
In the 60% of organisations where the IT strategy enabled the organisation’s strategy, the boards assessed and approved IT investments that emanated from the IT strategy. The board scrutinised each IT investment to ensure that its approval was dependent on its strategic intent in effecting the organisation’s strategic goals.
An inference from the findings of this study is that the board oversees the alignment of the IT strategy to the business strategy by ensuring that a methodical strategy formulation process is in place. This process in turn ensures that the IT strategy follows and effects the business strategy (Benkhayat, El Manouar & Sadok 2015). Therefore, the board’s oversight gives priority to IT investments that are strategic and enables the organisation to achieve its strategic goals.
Information technology risk profile
The findings of the study indicate that 60% of participating organisations agree that IT has a real risk profile that requires specific attention. This was also confirmed in a study by Huff, Schroeder and Pauleen (2012).
Participants indicated that boards effect the oversight of IT risk through monitoring and controlling the assessment reports of the IT risk profile presented by management. These reports also include compliance to IT-related regulation and legislation. Boards are also concerned with IT risks emanating from advancing technologies such as Internet usage, social media, cybercrime, hacking and the need for information security.
It is evident that boards are very aware of IT risk and its impact on organisations. Therefore, boards effect IT governance oversight mainly by monitoring their companies’ risk profile at all times and ensuring that management implement adequate measures and controls.
Information technology investment and budget oversight
Information technology investment decisions have generally been driven by financial indicators such as ROI, profitability and return on assets (ITGI 2006; Parfitt & Tryfonas 2009). However, the finding is that some boards have shifted from the traditional financial basis of making IT investments. According to a participant:
‘… there is a lot of capital expenditure that you cannot motivate on a pure ROI or pure cost outlay basis … very often those investments are accepted on those basis [sic] that they might not have a measurable ROI …’ (Interviewee C9, respondent 1)
Participants indicated that boards consider ‘emotive’ justification, which involves investment outcomes that are non-financial or non-tangible. These outcome justifications include IT investment projects that improve customer satisfaction and loyalty as well as those that improve the skills and competence of employees.
It is clear from this study that the motive for IT investments in organisations extends beyond financial outcomes to include non-financial outcomes. Boards effect their oversight of IT investments by approving new policies that support non-financial motivation for IT investments.
Information technology policies, procedures and practices
The findings indicate that boards direct IT policy development, and executives oversee its implementation. This is consistent with recommended best practices and principles (Calder 2008; Sarbanes-Oxley Act 2002; The King Committee 2009). Most participants indicated that their boards monitor the effectiveness of IT policies and procedures and obtain assurance from management on the containment of IT-related risks.
Where IT policies have been ineffective, the board’s oversight has ensured that new policies have been developed and implemented by the executive management.
External factors
These are themes and their corresponding subthemes that indicate IT-related dynamics outside the direct control of organisations and their boards. Participants provided various approaches used by their boards to effect oversight within these dynamics.
Compliance regulations and legislation
A board’s IT governance responsibility and oversight ensures the achievement and observation of legal and regulatory compliance (Aguilera & Jackson 2010; Aoki 2010). Evidently, organisations have endeavoured to achieve and maintain compliance to avoid the high risk and associated severe consequences of non-compliance.
The finding of this study is that organisations use both internal and external auditing processes to effect compliance with IT-related regulations and legislations. Most participants indicated that their boards monitored and effected control of compliance in a proactive manner. The finding is thus that boards demand assurance from management via comparative reports that affirm the existence of measures instituted to manage and sustain compliance.
Information technology trend awareness and response
Participants indicated that boards are very aware of IT trends and the possible impact of demands from management reports on their organisations. Participants further indicated that their boards are aware of the current IT trends such as cloud computing, cyber security and social media. The finding of this study is that the board’s main concerns with IT trends are the related risk and potential negative impact on organisations. Most participants highlighted their board’s concern with social media and its potential impact on the organisation’s name and brand equity.
Negative perceptions of organisations on these platforms are likely to significantly affect these organisations’ brand, reputation and hence revenue. Organisation brand equity is central to the organisation’s existence, as high and sustained brand equity affects sustainable profitability (Cretu & Brodie 2007).
Whilst the findings of this study on the board’s awareness and potential impact on organisations are consistent with the literature (Loane 2005; Spremic & Popovic 2008), boards have become more proactive in their oversight. Following information obtained on global IT trends, boards demand that management present new IT trends and new policies in order to proactively protect the organisation against potential threats.
The finding of this study is that boards invest in projects that extend their organisations’ presence on these social media platforms. These investments include IT systems (including apps) that present content that strengthens the organisation’s brand and that monitor brand-related issues on the platforms. They also proactively develop policies to combat possible threats to the organisation and have improved the board’s IT governance effectiveness.
Supporting information technology governance frameworks
Most of the participants indicated that organisations develop IT governance frameworks in-house to meet their own internal requirements. These IT governance frameworks are presented to the board for review and approval.
The finding is that IT governance frameworks developed in-house often fit the organisation’s corporate governance requirements. These frameworks have assisted boards to effect IT governance and assisted executives and IT leadership on strategic IT acquisition, implementation and maintenance.
Information technology value considerations
Participants indicated that their board’s decisions on IT investments are influenced by the investment’s expected value-add to the organisation. They also stated that the board recognises IT value beyond the ‘old school’ business models driven by financial returns on the organisation’s IT investments.
The findings indicate that boards consider and approve IT investment projects that positively influence the performance and output of their organisation’s internal and external stakeholders (including the employees, customers, suppliers and subcontractors). Whilst the justification for these IT projects is non-tangible, the value of the output permeates the organisational performance as a whole.
According to Ho, Wu and Zin (2011) and Kohli and Grover (2008), the organisational value attributed to the use of IT extends beyond tangible financial measures. The finding of this study is that boards’ understanding of IT value indeed extends beyond tangible and financial returns and includes efficiencies gained in the use of IT in engaging with organisational stakeholders.
Information technology governance in outsourced information technology environment
The findings indicate that organisations with significant outsourced IT services do not have IT leadership positions within the organisation. In such organisations, the CFO fills the role of IT leadership and depends extensively on external service providers for advice on internal IT-related matters.
The significant finding of this study is that organisations with extensive outsourced IT services lack IT governance oversight capability. From the findings, the only IT governance capacity found within these organisations is the role of the CFO as the IT leadership representative. Information technology governance oversight therefore does not exist at the board level but rather extends outside the organisation to the service provider. This calls on organisations with significant IT outsourcing to endeavour to develop IT governance capability to underpin their IT governance decision-making structures.
Effecting board-level information technology governance and assurance
According to participants, their boards’ assurance of IT governance is effected through both internal and external structures. Participants indicated three types of internal structures, namely the risk committee, audit committee and sustainability committee. The external structures include management consulting companies and experts.
It is clear from the findings that boards rely on audit committees in ensuring compliance to legislation and regulation, and the implementation of approved policies and process controls. The risk committee focuses more on IT risk-related matters whilst external experts and consulting firms provide independent and objective views regarding the assessment of IT governance.
Whilst the use of internal and external structures to support the board is consistent with corporate governance codes and practices (RSA 2008; The King Committee 2009; UK Code 2012), some participants were of the view that the entire board should discuss IT governance rather than just limiting this to board subcommittees.
The findings indicate that boards ensure that risk and audit committees possess the needed skills and competences and are adequately resourced to deliver on the expectations of the board.
Board challenges
The findings indicate that boards face challenges in their pursuit of effective board-level IT governance. According to participants, their board’s deliberation on IT-related matters is dominated by executives with minimal contributions from non-executive board members. Most participants indicated that their boards lack understanding of strategic IT, the ‘IT master plan’ and its strategic alignment to the business strategy as presented by IT leadership.
Organisations are unable to effectively access and evaluate strategic opportunities presented by IT because of limited strategic IT skills and competence. The result is that boards are unable to critically and adequately assess IT risk and its potential organisational impact.
Recommendations
The literature shows that IT governance frameworks have mostly focused on management-level issues across the organisations that failed to capture the relevant elements of IT governance that enable boards to effectively implement IT governance (Damianides 2005; Peterson 2001; Weill & Ross 2004).
Thus, boards continue to face numerous challenges IT governance oversight, which include the lack of relevant IT knowledge to raise appropriate questions that interrogate IT issues and give the needed directives (Dahberg & Kivijarvi 2006; Damianides 2005; Short & Gerrard 2009). This is also compounded by the lack of clarity between IT governance and IT management by many of the existing IT governance frameworks.
The challenges of IT governance oversight thus require an IT governance framework that focuses on board-level corporate governance responsibilities, which can enable the board to perform its IT governance oversight without the confusion of other non-board-level issues (Jordan & Musson 2004; Raghupathi 2007).
Whilst Cobit 5 is the most commonly used IT governance framework highlighted within the literature, its proposed governance processes still require the board to set up and maintain an IT governance framework, thus requiring specific knowledge and identification of necessary factors to consider and include in the framework.
The framework derived from this study (Figure 4) therefore provides direct input into an IT governance framework for a board based on the board’s defined corporate governance responsibilities. The framework provides specific internal and external factors for the board to focus on, and required board characteristics that would positively enhance the board’s IT governance effectiveness.
The derived framework therefore provides a unique combination of factors and board characteristics that have not been previously considered and thus represent a unique contribution to the literature. Further research is proposed to test and validate the application components of the framework.
Conclusion
To improve IT governance within an organisation, in-house IT governance frameworks are developed. However, the quality and content of these frameworks have been questioned by external assurance agencies. Although the majority of boards have taken accountability for IT governance oversight, delegating the responsibility to board subcommittees weakens the ability of these boards to effectively interrogate strategic IT matters directly. However, whilst organisations have improved their board-level IT governance, those with a significant outsourced IT are ineffective in governing their IT.
Driven by the determination for organisational sustainability, organisations’ use of IT with non-tangible returns on the investment has received significant consideration at the board level. Information technology investment projects that enable organisational sustainability include IT implementation to obtain quality information for effective decision-making, the improvement of information security and the continuing of organisational brand equity.
Overall, this empirically developed board-level IT governance framework is therefore a unique contribution to the body of knowledge in corporate governance. However, the framework would have to be empirically tested and validated in follow-up studies. This would highlight which factors and aspects of IT governance identified in the framework significantly impact organisational performance.
Limitation
The results of this study cannot be generalised across the entire population of the JSE because of the purposive sampling technique used. Generalisability of the results is limited to only listed private companies located with the KwaZulu-Natal province. It is recommended that a similar study be carried out using a quantitative approach with a simple random sample across the entire JSE population with more generalisable results.
Another limitation is that the cases were not analysed per type of industry. A similar study that includes a more in-depth analysis per industry to understand the difference in the nature of IT governance across industries of listed companies is thus recommended.
Acknowledgements
The University of KwaZulu-Natal is acknowledged for their support of the study as part of A.A.-N.’s doctorate degree.
Competing interests
The authors declare that they have no financial or personal relationships that may have inappropriately influenced them in writing this article.
Authors’ contribution
This study was a student and supervisor collaboration. The main research was conducted by A.A.-N. under the supervision of A.M.S.
References
Aguilera, R.V. & Cuervo-Cazurra, A., 2004, ‘Codes of good governance worldwide: What is the trigger?’, Organization Studies 25(3), 415–443. https://doi.org/10.1177/0170840604040669
Aguilera, R.V. & Jackson, G., 2010, ‘Comparative and international corporate governance’, The Academy of Management Annals 4(1), 485–556. https://doi.org/10.5465/19416520.2010.495525
Akingunola, R.O., Adekunle, O.A. & Adedipe, O.A., 2013, ‘Corporate governance and bank’s performance in Nigeria (Post–bank’s consolidation)’, European Journal of Business and Social Sciences 2(8), 89–111.
Ali, S. & Green, P., 2012, ‘Effective information technology (IT) governance mechanisms: An IT outsourcing perspective’, Information Systems Frontiers 14(2), 179–193. https://doi.org/10.1007/s10796-009-9183-y
Aoki, M., 2010, Corporations in evolving diversity: Cognition, governance, and institutions, Oxford University Press, New York.
Ayuso, S., Rodríguez, M.A., García-Castro, R. & Ariño, M.A., 2014, ‘Maximizing stakeholders’ interests: An empirical analysis of the stakeholder approach to corporate governance’, Business & Society 53(3), 414–439. https://doi.org/10.1177/0007650311433122
Balsmeier, B., Buchwald, A. & Zimmermann, S., 2013, ‘The influence of top management corporate networks on CEO succession’, Review of Managerial Science 7(3), 191–221. https://doi.org/10.1007/s11846-011-0073-6
Bart, C. & Turel, O., 2010, ‘IT and the board of directors: An empirical investigation into the “governance questions” Canadian board members ask about IT’, Journal of Information 24(2), 147–172.
Benkhayat, A., El Manouar, A. & Sadok, H., 2015, ‘Firm business strategy and IT strategy alignment: A proposal of a new model’, in 2015 Xth International Scientific and Technical Conference “Computer Sciences and Information Technologies” (CSIT), Lviv, Ukraine, September 14–17, 2015, pp. 172–178, IEEE Computer Society Washington, DC.
Calder, A., 2008, ISO/IEC 38500: The IT governance standard, IT Governance Ltd., Cambridgeshire.
Coertze, J. & Von Solms, R., 2013, ‘The board and IT governance: A replicative study’, African Journal of Business Management 7(35), 3358–3373. https://doi.org/10.5897/AJBM2013.7172
Cretu, A.E. & Brodie, R.J., 2007, ‘The influence of brand image and company reputation where manufacturers market to small firms: A customer value perspective’, Industrial Marketing Management 36(2), 230–240. https://doi.org/10.1016/j.indmarman.2005.08.013
Dahlberg, T. & Kivijarvi, H., 2006, ‘An integrated framework for IT governance and the development and validation of an assessment instrument’, The 39th Hawaii International Conference on System Sciences, January 8–11, 2019, pp. 1–10, IEEE, Kauai, HI.
Damianides, M., 2005, ‘SOX and IT governance: New guidance on IT control and compliance’, Information Systems Management 22(1), 77–85. https://doi.org/-10.1201/1078/44912.22.1.20051201/85741.9
De Andres, P. & Vallelado, E., 2008, ‘Corporate governance in banking: The role of the board of directors’, Journal of Banking & Finance 32(12), 2570–2580. https://doi.org/10.1016/j.jbankfin.2008.05.008
De Haes, S. & Van Grembergen, W., 2009, ‘An exploratory study into IT governance implementations and its impact on business/IT alignment’, Information Systems Management 26(2), 123–137. https://doi.org/10.1080/10580530902794786
Ferguson, C., Green, P., Vaswani, R. & Wu, G.H., 2013, ‘Determinants of effective technology governance’, International Journal of Auditing, 17(1), 75–99.
Ghauri, P.N. & Grønhaug, K., 2005, Research methods in business studies: A practical guide, Pearson Education, London.
Hendry, K. & Kiel, G.C., 2004, ‘The role of the board in firm strategy: Integrating agency and organisational control perspectives’, Corporate Governance: An International Review 12(4), 500–520. https://doi.org/10.1111/j.1467-8683.2004.00390.x
Ho, J.L.Y., Wu, A. & Xu, S.X., 2011, ‘Corporate governance and returns on information technology investment: Evidence from an emerging market’, Strategic Management Journal 32(6), 595–623. https://doi.org/10.1002/smj.886
Huff, S., Schroeder, A. & Pauleen, D., 2012, ‘KM governance: The mechanism for guiding and controlling KM programs’, Journal of Knowledge Management 16(1), 3–21. https://doi.org/10.1108/13673271211198918
IT Governance Institute, 2006, Enterprise value: Governance of IT investments, the Val IT framework, Rolling Meadows, IL.
IT Governance Institute, 2008, Unlocking value: An executive primer on the critical role of IT governance, Rolling Meadows, IL.
Iturralde, T., Maseda, A., Arosa, B. & Garcia-Ramos, R., 2016, ‘Boards of directors in SMEs: An empirical evidence of board task performance’, South African Journal of Business Management 47(4), 47–58. https://doi.org/10.4102/sajbm.v47i4.74
Jacobson, D.D., 2009, ‘Revisiting IT governance in the light of institutional theory’, in HICSS’09. 42nd Hawaii International Conference on System Sciences, January 05–08, 2009, pp. 1–9, IEEE Computer Society, Washington, DC.
Jewer, J. & McKay, K.N., 2012, ‘Antecedents and consequences of board IT governance’, Institutional and Strategic Choice Perspectives 13(7), 581–617.
Jordan, E. & Musson, D., 2004, Corporate governance and IT governance: Exploring the board’s perspective, viewed 01 June 2016, from https://www.researchgate.net/profile/Ernest_Jordan/publication/228296166_Corporate_Governance_and_IT_Governance_Exploring_the_Board%27s_Perspective/links/00b49532f8aff10534000000.pdf?origin=publication_list
Kohli, R. & Grover, V., 2008, ‘Business value of it: An essay on expanding research directions to keep up with the times’, Journal of the Association for Information Systems 9(1), 23–39. https://doi.org/10.17705/1jais.00147
Krause, R., Semadeni, M. & Cannella, A.A., 2013, ‘External COO/presidents as expert directors: A new look at the service role of boards’, Strategic Management Journal 34(13), 1628–1641. https://doi.org/10.1002/smj.2081
Kumar Vinod & Associates, 2014, Geographic Information Systems for Smart City, Copal Publishing, New Delhi.
Li, C., Peters, G.F., Richardson, V.J. & Watson, M.W., 2012, ‘The consequences of information technology control weaknesses on management information systems: The case of Sarbanes-Oxley internal control reports’, MIS Quarterly 179–203. https://doi.org/10.2307/41410413
Loane, S., 2005, ‘The role of the Internet in the internationalisation of small and medium sized companies’, Journal of International Entrepreneurship 3(4), 263–277. https://doi.org/10.1007/s10843-006-7855-y
Marks, N., 2010, ‘The pulse of IT governance: Gauging the effectiveness of technology strategy and usage can be critical to maintaining organizational health’, Internal Auditor 67(4), 32–37.
Mohamed, N., Kaur, J. & Singh, G., 2012, ‘A conceptual framework for information technology governance effectiveness in private organizations’, Information Management & Computer Security 20(2), 88–106. https://doi.org/10.1108/09685221211235616
Ogbechie, C.I., 2012, ‘Key determinants of effective board of directors: Evidence from Nigeria’, Doctoral dissertation, Brunel University, London.
Parent, M. & Reich, B.H., 2009, ‘Governing information technology risk’, California Management Review 59(3), 134–152. https://doi.org/10.2307/41166497
Parfitt, M. & Tryfonas, T., 2009, ‘Painless: A model for IT governance assessment in the UK public sector’, The EDP Audit Control & Security Newsletter 39(2–3), 1–25. https://doi.org/10.1080/07366980902907779
Pearlson, K.E., Saunders, S.C. & Galleta, D.F., 2009, Managing & using information systems: A strategic approach, John Wiley & Sons, Hoboken, NJ.
Peterson, R.R., 2001, ‘Configurations and coordination for global information technology governance: Complex designs in a transnational European context’, in Proceedings of the 34th Annual Hawaii International Conference on System Sciences, January 03–06, 2001, p. 10, Washington, DC.
Peterson, R.R., 2004, ‘Crafting IT governance’, Information Systems Management 21(4), 7–22. https://doi.org/10.1201/1078/44705.21.4.20040901/84183.2
Raghupathi, W., 2007, ‘Corporate governance of IT: A framework for development’, Communication of the ACM 50(8), 94–99. https://doi.org/10.1145/1278201.1278212
Republic of South Africa (RSA), 2008, Companies Act 71 of South Africa, Government Printer, Pretoria.
Sambamurthy, V. & Zmud, R.W., 1999, ‘Arrangements for information technology governance: A theory of multiple contingencies’, MIS Quarterly 23(2), 261–290. https://doi.org/10.2307/249754
Schwertsik, A.R., Wolf, P. & Krcmar, H., 2010, ‘Understanding IT governance: Towards dimensions for specifying decision rights’, in M. Schumann, L.M. Kolbe, M.H. Breitner & A. Frerichs (eds.), Multikonferenz Wirtschaftsinformatik, pp. 207–218, Universitätsverlag Göttingen, Göttingen.
Short, J. & Gerrard, M., 2009, IT governance must be driven by corporate governance, Gartner, Stamford, CT.
Simonsson, M. & Johnson, P., 2006, Defining IT governance: A consolidation of literature, Royal Institute of Technology, Stockholm.
Sarbanes-Oxley Act Public Law No. 107–204, 2002, Government Printing Office, Washington DC.
Soltani, B., 2014, ‘The anatomy of corporate fraud: A comparative analysis of high profile American and European corporate scandals’, Journal of Business Ethics 120(2), 251–274. https://doi.org/10.1007/s10551-013-1660-z
Spremic, M. & Popovic, M., 2008, ‘Emerging issues in information technology governance: Implementing the corporate IT risks management model’, WSEAS Transactions & Systems 7(3), 219–228.
Stevenson, W.B. & Radin, R.F., 2015, ‘The minds of the board of directors: The effects of formal position and informal networks among board members on influence and decision making’, Journal of Management & Governance 19(2), 421–460. https://doi.org/10.1007/s10997-014-9286-9
The King Committee, 2009, King Report on Governance for South Africa, Institute of Directors, Johannesburg.
UK Code 2012 [Council, F.R.,[2012], The UK corporate governance code, September, London.
Veasey, N.E., 2004, ‘The judiciary’s contribution to the reform of corporate governance’, Journal of Corporate Law Studies 4, 225–241. https://doi.org/10.1080/14735970.2004.11419920
Webb, P., Pollard, C. & Ridley, G., 2006, ‘Attempting to define IT governance: Wisdom or folly?’, in Proceedings of the 39th Annual Hawaii International Conference on System Sciences, Kauai, HI, United States, January 04–07, 2006, pp. 1–10.
Weill, P. & Ross, J.W., 2004, IT governance. How top performers manage IT decision rights for superior results, Harvard Business School Press, Boston, MA.
Yaghoubi, R., Yaghoubi, M., Locke, S. & Gibb, J., 2016, ‘Mergers and acquisitions: A review (part 2)’, Studies in Economics and Finance 33(3), 437–464. https://doi.org/10.1108/SEF-07-2015-0165
Yin, R.K., 2013, ‘Validity and generalization in future case study evaluations’, Evaluation 19(3), pp.321–332.
| 
Hide
Show all
Email this article (Login required)
