Discussion 5
RESEARCH ARTICLE
Board-level IT governance and organizational
performance
Ofir Turel1 and Chris Bart2
1Steven G. Mihaylo College of Business and
Economics, California State University, Fullerton,
CA, U.S.A.; 2DeGroote School of Business, McMaster University, Hamilton, Ontario,
Canada
Correspondence: Ofir Turel, Steven G. Mihaylo College of Business and Economics, California State University, 800 N. State College Blvd., P.O. Box 6848, Fullerton, CA 92834-6848, U.S.A. Tel: þ1 657 278 5613
Both authors contributed equally to this work
Received: 24 October 2011 Revised: 26 January 2012 2nd Revision: 27 August 2012 3rd Revision: 5 November 2012 4th Revision: 11 December 2012 5th Revision: 13 December 2012 Accepted: 14 December 2012
Abstract Research on the strategic management of Information Technology (IT)
resources has mostly focused on the oversight provided by the management
team as a means to increase organizational performance. In recent years, boards of directors have also increased their involvement in IT matters, and
various theoretical lenses suggest that this oversight too has the potential
to influence organizational performance. Hence, this study synthesizes the resource-based and contingency views of MIS with corporate governance
theories, and examines key antecedents and consequences of board-level IT
governance (ITG) using a multi-method approach. Structural Equation Modell- ing analysis applied to organization-level data collected from 171 board
members suggested that the level of ITG exercised by boards was contingent
upon the organization’s ‘IT use mode’, along the two dimensions of need for
(a) fast and reliable IT, and (b) new innovative IT. But, the findings further suggested that the contingency approach may be suboptimal because it can
cause new ways of leveraging IT to be ignored. High levels of board-level ITG,
regardless of existing IT needs, increased organizational performance. This phenomenon was illuminated with applicability checks. Moreover, content
analysis and structured interviews with board members further enriched these
insights. European Journal of Information Systems (2014) 23, 223–239. doi:10.1057/ejis.2012.61; published online 5 February 2013
Keywords: IT governance; board of directors; resource-based view; strategic grid; organizational performance; corporate governance
Introduction The business value of Information Technology (IT) has been studied over the last two decades (Mukhopadhyay et al, 1995; Hitt & Brynjolfsson, 1996; Devaraj & Kohli, 2000; Kohli & Devaraj, 2003), in part, to try to demystify the productivity paradox (Brynjolfsson, 1993) and to help companies understand the merits of investing in IT (Devaraj & Kohli, 2003; Kohli & Devaraj, 2003; McAfee & Brynjolfsson, 2008). This line of research has especially examined how IT resources and capabilities, including IT artefacts, policies, managerial capabilities, and human capital, influence firm performance (Melville et al, 2004; Kohli & Grover, 2008). A critical mass of studies now indicates that technology does create value when it is synergistically embedded into value creation processes (Melville et al, 2004; Wade & Hulland, 2004; Kohli & Grover, 2008); and that this effect depends on many factors, including IT management and planning capabilities and processes, which are the focus of this study. These include the ability to effectively manage IT resources, identify fruitful projects, lead the IT function, and coordinate IT needs and solutions with stakeholders (Melville et al, 2004)
European Journal of Information Systems (2014) 23, 223–239 & 2014 Operational Research Society Ltd. All rights reserved 0960-085X/14
www.palgrave-journals.com/ejis/
The current study expands this view, and examines the antecedents and organizational performance conse- quences of often overlooked IT management processes, more specifically, IT governance (ITG) by the board of directors. ITG is ‘an integral part of enterprise governance and consists of the leadership and organizational struc- tures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives’ (IT Governance Institute, 2003, p. 10). Con- sistent with the definition by the IT Governance Insti- tute, IT is treated as a broad concept that encapsulates technical infrastructure, the supporting organizational structure, and IT management capabilities and processes. Because ITG is the responsibility of the executive manage- ment team and the board of directors (IT Governance Institute, 2003, p. 10), we use the term board-level ITG to narrow the focus of this study on boards of directors and their ITG-related actions. Relying on the above definition of ITG, board-level ITG is defined as the board’s actions to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. While board- level ITG may be an important practice that can drive organizational performance, little is known about it (Nolan & McFarlan, 2005; Bart & Turel, 2010). We seek to partially fill this gap, and examine whether the level of ITG exercised by boards is based on the IT use mode of the organization (an internal contingency), whether this con- tingency approach has merit, and whether performance gains caused by ITG exercised by boards are sustainable.
We first rely on several theoretical lenses to explain how boards’ ITG practices can influence organizational performance. Taking a resource-based perspective (Peter- af, 1993; Hart, 1995), board-level ITG can be conceived as a managerial IT resource, which can add value to the executive management team and the organization in four ways by: (1) facilitating strategic leadership, (2) advising the executive management team, (3) establishing con- trol mechanisms to protect the principals’ (stakeholders) interests from self-interest actions of the executive man- agement team (agents), and (4) enabling access to external resources (e.g., knowledge, capital) (Zahra & Pearce, 1989; Johnson et al, 1996). All of these can apply to IT issues as later explained. As such, board-level ITG has the potential to complement and supplement the more commonly examined resource of executives’ IT management practices and decisions.
Given the presumed influence of board-level ITG on organizational performance, it is also desirable to under- stand some of its antecedents and the way they poten- tially interact with ITG practices. One such factor can be the organization’s mode of IT use (Nolan & McFarlan, 2005); that is, the extent to which IT is used for strategic- offensive purposes and the extent to which IT needs to be fast and reliable. These factors are used by Nolan & McFarlan (2005) as the basis for offering prescriptive ITG guidelines for boards. When either one of the suggested IT needs is high, a higher level of ITG by the board is prescribed to the organization. Employing a contingency
view (Fiedler, 1964; Weill & Olson, 1989), the board is likely to assess, at least to some extent, the particular IT situation of their organization and use this information for deciding on the optimal level of ITG. We therefore propose that the level of ITG by the board depends, in part, on the organization’s need for (1) fast and reliable IT, and (2) innovative and competitive IT. These organi- zational IT needs can also moderate the proposed effect of ITG on firm performance. Specifically, it is proposed that the fit between these needs (the IT use mode) and the prescribed level of ITG by the board should augment firm performance.
Altogether, this model conceptualizes and examines board-level ITG, some of the mechanisms that drive its enactment and how such actions translate to firm performance. The proposed model is first tested with Structural Equation Modelling techniques applied to data collected from 171 board members. While the hypothe- sized direct effects were supported, the moderation (fit between the prescribed and exercised level of ITG) effects were not, which implies that board-level ITG increases organizational performance regardless of the IT needs of the organization. We then shed more light on these insights by using applicability checks, and by using struc- tured interviews and content analysis to develop a better understanding of the potential sustainability of board- level ITG effects and ways to improve board-level ITG. Ultimately the findings enrich and advance the IT value and management literatures by adding one missing piece – board-level ITG. Presumably, this missing piece can influence many other IT capabilities and resources discussed in the MIS literature, and ultimately improve organizational performance. Thus, this study develops a platform for future research on the antecedents, forms and configurations, and consequences of ITG by an organization’s board of directors.
Theoretical background This section provides an overview of three concepts that are pertinent to this study: (1) board-level ITG and its difference from governance by executive management; (2) the IT environment as an internal contingency that can influence board-level ITG; and (3) IT management capabilities and their effects on organizational perfor- mance. Other concepts and theories are embedded in the hypotheses section.
Board-level ITG ITG is an oversight practice that is executed by both the board of directors and the executive management team. Its objective is to ensure effective utilization of IT such that: (1) IT is aligned with the enterprise, (2) IT allows the organization to exploit opportunities, (3) IT resources are used responsibly, and (4) IT risks are managed appropria- tely. These four foci are intertwined with performance measurement – the board and the executive management team need to track project plans and delivery, and monitor IT services and risks (IT Governance Institute, 2003).
Board-level IT governance and organizational performance Ofir Turel and Chris Bart224
European Journal of Information Systems
Similar views regarding the scope of ITG have been expressed in multiple studies (O’Donnell, 2004; Read, 2004; Trites, 2004).
Several associations and standardization bodies have attempted to develop ITG frameworks, including Val IT (framework for planning, executing and monitoring the extraction of value from IT-enabled processes), and COBIT (Control Objectives for Information and related Technol- ogy) which are endorsed by the IT Governance Institute (see www.itgi.org). Others include ISO/IEC 38500 (Standard for Corporate Governance of IT, 2008) by the International Organization for Standardization, and COSO (Committee of Sponsoring Organizations) guidelines for internal con- trol systems, fraud prevention, and risk management (see www.coso.org). However, there is no single widely accepted ITG framework (Raghupathi, 2007; Wilkin & Chenhall, 2010).
Given the importance of ITG, it should include signi- ficant board involvement (Read, 2004). The board of directors is a group that oversees the management of an organization. Their general corporate governance respon- sibilities include strategic planning and monitoring, ensuring policies and resources for achieving targets, validating internal controls, and making sure risks are identified and monitored. Boards of directors approve all major decisions, often provide advice and counsel to executives (external directors can bring insights from other organizations with which they are involved), and monitor both management’s actions and the resultant performance (Daily et al, 2003a, b). All of these duties can have IT links, which behove the board to engage in ITG (Trites, 2004). Boards obtain information for their ITG duties (e.g., for risk assessment, assessment of needed resources, and examination of strategic needs) by raising IT issues in the boardroom and asking management questions about existing and potential IT risks, invest- ments, and strategic plans (Bart & Turel, 2010). These questions can drive management to examine overlooked IT issues, find funding sources for IT projects, and ensure that managers act according to the best interest of stakeholders.
While board-level ITG is an important topic (Nolan & McFarlan, 2005), there has been little empirical research on it. Studies thus far have focused on ITG by executives and IT managers but not on ITG by the board (see review in Wilkin & Chenhall, 2010). These studies mostly show, through a resource-based lens, that management over- sight regarding IT adds value. We argue that board-level ITG can add value beyond the value produced by execu- tives’ ITG practices. Other authors discuss the ITG respon- sibilities of board members (O’Donnell, 2004; Read, 2004; Trites, 2004; Wilkinson, 2004) or suggest conceptual ITG development frameworks (Raghupathi, 2007). These conceptual papers have highlighted the potential impor- tance of board-level ITG and the need to further study empirically this essential practice. This paper extends these works, and examines a theory-based framework explicating the links between the IT environment of an
organization, board-level ITG, and organizational perfor- mance.
The IT environment and board-level ITG Boards often respond to industry demands while taking into account the internal situation of the organization (Zahra & Pearce, 1989; Minichilli et al, 2009). They should therefore employ contingent governance – change their governance style and foci based on the internal and external situations they perceive (Strebel, 2004). It is reasonable to expect that the same applies to IT issues, and that boards consider, among other things, the way the organization utilizes IT when they decide on their ITG efforts.
What may be the key situational IT criteria (the con- tingency factors) boards would normally consider? Researchers have advanced the notion of the IT strategic grid (McFarlan et al, 1983; Cash et al, 1988) to the board level. They argue that one important consideration is the organization’s ‘IT usage mode’ which is based on two criteria: (1) the need for new, cutting-edge technologies to gain (or sustain) competitive advantage (‘high need/ offensive use’ vs ‘low need/defensive use’), and (2) the need for fast and reliable information technologies (high need vs low need) (Nolan & McFarlan, 2005). The two contingency factors, the four resultant modes (i.e., factory, strategic, support, and turnaround), as well as the 14 indicators for determining a firm’s classification, are depicted in Figure 1.
Companies in the ‘turnaround mode’ do not need fast, reliable IT systems and so there is a greater expectancy for potential system failures. Such companies, though, will still attempt to use innovative, less tested technologies ‘offensively’ to help them implement major transforma- tions, reduce costs, and gain strategic advantage. In con- trast, companies in the strategic mode heavily rely upon both expensive state-of-the-art IT for producing significant strategic gains and quick, highly reliable systems (which typically require stronger IT security, stability, and backup than those in the turnaround mode). When companies do not need such revolutionary technologies to thrive strate- gically but nevertheless require rapid response and reliable IT to carry out major operations (e.g., an automated auto assembly line), their IT usage is more ‘defensive’ in nature and they are categorized as ‘factory mode’. Finally, ‘support mode’ companies are those in which both the need for IT response swiftness and reliability is low and there is a low need for new state-of-the-art technologies to stay in business (i.e., IT is used only for defensive purposes).
IT management capabilities and organizational performance Organizational performance captures an organization’s health along financial, systemic, and social dimensions (Zahra & Pearce, 1989). The financial performance dimension focuses on wealth maintenance and creation; the systemic performance dimension focuses on sur- vival and growth; and the social performance dimension
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 225
European Journal of Information Systems
captures organizations’ responses to societal expecta- tions. We adopt a slightly narrower view in this study, and focus mostly on the financial performance dimen- sion for two key reasons. First, the systemic and social dimensions often translate into companies’ bottom-lines and are hence reflected in their financial performance (McGuire et al, 1988; Habbershon et al, 2003). Second, it is likely to be easier for directors to observe, reflect, and report on overall financial performance as opposed to the other two.
IT investments translate into financial payoffs predo- minantly when IT management capabilities and pro- cesses supplement the investment in IT (Mata et al, 1995; Santhanam & Hartono, 2003). The rationale of this effect is that managerial IT skills meet three criteria for sustained competitive advantage (Mata et al, 1995), and that such an advantage often translates to improved performance (Bharadwaj, 2000; Wiggins & Ruefli, 2002). First, IT management capabilities are valuable and can influence firm performance (Lewis & Byrd, 2003; Ravichandran & Lertwongsatien, 2005; Byrd et al, 2006). Second, managerial IT capabilities are heterogeneously distributed across competing firms; that is, not all firms possess this capability to the same extent (Weill, 2004; Weill & Ross, 2004). Finally, managerial IT capabilities are imperfectly mobile. They are very difficult to develop and require long periods of learning by doing and trial and error (Mata et al, 1995). Indeed, the potential influences of different facets of managerial IT capabilities on organizational performance have gained support in multiple studies (Armstrong & Sambamurthy, 1999; Bharadwaj, 2000; Lewis & Byrd, 2003; Santhanam & Hartono, 2003; Ravichandran & Lertwongsatien, 2005). This study argues that board-level ITG is an overlooked IT management capability that can also influence organiza- tional performance.
Figure 2 synthesizes the concepts reviewed in this section and depicts the resultant research model and associated hypotheses which we develop in the next section.
Hypotheses The literature thus far has mostly implied that IT manage- ment capabilities are a property of the IT unit, and/or of the executive management team (i.e., the CEO, CIO, and other executives) (Armstrong & Sambamurthy, 1999; Wade & Hulland, 2004). However, several studies suggest that boards can oversee and steer an organization’s IT manage- ment efforts (Nolan & McFarlan, 2005; Appleby, 2008). Accordingly, we conjecture that ITG by the board is a special and important IT management capability – worthy of separate treatment, investigation, and nomenclature. To this end, we propose that board-level ITG meets the three criteria suggested by Mata et al (1995) for sustained strategic impact of IT resources, and that it has the resource attributes specified by Wade & Hulland (2004) for achiev- ing at least a short term strategic advantage.
First, several studies show that firm executives, includ- ing the CEO, CIO, and their interactions can influ- ence organizational performance (Chatterjee et al, 2001; Preston et al, 2008; Chen et al, 2010; Johnson & Lederer, 2010). However, the actions of top executives can be guided and monitored, in part, by the plans and demands set by the board of directors (Laux, 2010; O’Shannassy, 2010).
Factory Mode
- One-minute system failure causes loss of business
- Response time lag has serious consequences for users
- Core business activities are online
- Most systems work is maintenance
- Systems work provides little strategic value or cost saving
Support Mode - 12-hour service interruption causes no serious
consequences Online userre sponse time can take up to 5 seconds
- Systems are mostly invisible to customers and suppliers
- 80% of value transactions can quickly revert to manual - Most systems work is maintenance
Strategic Mode
- One-minute system failure causes loss of business
- Response time lag has serious consequences for users
- New systems promise major transformations and cost reductions
- New systems will close gaps with competitors
Turnaround Mode
- New systems promise major transformations and cost reductions
- New systems will close gaps with competitors - IT is more than 50% of capital spending - IT is more than 15% of total corporate expenses
Need for New IT (with strategic impact)
Low Need (Use IT Defensively)
N ee
d fo
r Sp
ee d
& R
el ia
bi lit
y
H ig
h L
ow
High Need (Use IT Offensively)
Figure 1 Contingency variables for board-level ITG, the emergent IT use modes, and their indicators (adapted from Nolan &
McFarlan (2005) as adapted from the original strategic impact grid described in McFarlan et al (1983)).
Need for New IT (Low = Defensive, High = Offensive)
Need for Fast & Reliable IT
(Low Need, High Need)
Level of ITG by the Board
Perceived Organizational Performance
H1
Contingency Variables
Board’s IT Oversight Practices
Outcome
H 2b
H 2a
H3a
H 3b
Figure 2 Research model.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart226
European Journal of Information Systems
The board directs (or limits) the executive management team’s attention to the business areas, and presumably also IT issues, the board perceives to be important through the questions and requests they raise in the boardroom. These efforts have been linked to organiza- tional performance (Mueller & Barker, 1997; Cannella & Hambrick, 2001).
Extending this view, we argue that board-level ITG can add value to other IT management resources, such as the executive management team’s IT management capabil- ities. First, from a resource-dependence view (Johnson et al, 1996), directors are often affiliated with multiple organizations, vendors, and customers, and have indus- try and governance experience (Zahra & Pearce, 1989). They therefore often provide organizations with access to resources, such as knowledge and capital, to which execu- tives may not have access. External knowledge may include the IT oversight practices developed in another organization or experiences gained with an outsourcing vendor. Access to capital may include the ability to secure funds for a system implementation project. By so doing they can influence management foci and the quality of their decisions, and ultimately allow better orchestra- tion of external demands and resources with internal needs and capabilities. Second, taking an agent-theoretic perspective (Eisenhardt, 1989), the board can raise IT questions, and through this process reduce the infor- mation asymmetry between management (agents) and stakeholders (principals), and ultimately prevent oppor- tunistic behaviours of management (e.g., ensure that the executive management team invests in proper IT security measures, rather than giving themselves a bonus). Third, from a stewardship theory perspective (Donaldson, 1990), managers need less oversight, and more advice, because they are deemed to be trustworthy good stewards of the resources they manage. Boards can provide these services as well through the IT issues they discuss. For example, by discussing IT strategies and risks in board meetings they can direct management to consider IT risks and needs that were not previously known to the executive management team. Synthesizing these perspec- tives, board-level ITG can be a valuable capability.
Second, board-level ITG is not executed homoge- neously across firms and competitors; some boards do not discuss IT issues at all, and others have established dedicated IT committees that discuss many IT issues (Nolan & McFarlan, 2005; Bart & Turel, 2010). Thus, board-level ITG is plausibly heterogeneously distributed across competitors.
Third, board-level ITG can be imperfectly mobile. Even though there are prescriptive guidelines describing what the board should do (IT Governance Institute, 2003; CICA, 2004; ISO, 2008), board-level ITG is easier said than done. Many directors may lack the knowledge to discuss IT issues (Huff et al, 2004; Nolan & McFarlan, 2005) and consequently are afraid ‘to raise IT issues at meetings for fear of embarrassing themselves in front of their peers’ (Huff et al, 2004, p. 4). Considering the
abovementioned three criteria, board-level ITG can produce temporary and potentially sustained competitive advantage (Mata et al, 1995), which should ultimately translate to superior financial performance (Bharadwaj, 2000; Wiggins & Ruefli, 2002).
A similar picture emerges from using Wade and Hulland’s (2004) classification of resources and capabil- ities. Board-level ITG is close in scope to what they called ‘IS management/planning’, in that it is a spanning cap- ability that focuses on the capacity of IT management to understand how technologies should be used and IT-enabled processes should be changed in response to the strategic forces in the market. While previous studies assumed that this is the responsibility of the CIO and/or other executives (Armstrong & Sambamurthy, 1999; Wade & Hulland, 2004), we argue that such capabilities can be developed by boards of directors as well. Treated as a spanning resource, board-level ITG should help firms achieve at least a short-term competitive advantage – it is relatively rare (Bart & Turel, 2010) and valuable (Appleby, 2008). Thus, from this perspective too, board-level ITG can improve organizations’ competitive standing, and ultimately their performance. Hence:
H1: Higher levels of ITG by the board of directors increase organizational performance.
Boards of directors often base their foci and decisions on internal organizational contingencies (Zahra & Pearce, 1989). Following the contingency logic (Weill & Olson, 1989) and the strategic grid research as applied to IT managers (Raghunathan et al, 1999), the stronger the organization’s need for reliable IT and its need for new IT, the higher would be the level of ITG exercised by the board (Nolan & McFarlan, 2005). Boards have limited time and resources, and would therefore spend them as deemed necessary (Kroll et al, 2008; Laux, 2010), presumably also on IT matters. When boards perceive IT-related needs to be low, they will likely devote their time to what they perceive to be as more prominent issues for the organization.
Indeed, it has been shown that boards of companies with a high need along either one of these dimensions raise more IT issues (and hence engage in a higher level of ITG) than companies that have low needs for reliable IT or for new IT (Bart & Turel, 2010). Replicating these findings, but in a broader nomological network which allows further insight:
H2: Organizations’ IT use mode influences the ITG efforts exercised by the boards of directors.
H2a: Boards of organizations with high need for fast and reliable IT would engage in greater ITG than boards of organizations with low need for fast and reliable IT.
H2b: Boards of organizations with high need for new IT (using IT offensively) would engage in greater ITG than
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 227
European Journal of Information Systems
boards of organizations with low need for new IT (using IT defensively).
Firm needs for new or for fast and reliable IT can have a broader role than merely determining the level of ITG the board of directors will choose to employ. Presumably, when the prescribed level of ITG meets the organi- zational situation, performance should be enhanced (Nolan & McFarlan, 2005). For example, when an organization uses IT offensively, the board is prescribed to discuss a large set of questions as a means to improve firm performance. That is, when there is fit between the board’s level of ITG and the IT needs of the organization, the board-level ITG efforts should be better translated into performance. In contrast, when there is misfit between IT needs and the exercised level of ITG, boards’ efforts should be less effective because the board has presumably misunderstood the situational contin- gencies of the organization. Thus:
H3: The fit between the IT needs of organizations and the level of ITG by the board of directors increases organizational performance, over and above the direct effect of the level of ITG by the board of directors on organizational performance.
H3a: Higher need for fast and reliable IT interacts with the level of ITG exercised by the board to increase organizational performance.
H3b: Higher need for new IT (using IT offensively) interacts with the level of ITG exercised by the board to increase organizational performance.
Methods A multi-method approach was taken. First, a paper-based survey was administered to board members of Canadian firms. It collected data for assessing the research model, as well as an open-ended question for content analysis. Second, content analysis was applied to director respon- ses, and structured email-based interviews were con- ducted with several directors and CEOs. The qualitative studies were used to enrich the insight yielded by the structural model, explain surprising findings, and pro- duce more focused practical recommendations for boards of directors.
Sample The survey was administered to 240 board members who attended a corporate director governance training programme in Canada. The training programme was directed by one of the researchers, and covered typical directorship issues such as accountability, leadership, strategy, financial literacy, and oversight. While the respondents as a whole were known casually to him, individual submissions were anonymous and could not be linked to particular individuals or firms. While it is
possible that the sample contained respondents from the same organization, these would be few in number, that is, less than 5%. Out of the participants who were ap- proached, 176 board members presumably representing 176 Canadian organizations turned in the survey. Five surveys were incomplete and were removed, and a sample of 171 board members (response rate of over 71%) was retained. Data pertaining mostly to board/organization actions and performance as perceived by the individual board member, as well as to board members’ gender, status (independent/external or non-independent /inter- nal) and the number of boards on which they serve were also obtained. The sample was male dominant (83%), and included mostly independent (outside) directors (78%) who served on average on 2.23 boards (1 to 10). Table 1 presents descriptive statistics regarding the participating organizations. As can be seen, the sample is heterogeneous in profit orientation, size (sales and number of employees), and the level of ITG executed by boards (the number of IT issues that were discussed by the boards). The average number of IT topics raised by the sampled boards was about 12 out of 27 potential IT issues (std.dev.¼7). While the sample is slightly dominated by non-profit firms, organizations with all combinations of IT needs are pre- sent. Owing to the anonymity of respondents we do not have the specific composition of the types of non-profits we have in the sample. Based on the composition of the group of board members who participated in the training, we can assume that non-profits in our sample included mostly two groups: (1) Associations and industry boards, hospitals, as well as provincial government boards (e.g., the ones that control gambling or alcohol sales in a province), and (2) federal government corporations, such as the Canadian Wheat Board and Canada Lands Com- pany.
First, it was examined whether respondents’ gender, status (independent vs non-independent director), and the number of boards on which they serve had any influence on the ways they perceived their companies. Gender (Po0.69), status (Po0.47), and their interaction (Po0.95) were modelled as fixed factors, the number of boards on which respondents serve (Po0.34) as a covariate, and the model’s constructs as dependent variables in multivariate analysis of variance. The model yielded non-significant Pillai’s Trace scores for these relationships (see parentheses next to predictor names). It was hence concluded that there are no indivi- dual-characteristic-based reporting differences in the data set.
Measures Because board members often serve on multiple boards (Mean¼2.23), we asked them to refer to a single organization with which they were most familiar. They were asked to self-report on behaviours as well as organizational performance perceptions of the larger board of directors. They hence provided organizational/ board-level data as they observe it.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart228
European Journal of Information Systems
Performance The measurement of the impact of IT resources and capabilities is a debated issue in MIS research because there are many potential outcomes at different organizational levels (Ray et al, 2004; Wade & Hulland, 2004). In this study, we employed a perceptive measure of performance that captures how directors perceive their organization’s performance from a finan- cial standpoint. We did so for several reasons. First, the validity of such measures has been demonstrated (Tallon et al, 2000; Tallon, 2010) as well as their potential accur- acy (Tallon & Kraemer, 2007). Second, perceptive mea- sures can be advantageous because ‘Scaled perceptual measures of (performance) are considered more relevant than absolute measures y because the latter tend to be arbitrary and influenced by the type of industry’ (Bart, 1993, p. 349). Perceptions, on the other hand, are what ultimately influence board and senior management behaviours and decision making. Third, because partici- pants remained anonymous for the most part, links to the participating firms could not be established and objective performance measures could not be obtained.
The perceptive measure we used encapsulated primarily financial performance because directors often do not have access to operational-level data (Strebel, 2004) and often focus solely on financial measures (Gaa, 2009). Thus, they can best report on a holistic assessment of organizational financial performance, but may fail to adequately report on other dimensions or operational performance measures. We employed a self-developed three-item measure which includes implicit and explicit comparisons to competitors and to industry expecta- tions. These are important aspects that can be missing in direct measures of financial performance. Direct mea- sures may be impressive (e.g., growth rate of 50% a year) but they are not that meaningful without considering the performance of industry peers (e.g., an average growth rate of 200% in the sector). We therefore asked directors to report on (1) their board’s and (2) their own satis- faction with their organization’s current financial per- formance, using a 10-point Likert scale (1¼not at all satisfied; 10¼ extremely satisfied). They were also asked to report on the ‘relative performance standing’ of their organization in its particular industry, again using a 10- point Likert scale (1¼ significantly below; 10¼ significantly above).
Level of ITG by the board To capture the level of ITG exercised by the board, respondents were asked to indicate whether (yes/no) their boards raised each of the 27 ITG questions that were recommended by the Canadian Institute of Chartered Accountants (CICA) (CICA, 2004). The ITG questions were developed for inclusion in one of a series of monographs dealing with issues of importance to board members. Other topics in the series include risk, strategy, and executive compensation. Each monograph was designed to give corporate directors guidance on the types of questions they should be asking as part of their oversight responsibilities. Thus, the CICA’s ITG questions
T a b
le 1
D e sc
ri p
ti v e
st a ti
st ic
s fo
r th
e sa
m p
le a
P ro
fi t
o ri
en ta
ti o n
C o n ti
n g en
cy fa
ct o rs
n B o a rd
-l ev
el IT
G P er
fo rm
a n ce
S a le
s (m
ill io
n $
C A
D )
N u m
b er
o f
em p lo
ye es
N ee
d fo
r n ew
IT N
ee d
fo r
sp ee
d a n d
re lia
b ili
ty
N o t
fo r
p ro
fi t
(n ¼
1 1 8 ,
6 9 %
) Lo
w Lo
w 2 7
6 .4
8 6 .4
9 2 3 8 .2
5 3 1 4 9 .1
3 (7
.0 9 )
(1 .6
5 )
(3 3 9 .3
3 )
(1 0 ,9
7 6 .3
5 )
H ig
h 2 2
1 3 .0
9 6 .9
6 5 3 5 .0
0 1 3 8 1 .1
3 (7
.5 3 )
(1 .7
1 )
(4 0 6 .4
4 )
(2 2 7 8 .7
1 )
H ig
h Lo
w 2 9
1 3 .0
3 7 .2
2 1 0 6 6 .7
1 8 8 9 .2
7 (6
.3 4 )
(1 .5
2 )
(1 7 7 5 .7
4 )
(9 4 7 .6
4 )
H ig
h 4 0
1 4 .3
5 7 .3
6 1 2 8 1 .0
2 3 6 4 3 .7
7 (5
.8 6 )
(1 .5
6 )
(2 1 0 4 .3
5 )
(1 1 ,6
1 4 .8
0 )
Fo r
p ro
fi t
(n ¼
5 3 ,
3 1 %
) Lo
w Lo
w 1 6
1 0 .8
8 7 .2
1 8 0 4 .4
1 6 3 6 .2
5 (6
.7 7 )
(1 .5
2 )
(1 9 4 2 .4
0 )
(7 4 1 .8
8 )
H ig
h 1 1
1 3 .2
7 5 .8
5 3 0 9 .4
2 1 0 1 3 .3
9 (1
3 .4
0 )
(2 .5
3 )
(3 2 0 .0
4 )
(1 0 0 4 .2
9 )
H ig
h Lo
w 1 0
7 .8
8 6 .3
8 1 7 7 .3
9 3 6 5 .6
6 (6
.2 0 )
(1 .9
4 )
(2 6 1 .2
0 )
(6 3 6 .2
6 )
H ig
h 1 6
1 4 .2
2 6 .7
3 4 7 9 .2
9 7 0 3 .0
2 (8
.3 5 )
(1 .8
9 )
(1 1 7 6 .4
7 )
(1 2 3 2 .1
3 )
T o ta
l 1 7 1
1 2 .0
1 6 .9
1 7 3 8 .6
0 1 9 0 7 .3
1 (7
.7 7 )
(1 .7
3 )
(1 4 8 1 .7
3 )
(7 1 7 6 .4
7 )
a E a ch
ce ll
co n
ta in
s th
e m
e a n
o n
to p
, a n
d th
e st
a n
d a rd
d e vi
a ti o n
in p
a re
n th
e se
s o n
th e
b o tt
o m
.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 229
European Journal of Information Systems
presumably cover the spectrum of IT issues boards should discuss. While there are many governance frameworks that can be utilized by boards, they cover parallel topics and propose similar sets of ITG issues to be discussed in the boardroom (Bart & Turel, 2010; Wilkin & Chenhall, 2010). However, given the Canadian context of this study, the ITG questions proposed by the CICA seem most appro- priate (see Appendix A).
The reported total of the ITG issues raised by the board was used as a proxy for the level of ITG oversight provided. It is acknowledged that this measure captures only ITG breadth (the range of IT topics that were discussed by a board) and not depth (the amount of time, number of meetings or efforts devoted to IT issues in the boardroom). This measure was employed because ITG depth is difficult to operationalize using self-reported data. Nevertheless, boards are likely to discuss raised topics to the extent deemed necessary. Thus, the scope of ITG topics covered by the board can be a reasonable proxy for the level of ITG exercised by the board.
Contingency variables Two internal contingencies were conceptualized in this study: the need for new IT and the need for fast and reliable IT. While there are valid measures for the strategic grid position of firms (Raghunathan et al, 1999), they were only developed for and tested with IT managers, but not with boards of directors. We therefore employed the more board- targeted framework suggested by Nolan & McFarlan (2005) for assessing the firms’ position on the strategic grid from a board’s perspective.
The items proposed by Nolan & McFarlan (2005) were developed for classification purposes, and were accord- ingly used in the current study for binary classification (high vs low need along each one of the IT use mode dimensions). Specifically, respondents were queried – using a 7-point Likert scale (1¼ strongly disagree; 7¼ strongly agree) – on their level of agreement with the 14 questions depicted in Figure 1. For each respon- dent, the average level of agreement reported for the questions indicating a ‘high need for new IT’ (i.e., the questions in the right-hand column in Figure 1) was calculated and compared with the average level of agreement reported for the questions indicating a ‘low need for new IT’ (i.e., the questions in the left-hand column of Figure 1). Organizations were classified based on the highest column score as having either a low or high need for new IT. A binary variable corresponding with this classification was created (i.e., low need for new IT¼0; high need for new IT¼1). A similar comparison between the average level of agreement calculated for the questions in the top and bottom rows of Figure 1 was used for generating a dummy variable to capture each company’s need for fast and reliable IT (i.e., Low need¼ 0; High need¼1).
Control variables The data collected on each organiza- tion included its sales (revenue in millions of CAD$),
number of employees, and the type of firm orientation (i.e. for-profit or not-for-profit). The first two control variables are proxies for organization size, which often influences internal processes and resource utilization (Zahra & Pearce, 1989; Ray et al, 2004), as well as IT planning efforts (McFarlan et al, 1983). The third control variable can also be important. Non-profit organizations (e.g., government hospitals and schools) and for-profit companies (e.g., large retailers) can employ different governance styles (Fama & Jensen, 1983).
Analysis and results Correlations and reliability measures (for multi-item constructs) were calculated (see Table 2). The measure of performance was consistent and reliable.
Assessment of common method bias The potential effect of Common Method Variance (CMV) was assessed using multiple techniques (Turel et al, 2011). First, Harman’s single factor test was employed. The results of un-rotated principal component analysis ap- plied to the model’s constructs indicated the existence of more than one principal component. The first one explained 38% of the variation, and the second one explained another 28%. Thus, no single dominant (i.e., methods) factor exists (Harman, 1976). Second, an examination of correlation matrices as specified by Pavlou et al (2007) was conducted. The correlations ranged from 0.01 to 0.67, and all were below the 0.9 threshold. The fact that there are several very low correlations (close to zero) among some of the constructs further indicates that there is no single dominant CMV factor.
Third, we utilized an adjusted Lindell & Whitney (2001) procedure as described in Turel & Serenko (2012). The marker variable we used was the number of boards on which the reporting director is currently serving because it is theoretically unrelated to the model’s constructs. It was not correlated with the other variables, suggesting that there was no systematic bias in the data. Fourth, a Confirmatory Factor Analysis (CFA) model which included a CMV factor that draws variance from the observed indicators was estimated. While the model fit the data well [w2(7)¼11.05 (non-significant, Po0.14), CFI¼0.99, IFI¼ 0.99, RMSEA¼0.058 with P-close¼0.36, and SRMR¼ 0.040], the CMV effects were non-significant (Po0.84). Furthermore, when this model was contrasted with a CFA model without the CMV factor, the chi-square difference test statistic (w2diff (1)¼0.01) was not significant (Po0.92). This indicated that adding the CMV factor fails to produce a significant reduction in chi-square. Thus, the more parsimonious model, without the CMV factor, is superior. Overall, these analyses imply that CMV is unlikely to have a major influence on the data.
Model estimation The research model was estimated with the structural equation modelling facilities of AMOS 19. Initially, a CFA
Board-level IT governance and organizational performance Ofir Turel and Chris Bart230
European Journal of Information Systems
model was fit to the data, and produced good fit indices (w2(8)¼11.06 (non-significant, Po0.20), CFI¼0.99, IFI¼ 0.99, RMSEA¼ 0.047 with P-close¼ 0.46, and SRMR¼ 0.040). All loadings were significant (Po0.001). Conse- quently, we proceeded to estimate the structural model. In order to separate the direct and moderation effects, the model was estimated in a hierarchical fashion.
First, a model with only direct effects (i.e., a full-media- tion model) was estimated. It included the H1, H2a, and H2b paths. Initially, the model also included sales (revenue in millions of CAD$), number of employees, and profit orientation as control variables. While the data fit the model well [w2(14)¼ 19.42 (non-signifi- cant, Po0.15), CFI¼0.99, IFI¼ 0.99, RMSEA¼0.048 with P-close¼ 0.48, and SRMR¼0.037], and all hypothesized effects were significant, number of employees and profit orientation did not significantly influence the model and were removed from further analyses. Sales significantly increased the level of ITG by the board and it was therefore retained. Subsequently, the partial-mediation model with sales effect on the level of ITG was specified and estimated. The data fit this model well [w2(11)¼12.39 (non-signifi- cant, Po0.34), CFI¼0.99, IFI¼ 0.99, RMSEA¼0.027 with P-close¼ 0.66, and SRMR¼0.044], and all hypothesized paths were significant. This model therefore provided sup- port to H1 (b¼ 0.27, Po0.001), H2a (b¼0.16, Po0.05), H2b (b¼ 0.23, Po0.01), and the role of sales in board-level ITG enactment (b¼0.24, Po0.001). It explained 17% of the variation in board-level ITG efforts, and 7% of the variation in performance.
Second, a model that also included the hypothesized moderation-effects (H3a and H3b) was estimated. To operationalize these effects, the model included interac- tion terms (Level of ITG�Need for new IT, and Level of ITG�Need for fast and reliable IT), as well as direct effects of the IT use mode variables on performance. These were included because the interaction terms should be assessed after controlling for the direct effects of the variables that comprise the interaction terms. The model fit indices were adequate [w2(19)¼48.52, CFI¼ 0.97, IFI¼0.97, RMSEA¼0.090 with P-close¼0.02, and SRMR¼ 0.095]. Sales was no longer a significant control
variable (Po0.20), and hence was removed from this analysis. The model was re-estimated, and produced adequate fit indices [w2(12)¼ 28.24, CFI¼0.98, IFI¼0.98, RMSEA¼0.088 with P-close¼0.07, and SRMR¼ 0.090]. The standardized path coefficients, their levels of sig- nificance, and the variables’ Squared Multiple Correla- tions (explained variation) are depicted in Figure 3.
Figure 3 demonstrates that the full-mediation hypoth- eses (H1, H2a, and H2b) were still supported, but the hypothesized moderation effects (H3a and H3b) were not. This implies that while board members employ ITG based on their organizations’ IT needs, a high level of ITG increases performance regardless whether it is aligned with the level prescribed by an organization’s IT mode. The stronger the board-level ITG is, the better the per- formance is, regardless of the IT use mode the organiza- tion is in. Potential reasons for this deviation are examined in the qualitative study.
Post-hoc analyses First, the research model implies that the effects of the contingency variables on performance are fully mediated through the exercised level of ITG. To rule out the possibility that the contingencies also influence perfor- mance directly, a partial-mediation model (where the contingencies influence board-level ITG and perfor- mance) was contrasted with the full-mediation model. The partial-mediation path coefficients remained the same and significant. The path coefficients from the contingen- cies to performance were not significant (Po0.35). The chi-square difference test statistic (w2diff(2)¼0.87) was not significant (Po0.85). This indicated that estimating the additional paths does not improve the model, and that the full-mediation model is superior to the partial-mediation model. This further supports the theory we put forth.
Second, the model implies that a higher need for new as well as for fast and reliable IT leads boards to engage in higher levels of ITG. It is interesting to see if this increase in IT issues the board discusses focuses on particular sets of prescribed issues as outlined in Appendix A (strategy, control, and risk), or on all ITG domains. To this end, analyses of variance models were applied to the data,
Table 2 Variable correlationsa
Construct (1) (2) (3) (4) (5) (6) (7) (8)
Model (1) Need for new IT NA
(2) Need for fast and reliable IT 0.18* NA
(3) Interaction (new IT� fast and reliable IT) 0.64** 0.67** NA (4) Level of ITG by the board 0.19* 0.25** 0.21** NA
(5) Perceived organizational performance 0.11 0.01 0.10 0.29** 0.87
(0.88)
[0.72]
Control variables (6) Profit orientation �0.09 0.01 0.00 0.01 �0.10 NA (7) Sales (million CAD$) 0.17* 0.06 0.14 0.26* 0.04 �0.11 NA (8) Number of employees 0.01 0.05 0.08 0.09 �0.02 �0.11 0.26** NA
a Cronbach’s alphas (composite reliability), and [average variance extracted] are reported on the diagonal (bolded) for multi-item constructs.
*Po0.05, **Po0.01
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 231
European Journal of Information Systems
with the counts of number of ITG questions pertaining to each set of issues (strategy, control, and risk) as depen- dent variables, and the contingency factors as indepen- dent variables. The results indicate that when the need for new IT was high, boards raised significantly more strategy (Po0.02) and risk (Po0.03), but not control (Po0.67) questions. When the need for fast and reliable IT was high, boards raised significantly more strategy (Po0.02), risk (Po0.004), and control (Po0.008) ques- tions. Thus, for the most part (except for one case), increases in the level of ITG in response to identified IT needs are done across ITG knowledge domains, and not in particular areas.
In order to supplement this analysis, we also ran a chi- square test for each one of the 27 questions, by using contingency tables with the counts of the number of boards that raised each question in each quadrant. The results of these analyses suggest that there were statisti- cally significant (at least at Po0.05) quadrant-based differences in 25 out of the 27 questions. For the most part, boards of companies in the strategic and turnaround modes raised more IT issues than others did. The same pattern was observed regarding questions #7 and #11 (Appendix A), but the differences in the case of these two questions were not statistically significant. Overall, it appears that the IT issues boards discuss differ across the quadrants of the IT strategic grid.
Qualitative analyses In order to understand, corroborate, and enrich the quantitative findings, three qualitative analyses were conducted.
Applicability checks Structured email-based interviews were employed for applicability checks (Rosemann & Vessey, 2008). A summary of the study’s findings was communicated to five senior directors (mostly presidents or chairmen of the board) who were known to one of the researchers. They were asked to comment on the research findings and to indicate their firm’s position on the IT strategic grid. Four out of five directors responded (see Table 3).
These comments lend support to the proposed rele- vance of ITG to organizational performance and the increasing need for board-level ITG research. They imply that, in retrospect, the findings can make sense. As these responses suggest, even companies in low-IT-need modes can benefit from higher levels of ITG by the board, because such efforts would be future-looking and enable organizations to explore likely future needs, which other firms in their sector ignore.
Can board-level ITG be easily replicated? The quantita- tive findings suggest that higher levels of ITG by the board may lead to improved performance. To enrich these findings, we sought to examine whether the obtained advantage can be sustainable, or board-level ITG can be easily replicated by competitors. To this end, we conducted a structured email-based interview with stakeholders who were known to one of the researchers. Two directors and a CEO were asked whether ITG practices can be easily mimicked. Their responses are provided in Table 4. The two directors believed and justified that ITG cannot be easily mimicked because ‘good governance is more about people than process’ (Respondent #1). The CEO was less supportive of the idea of low mobility of board-level ITG, but still implied that it may be challenging to mimic such practices. Overall, it
Table 3 Interview responses of directors for applicability checks
Low need for new IT (defensive use) High need for new IT (offensive use)
High need for
speed and
reliability
It is interesting to think that a firm with low IT
needs can still perform better with a high level
of IT governance. I would think that there would be
diminishing returns for firms in low-tech industries (y) vs, for example, Banks or Software Developers. On the other
hand, it may turn out that all firms will be high-tech in the
future.
The fact that boards seem to employ a contingency
approach with respect to ITG is not unexpected, and it is
often on an ad hoc basis. However, the conclusion that
broad, high-level ITG results in strategic and financial
benefits even for those companies with limited IT needs is
somewhat surprising. If one thinks about it though, IT is
pervasive and will only become more so. Therefore, it
behoves boards to develop sound ITG.
Low need for
speed and
reliability
It emphasizes the need to keep your head up,
and look at the horizon about what could benefit
your organization. There may be beneficial IT
options available that you are not aware of.
Given my experience, the findings made intuitive sense for
me and I think they ARE interesting and worthwhile.
Need for New IT (Low = Defensive, High = Offensive)
Need for Fast & Reliable IT (Low Need, High Need)
Level of ITG by the Board
Perceived Organizational Performance
0.30**
SMC=17%
0.15*
-0.06 NS
0. 20
** *
-0.04 N S
SMC=8%
Figure 3 Structural model.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart232
European Journal of Information Systems
may be challenging and require practice to effectively replicate this spanning IT resource.
Ways to improve board-level ITG In order to enrich the implications for corporate governance practice, content analysis was applied to director suggestions for improving ITG practices in their boards. These data were collected as
part of the survey. One hundred and seventy-nine usable textual responses were obtained, and subjected to con- tent analysis following the guidelines by Krippendorff (1980). First, a codebook was developed and refined by one of the researchers (see Table 5). It was then used independently by two external raters to classify the responses into categories. The initial classification has yielded a raw agreement of 67.2% and a Cohen’s Kappa (agreement adjusted for agreement due to chance) of 0.61. The raters then met and discussed their differences. Agreement was achieved regarding all items, but three. The post-discussion raw agreement was 98.3% and the Cohen’s Kappa was 0.98. The frequencies in Table 5 therefore reflect a reliable categorization of director suggestions.
Table 5 shows that directors’ responses focused on three areas of improvement: (1) structural changes to facilitate ITG, (2) new ITG processes, and (3) closing the knowledge gap and learning about the strategic impact of IT and/or ITG. New ITG processes, such as asking for frequent updates from management on IT issues, and IT- related discussions in the boardroom were the most common line of suggestions (over 72%). Some suggested structural changes, such as creating an IT committee or assigning ITG responsibilities to an existing committee (over 14%), and others indicated that there is a need to improve the board’s ITG literacy by either better educat- ing directors regarding IT’s strategic role and current ITG practices, or by appointing more IT-savvy directors (over 11%). This implies that the current typical composition of the board is not optimized for dealing with IT issues. The bulk of respondents acknowledged the need to apply ITG at the board level, and only 1.7% of respondents thought that IT is not a discussion-worthy issue for their board.
Discussion Prior research suggests that managers should, and often do, employ a contingency approach for dispensing their responsibilities (Fiedler, 1964; Otley, 1980), including IT matters (Cash et al, 1988; Raghunathan & Raghunathan, 1990). Our study indicates that directors are not different, and as prescribed in previous studies (Nolan & McFarlan, 2005; Bart & Turel, 2010), they choose the level of ITG they exercise based on their organizations’ (1) need for new IT, and (2) need for fast and reliable IT. Boards of organizations with a high need for newer IT, presumably for strategically offensive manoeuvring in their competi- tive marketplace (strategic need), tend to raise more IT issues than their counterparts. Boards of companies that need fast and reliable IT to manage their operations (operational needs) also tend to have a higher level of ITG than their counterparts. These IT issues pertain, for the most part, to all ITG knowledge domains as outlined in Appendix A. Boards of companies with higher sales also exercised a higher level of ITG, at least when only full- mediation effects of the IT use mode were considered. This lends potential support to the proposition set by
Table 4 Director and CEO opinions regarding the mobility of ITG
Respondent Response
(1) Executive Vice President
(director) of a large
global construction firm
Corporations may make some of their
IT governance public by describing it
in shareholder communication or on
websites. Therefore, they could pro-
vide guidance to competitors which
can be copied (just like material we
had from (name removed for con-
fidentiality)). However, as we know
good governance is more about
people than process, so in the end
I don’t think it is easy to copy.
(2) President (director) of a
large public institution
for skill training
I think it would be (is) relatively ‘easy’
for competitors to copy general IT
governance practices and implement
some practices as required. However,
my limited experience with IT gov-
ernance suggests that each organiza-
tion/company has varied
requirements for IT governance –
that is, organizational differences
require a nuanced IT governance
approach that is not easily copied
(this is, of course, based on a very
small ‘n’). Or in other words, each
competitor will use and respond to
the 27 ITG [issues] in a unique, not
directly copied, way.
(3) CEO of an e-commerce
delivery company
In general, I don’t think Board adop-
tion of improved IT governance
would be necessarily mimicked by
industry competitors. There are a
couple of barriers to this. The first
would be the lack of awareness of the
risk of ITy. The second is the ‘sticki- ness’ of Board composition which
limits the speed in which IT skills can
be augmented. However, the factor
which might push competitive copy-
ing is the fact that much of current IT
governance is driven through the
audit committee. The oligopoly of
auditors quickly adopts best practices
and pushes them on clients (particu-
larly where it leads to increased audit
scope and fees).
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 233
European Journal of Information Systems
McFarlan et al (1983) that larger firms will need to employ better and more formal IT planning processes. It may also be due to the proposition that in smaller firms, boards can be less scrutinizing and underutilized (Zahra & Pearce, 1989). Overall, these contingency factors influenced the execution of an important oversight practice, board-level ITG, and explained 17% of the variation in it.
In line with the resource-based view regarding IT management capabilities (Mata et al, 1995; Melville et al, 2004; Wade & Hulland, 2004) and corporate governance theories on the effects of board actions on organizational performance (Zahra & Pearce, 1989; Johnson et al, 1996), the level of ITG exercised by the board was found to improve performance. This suggests that board-level ITG is a valuable capability. Combined with the plausible evidence we provided for the heterogeneity of this cap- ability (see standard deviation in Table 1), its value, and its possible low mobility (see Table 4), our findings imply that the level of ITG exercised by the board can be a means to obtain strategic advantage and superior organizational performance. The level of ITG provided by a board expla- ined 8% of the variation in performance, which is impres- sive because there are many other variables (e.g., CEO competency, market forces, etc.) that can influence it.
Implications for theory Several implications emerge from this study. First, the findings supplement and enrich the resource-based view as applied to IT resources. They show that board-level ITG
can be an important IT management capability that is often overlooked in MIS research. Many studies that focus on such capabilities (Bharadwaj, 2000; Wilkin & Chenhall, 2010) emphasize the leadership of the IT unit and the organization’s executives. A similar view is implied in studies that focus on IT planning efforts (McFarlan et al, 1983; Raghunathan & Raghunathan, 1990; Raghunathan et al, 1998).
This study shows that the scope of IT management and planning capabilities could and should be extended to include additional organizational elite, namely the board of directors. Revisiting the scope of IT resources is worth- while because, as per the resource-based view, manage- ment capabilities can help explain organizational beha- viours and phenomena (Mata et al, 1995). The board’s IT focus diffuses to the rest of the organization, including the CEO and CIO, and can determine IT-related invest- ments, management foci and processes, and ultimately the value of IT to the organization. Boards can help improve organizational performance over and above the value added by executives’ IT-related actions through three services: controlling management actions (resolving agent-theoretic issues), providing consulting and guidance services to management, and providing access to external resources – all of which can focus on IT. Future research of IT value, IT planning, and the resource-based view of IT are therefore encouraged to pay closer attention to boards of directors as another source of IT competency.
Second, the findings indicate that the contingency view regarding IT planning prescribed by the IT stra- tegic grid research (Cash et al, 1988; Raghunathan & Raghunathan, 1990; Raghunathan et al, 1998; Nolan & McFarlan, 2005) can be suboptimal, at least in the case of boards of directors. While boards essentially cast their net around obvious and immediate IT needs as per their location in the strategic grid, they sometimes fail to see the bigger picture, longer-term and strategic forest for the trees. For example, boards of firms in support mode generally discussed, as prescribed, fewer IT issues com- pared with others; yet the ones that raised more IT issues in the boardroom had better performance. This may explain the inconsistent findings in prior research regard- ing the value of adhering to the IT planning prescribed by the IT strategic grid (Tukana & Weber, 1996). It also suggests that additional factors, beyond current needs, with a stronger future-looking emphasis should be considered by prescriptive ITG guidelines.
It is interesting to consider why having boards go beyond the prescribed level of ITG is valuable and drives performance. Several studies suggest that even firms that would normally be classified as utilizing IT in support or factory mode (e.g., retail or casino chains) can benefit from shifting to a more offensive mode of IT utilization (Hopkins & Brynjolfsson, 2010). By so doing, they increase their ‘information metabolism’, utilize IT more effectively than their competitors, and can strengthen or replace their existing IT utilization modes (McAfee & Brynjolfsson, 2008). Thus, it is possible that when boards of companies
Table 5 Code book and frequencies for director responsesa
Category Frequency
Structure (n¼25, 14.2%) 1.1. Setup an IT committee 10
1.2. Assign a board IT representative 13
1.3. Assign IT responsibilities to existing committees 2
Process (n¼127, 72.2%) 2.1. Reports/presentations/briefings on IT status delivered
to the board
23
2.2. Consider, develop, review, and monitor IT issues and
plans
76
2.3. Appraise IT risks 27
2.4. Survey IT users for needs and satisfaction 1
Close knowledge gap (n¼21, 11.9%) 3.1. Increase board expertise through training or
appointment
21
Other (n¼3, 1.7%) 4.1. IT is not sufficiently important/should not be
considered by the board
3
Total 176
a Includes only items for which agreement was obtained.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart234
European Journal of Information Systems
that are traditionally defensive users of IT adjust their level of ITG to that typically found in a more offensive use mode, they help their organizations gain strategic advan- tage. This view is supported by comments from board members (see Table 3).
Lastly, the findings imply that board-level ITG can be associated with organizational performance. Consequen- tly, the focus on IT in the boardroom plausibly matters. Thus, corporate governance theories can be informed by including ITG by the board and its associated IT con- tingencies. This study focused on a limited set of contin- gencies. Hence, future research may expand this set, and include also other IT-relevant factors, such as the reporting relationship of the CIO (Banker et al, 2011), qualities of the IT function, etc. While it is acknowledged that technical expertise is a potentially important board characteristic (Vance, 1968), the ability of boards to engage in ITG has not received enough attention in the corporate govern- ance literature (Bart & Turel, 2010). Our findings suggest that this may be an additional board attribute to consider that, together with other board actions, can present a more complete picture of the influence of the board on firm performance (Zahra & Pearce, 1989).
Overall, IT management and planning capabilities were often too narrowly conceptualized in past MIS research as were board roles in corporate governance research. Given the increasing involvement of boards of directors in IT oversight (Nolan & McFarlan, 2005; Bart & Turel, 2010), MIS researchers should broaden and expand the hierarchy of the sources of IT competencies to include the board and its ITG practices. Corporate governance researchers should broaden the scope of board roles to include ITG. Consequently, many new questions regard- ing the antecedents, measurement, and outcomes of board-level ITG – and not just executive management – can and should be explored. This study serves as a plat- form for future research in this domain.
Practical implications This study extends the conceptual views taken in previous studies (e.g., Appleby, 2008) and suggests that board-level ITG can influence organizational perfor- mance. Hence, the first implication is that boards should not shy away from governing their organizations’ IT strategies and operations, a perspective that some boards take (Huff et al, 2004). In fact, the findings imply that boards of directors should attempt to cover the broad range of IT issues suggested by the CICA, or other ITG frameworks, regardless of the current and obvious IT needs. This would potentially allow their organizations to use IT more strategically, identify overlooked oppor- tunities, and ultimately achieve superior performance. This can be done through board training in ITG, through reviewing ITG frameworks and the IT issues they recom- mend to discuss, or by seeking help from consultants and IT experts who are familiar with ITG. As the con- tent analysis (Table 5) indicates, the training compo- nent (closing the knowledge gap) can be supplemented
with creating proper structures and processes for board-level ITG. Assigning ITG responsibilities to board members, whether in an existing committee or as a separate committee, may force them to explore and better understand IT issues. Receiving more frequent debriefs from management regarding IT matters can help board members better understand the IT situation, foresee future IT needs, and integrate IT with the strategic directions they chart.
A second implication is that given the potential impor- tance of board-level ITG and the growing prevalence of the practice, the MIS and corporate governance educa- tion communities should consider ways in which board members and business students can be better informed regarding the ITG responsibilities of the board and their impacts. Boards need domain knowledge and experience, beyond mere vigilance, to be effective (Kroll et al, 2008). However, they often lack the skills to provide IT oversight (Huff et al, 2005; Bart & Turel, 2010). The current IS curriculum guidelines for undergraduate students suggest a core course in ‘IS Strategy, Management & Acquisition’, which covers management and CIO IT-related responsi- bilities, but does not currently include references to the board (Topi et al, 2010). Board-level ITG should be incor- porated into IS strategy courses at both the under- graduate and graduate levels, and also covered in both corporate governance courses and director training pro- grammes.
Limitations and suggestions for future research Several limitations should be acknowledged. First, lim- ited-in-scope conceptualization and operationalization of contingency factors, board-level ITG, and performance were used in this study. There can be many other contingency factors that can affect board-level ITG (Zahra & Pearce, 1989). Accepting the two contingency factors implied by the IT strategic grid was a convenient choice because it has been heavily used in IS research (Raghunathan & Raghunathan, 1990; Raghunathan et al, 1999), but additional contingency factors should be explored in future research. Similarly, the level of ITG by the board was operationalized in this study as the range of IT-related issues that the board has discussed; and it relied on a single board-level ITG framework. While this may be a good starting point, future research may add more dimensions and depth to it. Moreover, our performance measure relied on financial-focused self- reported perceptions. It can therefore be extended by measuring other subjective and objective facets of performance. The study can also benefit from surveying all board members in each organization in order to increase the reliability of the self-reported board beha- viours and attitudes.
Second, the proposed model is a simplistic representa- tion of organizational reality. While we controlled for several factors such as sales and profit orientation, there may be many other factors that influence ITG practices and organizational performance (e.g., industry dynamics).
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 235
European Journal of Information Systems
For parsimony reasons, such factors were not consid- ered in the current study, but may be the focus of future research. Moreover, caution should be exercised when interpreting the qualitative responses, because they can be susceptible to social desirability biases.
Third, the model assumed a direct effect of the level of ITG by the board on performance. However, there can be many factors that mediate this effect (Dehning & Richardson, 2002; Kohli & Grover, 2008) or moderate it. Mediators can include intermediate IT-driven value factors, such as process improvements, service quality enhancements, and increases in customer satisfaction. Moderators may include the structure and quality interac- tions among the board, top executives, and the IT function (Kohli & Grover, 2008; Banker et al, 2011). The current model can benefit from adding such variables in future research. Moreover, it is possible that the current effects are spurious. Both board-level ITG and organizational perfor- mance may be influenced by unmeasured factors, such as the board’s composition or competency. Future research should better explore this possibility.
Finally, this study was conducted in a specific context. For increasing the findings’ generalizability, the study should be replicated in multiple countries, using different types of organizations, and utilizing various board-level ITG frameworks.
Conclusion Board-level ITG is an important IT management cap- ability that can lead to superior organizational perfor- mance. Boards consider at least two contingency factors for determining their level of ITG: their organizations’ need for new IT and the need for fast and reliable IT. In contrast to the widely held belief that this practice is healthy, we show that a higher level of ITG by the board, regardless of these internal contingencies, may help organizations generate greater gains with IT. Ultimately, this study adds to the bodies of knowledge regarding IT value, IT resources, and corporate governance by focusing on a relatively new IT management capability, board- level ITG, and by extending the scope of IT leadership to include the board of directors.
About the authors
Dr. Ofir Turel is a professor of information systems and decision sciences at the College of Business and Economics, California State University, Fullerton. Before joining the academia, he held senior positions in the information technology and telecommunications indus- tries. His research interests include a broad range of behavioural and managerial issues in various information systems contexts. His work received several national and international awards, and was presented in many con- ferences. He published over 40 articles in journals such as MIS Quarterly, Journal of MIS, European Journal of Information Systems, Communications of the ACM, Infor- mation & Management, Journal of Information Systems, Behavior & Information Technology, Telecommunications
Policy, Group Decision and Negotiation, and Communications in Statistics.
Dr. Chris Bart is a professor of Strategic Market Leadership (Strategy and Governance) at the DeGroote School of Business, McMaster University, Hamilton, Ontario and the Principal with Corporate Missions Inc. (http://www.corpor- atemissionsinc.com). In 2003, he helped found The Direc- tors College, Canada’s first university accredited director education programme. He is the author of the Canadian Business #1 best seller, A Tale of Two Employees and the Person Who Wanted to Lead Them as well as the CICA Publication, 20 Questions for Directors About Strategy. He has also published over 100 other articles, cases and reviews.
References APPLEBY C (2008) IT & the board: taking responsibility. Trustee 61(2),
14–17, 1. ARMSTRONG CP and SAMBAMURTHY V (1999) Information technology
assimilation in firms: the influence of senior leadership and it infrastructures. Information Systems Research 10(4), 304–327.
BANKER RD, HU N, PAVLOU PA and LUFTMAN J (2011) Cio reporting structure, strategic positioning, and firm performance. MIS Quarterly 35(2), 487–504.
BART CK (1993) General managers control new and existing products differently. Journal of Business Venturing 8(4), 341–361.
BART CK and TUREL O (2010) IT and the board of directors: an empirical investigation into the ‘GOVERNANCE QUESTIONS’ canadian directors ask about it. Journal of Information Systems 24(2), 147–172.
BHARADWAJ AS (2000) A resource-based perspective on information technology capability and firm performance: an empirical investiga- tion. MIS Quarterly 24(1), 169–196.
BRYNJOLFSSON E (1993) The productivity paradox of information technology. Communications of the ACM 36(12), 67–77.
BYRD TA, LEWIS BR and BRADLEY RV (2006) Is infrastructure: the influence of senior it leadership and strategic information systems planning. Journal of computer information systems 47(1), 101–113.
CANNELLA AA and HAMBRICK D (2001) Upper echelons: Donald Hambrick on executives and strategy. Academy of Management Executive 15(3), 36–44.
CASH JI, MCFARLAN FW, MCKENNEY JL and VITALE MR (1988) Corporate Information Systems Management: Text and Cases. Irwin, Homewood, IL.
CHATTERJEE D, RICHARDSON VJ and ZMUD RW (2001) Examining the shareholder wealth effects of announcements of newly created cio positions. MIS Quarterly 25(1), 43–70.
CHEN DQ, PRESTON DS and XIA WD (2010) Antecedents and effects of cio supply-side and demand-side leadership: a staged maturity model. Journal of Management Information Systems 27(1), 231–272.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart236
European Journal of Information Systems
CICA (2004) 20 Questions Directors Should Ask About It. Canadian Institute of Chartered accountants (CICA), Toronto, ON, pp 1–16.
DAILY CM, DALTON DR and CANNELLA AA (2003a) Introduction to special topic forum corporate governance: decades of dialogue and data. Academy of Management Review 28(3), 371–382.
DAILY CM, DALTON DR and RAJAGOPALAN N (2003b) Governance through ownership: centuries of practice, decades of research. Academy of Management Journal 46(2), 151–158.
DEHNING B and RICHARDSON VJ (2002) Returns on investments in information technology: a research synthesis. Journal of Information Systems 16(1), 7–30.
DEVARAJ S and KOHLI R (2000) Information technology payoff in the health-care industry: a longitudinal study. Journal of Management Information Systems 16(4), 41–67.
DEVARAJ S and KOHLI R (2003) Performance impacts of information technology: is actual usage the missing link? Management Science 49(3), 273–289.
DONALDSON L (1990) The ethereal hand: organizational economics and management theory. Academy of Management Review 15(3), 369–381.
EISENHARDT KM (1989) Agency theory: an assessment and review. Academy of Management Review 14(1), 57–74.
FAMA EF and JENSEN MC (1983) Separation of ownership and control. Journal of Law and Economics 26(2), 301–325.
FIEDLER FE (1964) A contingency model of leadership effectiveness. In Advances in Experimental Social Psychology. (BERKOWITZ L, Ed.), Academic Press, New York pp 149–190.
GAA JC (2009) Corporate governance and the responsibility of the board of directors for strategic financial reporting. Journal of Business Ethics 90(2), 179–197.
HABBERSHON TG, WILLIAMS M and MACMILLAN IC (2003) A unified systems perspective of family firm performance. Journal of Business Venturing 18(4), 451–465.
HARMAN HH (1976) Modern Factor Analysis. The University of Chicago Press, Chicago, IL.
HART SL (1995) A natural resource-based view of the firm. Academy of Management Review 20(4), 986–1014.
HITT LM and BRYNJOLFSSON E (1996) Productivity, business profitability, and consumer surplus: three different measures of information technology value. MIS Quarterly 20(2), 121–142.
HOPKINS MS and BRYNJOLFSSON E (2010) The four ways it is revolutionizing innovation. MIT Sloan Management Review 51(3), 51–56.
HUFF SL, MAHER M and MUNRO MC (2004) What boards don’t know – but must do – about information technology. Ivey Business Journal (September/October), 1–4.
HUFF SL, MAHER M and MUNRO MC (2005) Adding value: the case for adding it-savvy directors to the board. Ivey Business Journal (November/ December), 1–5.
ISO (2008) ISO/IEC Standard 38500: Corporate Governance of Information Technology. International Organization for Standardization (ISO), Geneva, Switzerland.
IT GOVERNANCE INSTITUTE (2003) Board Briefing on it Governance. IT Governance Institute, Rolling Meadows, IL.
JOHNSON AM and LEDERER AL (2010) Ceo/cio mutual understanding, strategic alignment, and the contribution of is to the organization. Information & Management 47(3), 138–149.
JOHNSON JL, DAILY CM and ELLSTRAND AE (1996) Boards of directors: a review and research agenda. Journal of Management 22(3), 409–438.
KOHLI R and DEVARAJ S (2003) Measuring information technology payoff: a meta-analysis of structural variables in firm-level empirical research. Information Systems Research 14(2), 127–145.
KOHLI R and GROVER V (2008) Business value of it: an essay on expanding research directions to keep up with the times. Journal of the Association for Information Systems 9(1), 23–39.
KRIPPENDORFF K (1980) Content Analysis: An Introduction to its Methodol- ogy. Sage Publications, Beverly Hills, CA.
KROLL M, WALTERS BA and WRIGHT P (2008) Board vigilance, director experience, and corporate outcomes. Strategic Management Journal 29(4), 363–382.
LAUX V (2010) Effects of litigation risk on board oversight and ceo incentive pay. Management Science 56(6), 938–948.
LEWIS BR and BYRD TA (2003) Development of a measure for the information technology infrastructure construct. European Journal of Information Systems 12(2), 93–109.
LINDELL MK and WHITNEY DJ (2001) Accounting for common method variance in cross-sectional research designs. Journal of Applied Psychology 86(1), 114–121.
MATA FJ, FUERST WL and BARNEY JB (1995) Information technology and sustained competitive advantage: a resource-based analysis. MIS Quarterly 19(4), 487–505.
MCAFEE A and BRYNJOLFSSON E (2008) Investing in the it that makes a competitive difference. Harvard Business Review 86(7–8), 98–107.
MCFARLAN FW, MCKENNEY JL and PYBURN P (1983) Information archipe- lago: plotting a course. Harvard Business Review 61(1), 145–161.
MCGUIRE JB, SUNDGREN A and SCHNEEWEIS T (1988) Corporate social responsibility and firm financial performance. Academy of Management Journal 31(4), 854–872.
MELVILLE N, KRAEMER K and GURBAXANI V (2004) Review: information technology and organizational performance: an integrative model of it business value. MIS Quarterly 28(2), 283–322.
MINICHILLI A, ZATTONI A and ZONA F (2009) Making boards effective: an empirical examination of board task performance. British Journal of Management 20(1), 55–74.
MUELLER GC and BARKER VL (1997) Upper echelons and board characteristics of turnaround and nonturnaround declining firms. Journal of Business Research 39(2), 119–134.
MUKHOPADHYAY T, KEKRE S and KALATHUR S (1995) Business value of information technology: a study of electronic data interchange. MIS Quarterly 19(2), 137–156.
NOLAN R and MCFARLAN FW (2005) Information technology and the board of directors. Harvard Business Review 83(10), 96–106.
O’DONNELL E (2004) Discussion of director responsibility for it govern- ance: a perspective on strategy. International Journal of Accounting Information Systems 5(2), 101–104.
O’SHANNASSY T (2010) Board and ceo practice in modern stra- tegy-making: how is strategy developed, who is the boss and in what circumstances? Journal of Management & Organization 16(2), 280–298.
OTLEY DT (1980) The contingency theory of management accounting: achievement and prognosis. Accounting, Organizations and Society 5(4), 413–428.
PAVLOU PA, LIANG HG and XUE YJ (2007) Understanding and mitigating uncertainty in online exchange relationships: a principal-agent perspective. MIS Quarterly 31(1), 105–136.
PETERAF MA (1993) The cornerstone of competitive advantage: a resource-based view. Strategic Management Journal 14(3), 179–191.
PRESTON DS, LEIDNER DE and CHEN D (2008) Cio leadership profiles: implications of matching cio authority and leadership on it impact. MIS Quarterly Executive 7(2), 57–69.
RAGHUNATHAN B and RAGHUNATHAN TS (1990) Planning implications of the information-systems strategic grid: an empirical investigation. Decision Sciences 21(2), 287–300.
RAGHUNATHAN B, RAGHUNATHAN TS and TU Q (1998) An empirical analysis of the organizational commitment of information systems executives. Omega - International Journal of Management Science 26(5), 569–580.
RAGHUNATHAN B, RAGHUNATHAN TS and TU Q (1999) Dimensionality of the strategic grid framework: the construct and its measurement. Information Systems Research 10(4), 343–355.
RAGHUPATHI W (2007) Corporate governance of it: a framework for development. Communications of the ACM 50(8), 94–99.
RAVICHANDRAN T and LERTWONGSATIEN C (2005) Effect of information systems resources and capabilities on firm performance: a resource- based perspective. Journal of Management Information Systems 21(4), 237–276.
RAY G, BARNEY JB and MUHANNA WA (2004) Capabilities, business processes, and competitive advantage: choosing the dependent variable in empirical tests of the resource-based view. Strategic Management Journal 25(1), 23–37.
READ TJ (2004) Discussion of director responsibility for it governance. International Journal of Accounting Information Systems 5(2), 105–107.
ROSEMANN M and VESSEY I (2008) Toward improving the relevance of information systems research to practice: the role of applicability checks. MIS Quarterly 32(1), 1–22.
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 237
European Journal of Information Systems
SANTHANAM R and HARTONO E (2003) Issues in linking information technology capability to firm performance. MIS Quarterly 27(1), 125–153.
STREBEL P (2004) The case for contingent governance. MIT Sloan Management Review 45(2), 59–66.
TALLON PP (2010) A service science perspective on strategic choice, it, and performance in us banking. Journal of Management Information Systems 26(4), 219–252.
TALLON PP and KRAEMER KL (2007) Fact or fiction? A sensemaking perspective on the reality behind executives’ perceptions of it business value. Journal of Management Information Systems 24(1), 13–54.
TALLON PP, KRAEMER KL and GURBAXANI V (2000) Executives’ perceptions of the business value of information technology: a process-oriented approach. Journal of Management Information Systems 16(4), 145–173.
TOPI H, VALACICH JS, WRIGHT RT, KAISER K, NUNAMAKER Jr. JF, SIPIOR JC and DE VREEDE GJ (2010) Is 2010: curriculum guidelines for undergraduate degree programs in information systems. Communications of the Association for Information Systems 26(Article 18), 359–428.
TRITES G (2004) Director responsibility for it governance. International Journal of Accounting Information Systems 5(2), 89–99.
TUKANA S and WEBER R (1996) An empirical test of the strategic-grid model of information systems planning. Decision Sciences 27(4), 735–765.
TUREL O, SERENKO A and GILES P (2011) Integrating technology addiction and use: an empirical investigation of online auction users. MIS Quarterly 35(4), 1043–1061.
TUREL O and SERENKO A (2012) The benefits and dangers of enjoyment with social networking websites. European Journal of Information Systems 21(5), 512–528.
VANCE SC (1968) The Corporate Director: A Critical Evaluation. Dow Jones- Irwin, Homewood, IL.
WADE M and HULLAND J (2004) Review: the resource-based view and information systems research: review, extension, and suggestions for future research. MIS Quarterly 28(1), 107–142.
WEILL P (2004) Don’t just lead, govern: how top-performing firms govern it. CISR WP No. 341, Center for Information Systems Research, Massachusetts Institute of Technology, Sloan School of Management, Cambridge, MA, pp 1–21.
WEILL P and OLSON MH (1989) An assessment of the contingency theory of management information systems. Journal of Management Informa- tion Systems 6(1), 59–85.
WEILL P and ROSS JW (2004) It Governance: How Top Performers Manage it Decision Rights for Superior Results. Harvard Business School Press, Boston, MA.
WIGGINS RR and RUEFLI TW (2002) Sustained competitive advantage: temporal dynamics and the incidence and persistence of superior economic performance. Organization Science 13(1), 82–105.
WILKIN CL and CHENHALL RH (2010) A review of it governance: a taxonomy to inform accounting information systems. Journal of Information Systems 24(2), 107–146.
WILKINSON D (2004) The cica’s it competency model. International Journal of Accounting Information Systems 5(2), 245–250.
ZAHRA SA and PEARCE JA (1989) Boards of directors and corporate financial performance: a review and integrative model. Journal of Management 15(2), 291–334.
Appendix A
Recommended IT issues to be discussed by the board (CICA, 2004) For each question/issue please state whether the board of directors of the organization you selected raised or considered this question/issue (or a similar one) (Yes/No)
IT STRATEGIC ISSUES
1. Does management have a strategic information systems plan in place that is monitored and updated as required?
2. Does this strategic information systems plan form the basis for the annual plans, annual and long-term budgets and the prioritization of
information technology projects?
3. Have appropriate procedures been established to ensure that the organization is aware of technology trends, periodically assessing them
and taking them into consideration when determining how it can better position itself?
4. Have key performance indicators and drivers of the IT department been determined?
5. Are they monitored from time to time and are they benchmarked against industry standards?
6. Have relevant indicators been defined and monitored to manage the performance of the organization’s third-party information technology
service providers?
7. How has management identified the required information technology expertise?
8. How is top information technology talent attracted?
9. Does management have appropriate procedures to address information technology employee turnover, training and project assignment?
IT INTERNAL CONTROL ISSUES
10. Has the board considered the creation of an IT subcommittee or assigned a board member specific responsibility for the organization’s
investment in, and use of, information technology?
11. Has the responsibility for IT corporate governance been assigned to a person in a sufficiently senior management position?
12. How does management communicate their IT policies to personnel?
13. What procedures are in place to ensure that the company’s information systems and management are in compliance with Sarbanes-Oxley
and/or CSA Investor Confidence rules, as appropriate?
IT RISK ISSUES
14. Does management have a plan to periodically conduct risk assessments covering the organization’s use of information technology,
including internal systems and processes, outsourced services and the use of third-party communications and other services?
15. If management does have a risk assessment plan, are the results of the assessments acted on where appropriate or required?
Board-level IT governance and organizational performance Ofir Turel and Chris Bart238
European Journal of Information Systems
16. How does management ensure data integrity, including relevance, completeness, accuracy and timeliness, and its appropriate use within
the organization?
17. What arrangements does the organization have for the regular review and audit of its systems to ensure risks are sufficiently mitigated and
controls are in place to support the major processes of the business?
18. Has the organization assigned someone the responsibility for privacy policy, privacy legislation and compliance therewith?
19. Has the organization identified the set of legislative and regulatory requirements for protecting personal information and developed a
policy and procedures for monitoring compliance with them?
20. If the organization uses e-business to buy or sell products or services, has there been a specific review of the risks and controls over the
e-business activities?
21. Are the organization’s e-business activities appropriately protected from external and internal attack by unauthorized persons or others
that, if successful, would result in loss of customer satisfaction or public embarrassment?
22. Has the organization adopted formal availability policies?
23. Has the organization implemented effective controls to provide reasonable assurance that systems and data are available in conformity with
availability policies?
24. Does the organization understand the impact of an interruption in service and are there plans in place to deal with potential interruptions?
25. Has a business continuity plan been adopted? And if so, is it tested regularly and are the results used to improve the plan?
26. Has management considered and addressed legal implications that pertain to the use of software, hardware, service agreements, and
copyright laws?
27. Have policies covering licenses, agreements, copyright, and acceptable use been formulated and disseminated to all personnel?
Board-level IT governance and organizational performance Ofir Turel and Chris Bart 239
European Journal of Information Systems
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.