discussion online
JOURNAL OF INFORMATION SYSTEMS American Accounting Association Vol. 31, No. 1 DOI: 10.2308/isys-51365 Spring 2017 pp. 59–77
IT Governance and the Maturity of IT Risk Management Practices
Nishani Edirisinghe Vincent The University of Tennessee at Chattanooga
Julia L. Higgs Robert E. Pinsker
Florida Atlantic University
ABSTRACT: The Securities and Exchange Commission’s enhanced disclosure rule on risk oversight, state laws requiring public disclosure of compromised customer information, and high-profile customer information breaches
have caused Information Technology (IT) risk management practices to be a major concern for boards of directors
and management. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise
Risk Management (ERM) framework emphasizes the importance of the board’s oversight role while also bringing
attention to the firm’s reporting structure. Consequently, our study examines whether the maturity of IT risk
management practices depends on Chief Information Officer (CIO) reporting structure and Chief Executive Officer
(CEO)/Chairman duality. We develop a scale to measure strategic and operational maturity under the larger auspice
of IT risk management and distribute a survey to high-level IT professionals. Our survey also captures the reporting
structure of their firms. Consistent with our hypothesis, we find that the maturity of strategic IT risk management
practices are higher when the CIO reports directly to the CEO. However, contrary to expectations, we do not find that
operational risk management is more mature when the CIO reports to the Chief Financial Officer (CFO). Instead,
operational risk management is higher when the CIO reports to the CEO. For public firms, the maturity of IT risk
management practices are higher when the CEO is also the chairman of the board of directors. As C-level officers
may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and
interested stakeholders on how well IT risk is managed and factors that affect IT governance.
Keywords: IT risk management; CIO reporting structure; board leadership structure; scale development; IT governance.
I. INTRODUCTION
I n December 2009, the Securities and Exchange Commission (SEC 2009) approved enhanced proxy disclosure
requirements for the board of directors’ role in risk oversight. 1
The rule requires firms to report the boards’ leadership
structure and the relationship between the board and C-suite executives when managing the material risks facing the firm.
With the increased dependence on Information Technology (IT), senior management and boards of directors have become
more aware of the need to manage and oversee IT risks (Turel and Bart 2014). However, a recent National Association of
Corporate Directors (NACD 2014a) survey indicates 36 percent of board members are not satisfied with the quality of
information provided by management on IT risk and 52 percent are not satisfied with the quantity of that information.
We thank the ISACA for hosting the survey on the association’s website and ISACA members for their enthusiastic participation.
Supplemental material can be accessed by clicking the link in Appendix A.
Editor’s note: Accepted by Roger S. Debreceny.
Submitted: March 2015 Accepted: December 2015
Published Online: December 2015
1 The requirements are based on SEC Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09 (SEC 2009; available at: http://www.sec.gov/ news/press/2009/2009-268.htm). The requirement represents a new disclosure requirement to Item 407 of Regulation S-K and a corresponding amendment to Item 7 of Schedule 14A.
59
We contend that a firm’s reporting structure is a significant determinant of how well IT risk is managed and communicated to
internal stakeholders (e.g., the board) (Information Systems Audit and Control Association, Inc. [ISACA] 2012). Consequently,
our study focuses on the following two issues related to firm structure and its effect on IT risk management practices. First, it
examines whether the Chief Information Officer (CIO) reporting structure affects the maturity (i.e., the extent to which
management performs particular activities to identify, assess, monitor, and respond to IT-related risks) (ISACA 2009a; KPMG
2013) of two types of IT risk management practices (benefit/value enablement and operations/service delivery). Second, it
examines whether Chief Executive Officer (CEO)/Chairman duality is associated with mature IT risk management practices.
Our study explores one of the areas that Wilkin and Chenhall (2010) identified in their taxonomy of information technology
governance (ITG). Specifically, of the five main areas within ITG that they describe (strategic alignment, risk management,
resource management, value delivery, and performance measurement), we delve into risk management practices. Most germane to
our study, Wilkin and Chenhall (2010) identify the roles of senior management and the board of directors as two key, yet
understudied, considerations within risk management. Thus, our study helps to address this issue by providing empirical evidence
related to the importance of CIO reporting structure and board leadership structure on the maturity of IT risk management practices.
Results from the NACD (2014a) survey provide a strong indication of an immediate need for firms to improve IT-related risk
management practices. In order to provide effective monitoring and advising, the board should receive adequate and timely
information on important issues such as the current IT risk exposure and the IT risk management and governance processes in the
firm (Hall, Keane, McConnell, and Becker 2005). The firm’s reporting structure may influence the extent to which the board is
informed of these matters; thus, impacting the effectiveness of board oversight. Conversely, the board leadership structure may also
influence the interactions among board members, affecting the board’s oversight of IT risk management. Relevant ITG frameworks
(e.g., COBIT 5, ISACA 2012) encourage board of director involvement through evaluating, directing, and monitoring IT. The
Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management (ERM) framework (COSO
2004) further emphasizes the importance of the board’s oversight role and the firm’s reporting structure in identifying events,
assessing risks, and providing reasonable assurance that the company achieves its objectives and goals.
Drawing upon upper echelon (Hambrick and Mason 1984) and agency (Hall et al. 2005) theories, we hypothesize that the
maturity of IT risk management practices will be higher for the benefit/value enablement (strategic) risk category when the CIO
reports to the CEO, and for the operations/service delivery (operational) risk category when the CIO reports to the Chief
Financial Officer (CFO). Further, we hypothesize that IT risk management practices will be more mature in firms where the
CEO and board chairman positions are separated. We developed a scale to measure IT risk management practices based on the
two critical risk categories identified and adapted from the Risk IT Framework (ISACA 2009a). Specifically, ten benefit/value
enablement and nine operations/service delivery items were identified to potentially represent these two categories of IT risk
management practices. In a survey completed by 158 senior U.S. IT professionals, we collected information on their firms’ CIO
reporting structure, board structure, and IT risk management activities related to the two risk categories.
Results indicate that the maturity of benefit/value enablement IT risk management practices is higher for firms when the
CIO reports to the CEO, rather than when the CIO reports to any other executive. Contrary to our hypothesis, we do not find the
maturity of operations/service delivery IT risk management practices to be higher when the CIO reports to the CFO; however,
we conduct additional analysis and find that this risk category is more mature when the CIO reports to the CEO. We also find
that the maturity of both types of IT risk management practices are higher for firms when the CEO is the chairman of the board
for publicly traded firms. In aggregate, our findings suggest that (1) the CEO is in the best position to oversee the management
of IT risks, and (2) that the communication of IT risk issues between management and the board may be enhanced when the
CEO is also the chairman of the board.
Our study explores firm reporting structures and their impact on risk management practices; thus, our findings make
multiple contributions to the growing ITG literature. The increasing use of IT by firms potentially leads to greater IT risk
exposure, which magnifies the importance of management’s IT risk assessments (representing a specific, but broad category of
firm risk) (Huff, Maher, and Munro 2004; Parent and Reich 2009; NACD 2013) and board oversight. Our results add to the
academic risk assessment literature, and also help firms establish effective reporting structures for senior management and
boards to mitigate the level of IT risk exposure.
Additional testing shows that the CIO reporting structure and the board leadership structure do not affect the maturity of all risk
management practices equally. This finding may help the C-suite executives to focus their attention on particular IT risk
management practices. Further, our study is the first to empirically test items from the risk management scenarios identified in the
Risk IT Practitioner Guide (ISACA 2009b). The 19 items identified can be used in future research exploring IT risk management.2
2 The Risk IT Practitioner Guide (ISACA 2009b) includes various detailed management best practices and procedures that firms can implement complimenting both the Risk IT Framework (ISACA 2009a) and the COBIT 5 Framework (ISACA 2012); both frameworks provide guidance at a highly conceptual level. Yet, the areas identified in both frameworks have not been empirically tested to identify whether a particular set of best practices can reliably measure the theoretical construct of IT risk management practices.
60 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
Moreover, the results of our study inquire the aptness of taking an agency perspective in dealing with oversight and direct
governance research to explore alternative explanations.
The subsequent sections are organized as follows. The next section provides a literature review of IT governance and IT
risks followed by hypothesis development. Section III explains the method used in this study. After the ‘‘Results’’ section, a conclusion is provided discussing the key findings, future research and the limitations of the study.
II. LITERATURE REVIEW AND HYPOTHESIS DEVELOPMENT
IT Governance
Patel (2002, 34) defines IT governance (ITG) as the ‘‘organizational capacity to control the formulation and
implementation of IT strategy and [provide] . . . proper direction for the purpose of achieving competitive advantage for the corporation.’’
3 It aims to ensure ‘‘effective utilization of IT by focusing on strategic alignment, risk management, resource
management, value delivery and performance measurement’’ (Wilkin and Chenhall 2010, 107). ITG has recently been systematically adopted by larger firms. Further, investment in IT typically represents a significant proportion of current capital
spending in many industries (Debreceny 2013), making it critically important to have effective ITG practices. If effective, ITG
should lead to lower costs, satisfied customers, and better quality products or services (Wilkin and Chenhall 2010).
Issues related to ITG have gained the attention of practitioners in recent years as a result of increased regulatory
compliance, significance of the investment required, poor track record of IT investment, widely reported breach incidents, and
globalization. We focus on the role of firms’ reporting structures and board leadership structures on IT risk management
practices, consistent with their importance identified in Wilkin and Chenhall’s (2010, 118, 119, 121) taxonomy. Even if IT is
not a strategic enabler in a firm, IT risk management is an important topic to discuss because (1) boards of directors are
increasingly concerned with how to provide adequate risk oversight of IT (PwC 2013; NACD 2014b), and (2) IT risk
management is an essential element of the firms’ internal controls, as IT vulnerabilities have an effect on the reliability of the
financial statements, compliance with laws and regulations, and effectiveness and efficiency of operations.
IT Risk Management Practices
The Risk IT Framework (ISACA 2009a) is a comprehensive framework that provides best practice guidelines that are common to all firms. This framework defines IT risk as ‘‘the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events and conditions that could
potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting
strategic goals and objectives’’ (ISACA 2009a, 7).
Common risks included in the Risk IT Framework (ISACA 2009a) and similar frameworks (e.g., COBIT 5 [ISACA 2012]) typically assessed by firms are the following: (1) IT benefit/value enablement—risks associated with missed opportunities to
use technology to improve the effectiveness and efficiency of business processes; (2) IT program/project delivery—risks
associated with quality, relevance, and overrun of projects that tie into the IT investment portfolio management; and (3) IT
operations and service delivery risks—risks associated with the performance of IT systems and services such as service
interruptions, compliance, and security. Since IT program/project delivery risks are conjoined with strategic and operational IT
risks and already possess extensive research in the project management literature (Taylor, Artman, and Woelfer 2012), we
focus our attention on the two remaining and understudied IT risk categories of benefit/value enablement risks and operations/
service delivery risks.
IT risk should be managed properly for firms to effectively communicate internally and efficiently report material
information externally to interested stakeholders (e.g., owners/investors, creditors, and regulators [ISACA 2012]).Wilkin and
Chenhall (2010, 119–121) identify four focus areas in the IT risk management literature: (1) understanding the types of IT risks
in different contexts, (2) identifying strategies to manage risk, (3) establishing the role of the board, and (4) establishing the role
of the senior management. Our study subsumes the latter three areas. Prior research identifies numerous IT risk factors and
categories within the four areas identified above. For example, Sherer and Alter (2004) provide a detailed description of the IT
risk literature organized by work system elements (system participants, information, technology, work practices, product/
service, customers, environment, infrastructure, and strategy). Smith and McKeen (2009) explain that both external IT risk
factors (third-party vendors, legal regulatory environment, and general hazards) and internal IT risk factors (information,
3 Similarly, ITG is defined by Debreceny (2013, 129) as ‘‘the process by which organizations seek to ensure that their investment in information technology facilitates strategic and tactical goals.’’ Even though there are many definitions of ITG, they all focus on achieving a link between business and IT.
IT Governance and the Maturity of IT Risk Management Practices 61
Journal of Information Systems Volume 31, Number 1, 2017
people, culture, controls, etc.) can affect the firm. McKeen and Smith (2003) categorize IT risk into eight categories: financial
risk, technology risk, security, information and people, business process, management, external, and risk of success. Sutton,
Hampton, Khazanchi, and Arnold (2008) categorize business-to-business e-commerce risks into three categories: technical,
application user, and business risks. In aggregate, the differences in factors and categories listed above are based on context,
which causes a lack of consensus related to IT risk categories in the extant literature.
After identifying IT risks, firms engage in various risk management practices. To facilitate the risk management process,
various professional organizations have developed risk management frameworks. COSO’s Enterprise Risk Management (ERM),
the Internal Organization for Standardization’s (ISO) 27001 and 31000, and the ISACA’s COBIT framework are widely used
frameworks in practice. COSO ERM and ISO 31000 take an enterprise-wide approach to risk management and, conceptually,
include all aspects of risks a firm is faced with. Conversely, ISO 27001 focuses on information security risk management, whereas
COBIT generally takes an enterprise-wide holistic approach to IT governance. The Risk IT Framework (ISACA 2009a), a component of the latest version of COBIT (i.e., COBIT 5, ISACA 2012) focuses on IT-related risks and risk management practices.
Consequently, when considering the broad nature of IT risks, we look to the ISACA’s (2009a) Risk IT Framework and related IT Practitioner Guide (ISACA 2009b) for guidance in developing the IT risk management practices instrument.4
Finally, the Risk IT Framework (ISACA 2009a) suggests that the management and governance of IT risks within a firm depends on risk appetite, awareness, expectations, behavior toward risk taking, experience with negative outcomes, and policy
compliance of senior management. Consequently, firms may have varying methods for managing the same IT risk. Based on
prior literature (e.g., B. Raghunathan and T. Raghunathan 1989; Lindorff 2005; Ali, Green, and Robb 2013) that finds a
significant relationship between management reporting structure and firm performance, we contend that the reporting structure
is a significant determinant of effective management and oversight of IT risk management. Therefore, the next section develops
the hypotheses based upon this extant literature.
CIO Reporting Structure
Given the depth and breadth of what constitutes ‘‘IT risk’’ and the extent of the consequences of a vulnerability, firms are increasingly focusing on IT risk management practices and governance (Parent and Reich 2009; ISACA 2012). Consequently,
the firm’s burden of IT risk management has fallen to someone who possesses IT knowledge, the CIO. The CIO position was
created within the C-suite to facilitate and create a competitive advantage through technology development. The creation of a
CIO position is perceived as a value addition to the firm by market participants (Chatterjee, Richardson, and Zmud 2001).
Further, Stephens, Ledbetter, Mitra, and Ford (1992) conduct an observational study to examine whether a CIO operates as an
executive, rather than as a functional manager. They observe five CIOs from various industries over five days and compared the
length of scheduled/unscheduled meetings, interactions outside of the information technology unit, responsibilities, and
participation in strategic meetings to prior research findings. Based on the comparisons, Stephens et al. (1992) conclude that the
CIO operates as an executive.
After more clearly defining the CIO’s role in the literature, the extant research shifts to exploring whether the CIO
reporting structure is important to the strategic alignment of IT and business. 5
Gottschalk (1999) finds that firms with a formal
IT strategy are more likely to have a higher reporting level with more people reporting to the CIO, compared to firms without a
formal IT strategy. Furthermore, Banker, Hu, Pavlou, and Luftman (2011) find that a firm’s strategic position ( product/service
differentiation or cost leadership) determines the CIO reporting structure. CIOs are more likely to report to the CEO in firms
with a product/service differentiation focus, whereas cost leaders are more likely to have the CIO report to the CFO.
Raghunathan and Raghunathan (1989) examine whether the rank of the CIO (one, two, or three plus ranks below the CEO)
is important for various aspects of IT use. They find significant relationships between the rank of the IT manager and two
aspects of IT; namely, the strategic orientation of IT and the importance given to IT planning. Further, they find that the CIO
has an impact on IT strategy and IT planning only when (s)he reports directly to the CEO. However, when the CIO is at a lower
rank, the authors find that the CIO has no significant impact. Preston, Chen, and Leidner (2008) discover that the CIO’s
structural power (CIO rank) directly influences the CIO’s strategic decision-making authority. Luftman and Kempaiah (2007)
suggest that the CIO reporting structure is positively correlated with the maturity of business/IT alignment. These empirical
findings indicate that the CIO’s reporting structure is an important facet of the attention given to IT management in a firm.
4 COBIT 5 (ISACA 2012) integrates existing ISACA guidance into a single framework, which includes the Risk IT Framework (ISACA 2009a). Since we focus only on IT risks in this study, the Risk IT Framework enables us to disentangle the IT risk management components from the broad concepts of IT governance, IT management, and corporate risk management. Further, the Risk IT Practitioner Guide provides the necessary detail and comprehensive IT risk scenarios and management practices to provide us with a starting point for our survey (to be discussed more fully in the ‘‘Method’’ section).
5 IT/business strategic alignment is defined as the fit between the strategic orientation of the firm and the strategic orientation of the existing portfolio of IT applications (Johnson and Lederer 2010).
62 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
Theoretical Underpinnings Related to CIO Reporting Structure
In order to understand the strategic choices made by firms, one must understand the biases and disposition of the most
powerful actors (Hambrick 2007). Upper echelon theory suggests that the firm outcomes, such as performance (IT/business
alignment in this case), cannot be explained by considering one actor (Hambrick and Mason 1984). Hambrick (2007, 334)
further suggests that the ‘‘leadership of a complex organization is a shared activity, and the collective cognitions, capabilities,
and interactions of the entire top management team (TMT) enter into strategic behaviors.’’ Additionally, strategic choice theory
states that firm leaders influence the design and structure of the firm (Child 1997). Based on these two theories, one can
presume that the rank of the CIO (i.e., the reporting structure) and the IT risk management practices are an outcome of the
complex interactions among the top management team and the board. However, there is no clear answer as to whether the
reporting structure drives the risk management process maturity or whether the need to manage risks drives the design of the
reporting structure. We do not attempt to establish causality, but rather, we seek to understand whether different reporting
structures lead to a greater focus on different risk management processes.
The information systems (IS) literature exploring the upper echelon theory perspective suggests that IT/business alignment
is achieved when the relationship between the CIO and the top management team is based on a shared understanding (Gupta
1991; Feeny, Edwards, and Simpson 1992; Jones, Taylor, and Spencer 1995; King 2013) and the CIO uses personal appeal
(appeal to target’s feelings of loyalty and friendship toward him/her) to gain commitment from peers (Enns, Huff, and Higgins
2003). More closely aligned to our study, Ali et al. (2013) find that communications among senior managers are strongly
associated with IT governance outcomes. Therefore, the person to whom the CIO reports influences the focus of the CIO
responsibilities and the type of IT risks managed, resulting in the maturity of certain risk management processes.
Johnson and Lederer (2007) indicate CEOs are more optimistic than CIOs about the current and future strategic role of IT.
Consequently, the CIO is likely to spend more time on strategic planning of IT when (s)he reports to the CEO. The more
involved the CIO is with business strategy, the more the firm is likely to take advantage of new technology to improve business
process efficiency and to undertake new business initiatives, such as using mobile technology and bring your own device to
work programs, to minimize lost opportunities (minimize benefit/value enablement risks). Thus, benefit/value enablement risk
management practices are expected to be more mature in firms where the CIO directly reports to the CEO than for firms where
the CIO reports to any other C-suite executive.
H1a: The maturity of IT risk management practices for benefit/value enablement risks is higher for firms in which the CIO reports directly to the CEO than it is for firms in which the CIO reports to any other C-suite executive.
CFOs are increasingly working together with CIOs in order to achieve regulatory compliance requirements (Lindorff
2005). Recently, the CIO-CFO relationship has been in the spotlight because of the necessary collaboration between the two
executives. Savidge (2008) identifies financial expertise as a required component of technology management and recommends
CFO involvement in areas such as ensuring effective service contracts, assisting system conversions, providing project
management, and managing technology vendors. Weismantel (2007) argues that CFOs are more focused on transaction
processing and regulatory compliance.
As suggested by upper echelon theory (Hambrick and Mason 1984; Hambrick 2007), when the CIO reports to the CFO,
increased interactions between the CIO and the CFO help build synergistic cognitive capabilities between the two executives.
Since the CFO is more inclined to be focused on internal controls, compliance, and security of information, the CIO will
develop a better understanding of these issues by working closely with the CFO. Hence, the CIO will be more inclined to focus
on IT risk areas that affect the firm’s financial reporting and operational performance. Therefore, the operations/service delivery
risk management process is expected to be more mature for firms in which the CIO reports to the CFO. 6
H1b: The maturity of IT risk management practices for operations/service delivery risks is higher for firms in which the CIO reports directly to the CFO than it is for firms in which the CIO reports to any other C-suite executive.
Board Leadership Structure—CEO/Chairman Duality
PwC (2013) surveyed 934 public company directors regarding the effectiveness of IT strategy and risk oversight. They find
that one-third of boards spent more time on IT strategy and risk in 2013 than was spent in 2012. Additionally, 61 percent of
6 Another factor that may be significant is that audit committees are charged, under specific regulations, with ensuring that the board has a risk oversight (RO) program. Although RO can be assigned to the entire board or other committees, the audit committee members will have some level of involvement. Further, because of regular interactions between the audit committee and the CFO, the reporting structure of the CIO may have an impact on board level and, specifically, audit committee awareness of IT risk issues. However, we do not explicitly examine this possibility.
IT Governance and the Maturity of IT Risk Management Practices 63
Journal of Information Systems Volume 31, Number 1, 2017
respondents indicated that they want to spend more time considering related risks in the coming year, and 35 percent report that
they receive advice from outside consultants on a project-specific basis. The survey finds that 32 percent of respondents
believed that they lack sufficient understanding of IT to support their company’s strategy and IT risk mitigation; however,
while the majority of directors were more engaged in overseeing traditional IT issues, such as IT implementation and IT
budgets, they were not confident about their understanding of issues related to emerging technologies.
The extant literature suggests that board members’ IT competency is positively associated with IT governance (Jewer and
McKay 2012); and the firm’s strategic use of IT influences the questions board members ask regarding IT governance (Bart and
Turel 2010; Turel and Bart 2014). However, the leadership of the board may influence IT risk issues discussions at the board
level. Since the SEC’s enhanced proxy disclosure requirement mandates firms to disclose the relationship between management
and the board in communicating risk issues, we explore the role of CEO duality on IT risk management.
Hall et al. (2005) argue that governance reforms to displace CEO-centric corporate cultures (i.e., when the CEO also chairs
the board of directors), is a result of large public company failures such as Enron and WorldCom. Corporate governance
reforms, based on an agency theory perspective, have moved toward separating the board chair position from the CEO (Hall et
al. 2005).
In a report to the United States District Court, Breeden (2003, 69–71) mentions that ‘‘under the ‘Chairman and CEO’
structure, independent board members are left leaderless unless there is a ‘lead director.’ This lack of board leadership makes it
more difficult and less likely at the margin that board members will develop independent consensus views on issues.’’ However,
Breeden (2003) also contends that having a lead director represent the independent board members has its own challenges. He
further advocates for creating a nonexecutive chairman separate from the CEO, as boards are often strongly supportive of
decisions made by the CEO and management team. Breeden (2003, 71) argues that having a chairman separate from the CEO
‘‘will facilitate adequate time being devoted at a very high level to board interaction and communication. [Having a chairman
who is separate from the CEO] should facilitate an active and involved board, which is essential to healthy governance.’’ Therefore, taking an agency theory perspective, when the CEO is separate from the chairman, the board will be more
aggressive and proactive rather than being a passive receiver of information (Huff et al. 2004). Extrapolating this argument to
an IT risk management context, the board will be able to provide better oversight of IT risk issues if the CEO is separate from
the chairman because the board will be less dependent on the CEO regarding IT risk oversight. Therefore, having a CEO
separate from the board chairman should lead to a higher level of IT risk management maturity, relative to when the CEO is
also the chairman of the board. Consequently, IT risk management practices for both IT risk categories will be higher for firms
when the CEO is separate from the board chairman position. 7
H2: The maturity of IT risk management practices for benefit/value enablement risks and operations/service delivery risks is higher for firms in which the CEO is separate from the board chairman than it is for firms in which the CEO is the
chairman of the board.
III. METHOD
Development of Latent Variables and Construct Measures
IT Risk Management Practices
Our main constructs of interest are the two categories of IT risk that need to be managed in our context: benefit/value
enablement and operations/service delivery. These theoretical constructs are neither directly observable nor measurable, but can
only be estimated by a set of indicators (observable variables). We develop a scale to measure these constructs, since there are
no established scales that identify these IT risk management practices other than those limited to a particular technology or
context. 8
In order to identify the risk management practices we looked to the Risk IT Framework (ISACA 2009a) and the Risk
7 Even though we hypothesize this direction based on agency theory, an alternative direction can be predicted using stewardship theory. We explain this further in the ‘‘Results’’ section.
8 There are various maturity models suggested in the literature (capability maturity model, software maintenance maturity model, etc.). The purpose of a maturity model is to provide guidance on the assessment of the firm’s processes against a set of best practices. Therefore, a maturity model acts as a diagnostic tool and helps firms identify areas of improvement. Consequently, after risk assessment the firm identifies a maturity level. These models imply that at any given level of maturity, the lower maturity levels were achieved (i.e., a firm with a Level-2 maturity has achieved Level-0 and Level-1 in order to get to Level-2). However, not all firms will aim for the highest maturity level. Therefore, the purpose of developing our scale is to understand the various dimensions that constitutes the theoretical construct, which is the IT risk management practices. Our scale is based on the risk scenarios and management practices provided at a highly conceptual level in the Risk IT Framework (ISACA 2009a) and at a more detailed level in the Risk IT Practitioner Guide (ISACA 2009b), which includes 36 IT risk scenarios. We use these scenarios and cull and modify them to develop the scale described in this section.
64 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
IT Practitioner Guide (ISACA 2009b) for guidance. Our scale development approach is based on Hinkin’s (1998) survey scale development process. Hinkin (1998) suggests five methodological steps starting with item generation, followed by
questionnaire administration, item reduction, validity check, and generalization using an independent sample. The first two
steps are described below and the subsequent two steps (item reduction and validity check) are described in the ‘‘Results’’ section. As will be discussed shortly, our sample is not independent; thus, we cannot reproduce the final step, generalization.
A firm can carry out various IT risk management practices representing different categories of IT risks. As mentioned
above, this study focuses on two different types of IT risk categories and the corresponding IT risk scenarios and management
practices introduced in the Risk IT Framework (ISACA 2009a) and Risk IT Practitioner Guide (ISACA 2009b): benefit/ value enablement risk category and operations/service delivery risk category. The Risk IT Framework identifies best practice management activities that should be undertaken to manage certain types of IT risks. Given the varying categorizations in the
extant literature, the items used to measure the maturity of IT risk management practices are identified based on this framework
as it provides us with a well-defined item domain (i.e., a population of items from which a sample of items can be selected to
reliably represent the theoretical construct). The Framework’s Practitioner Guide provides 36 risk scenarios. Based on these scenarios, an initial list of 18 items was selected to represent the benefit/value enablement risk management practices and 15
items were selected to represent operations/service delivery risk management practices. Since some risk management practices
were applicable to both risk categories, those items were placed in the most prominent risk category. 9
However, items that had
an equal weight on both categories of risk management practices were disregarded. Further, some items were modified to reflect
broad activities that are not specific to an application or a situation. This process reduced the initial list to 24 items; 12 items
reflecting best practices that could be performed to mitigate benefit/value enablement risks and another 12 items reflecting best
practices that could be performed to mitigate operations/service delivery risks. 10
See Appendix A for a link to the downloadable
copy of the instrument including the scale items.
Consistent with the terminology outlined in the Risk IT Framework (ISACA 2009a), the maturity of IT risk management practices is defined as the extent to which management performs particular activities to identify, assess, monitor, and respond to
IT-related risks (KPMG 2013). The Risk IT Framework contains maturity-level profiles with descriptions of their possible states. There are six maturity levels (0¼Non-existent, 1¼Initial/ad hoc, 2¼Repeatable but intuitive, 3¼Defined process, 4¼ Managed and measurable, and 5¼Good practices are followed), representing an ordinal scale. Since the descriptions of levels may have different meanings to differing groups, a set of universally understood descriptions are required to measure the
maturity of the process and to eliminate ambiguity due to varying interpretations. 11
Further, by identifying a set of observable
variables that represent the theoretical construct and measuring them on a repeatable and less ambiguous scale, we can achieve
more consistency and reliability of the measurement instrument. Therefore, we used a seven-point Likert scale, ranging from
never to always, to measure the maturity of risk management processes (i.e., the extent to which the activities are carried out). 12
The respondents were asked to indicate how often a given management activity is performed and/or communicated.
Consequently, a management practice that is always performed implies a high level of maturity. The initial questionnaire was
administered to practitioners, faculty members, and doctoral students to review the items for accuracy, relevance, grammar, and
appearance of bias and/or offensive language. No major changes were made at this stage.
CIO Reporting Structure
The CIO reporting structure indicates the position to which the CIO directly reports. Raghunathan and Raghunathan (1989)
operationalize CIO reporting structure by dividing firms into three groups based on whether the CIO directly reports to the
CEO, whether the CIO is two ranks below the CEO, or whether the CIO is three or more ranks below the CEO. Since the actual
number of ranks the CIO is below the CEO or the CFO is not important in our study, the CIO reporting structure is
operationalized as a dummy variable (CIO_CEO) and set to 1 if the CIO reports to the CEO, and 0 if otherwise. Likewise, CIO_CFO is set to 1 if the CIO reports to the CFO, and 0 if otherwise.
9 The practitioner guide characterizes these items by risk category using primary and secondary risk classifications. For example, ‘‘involve other departments in the selection of IT investments’’ (ISACA 2009b) has benefit/value enablement as the primary category and operations/service delivery as a secondary category. Further, the use of the Risk IT Framework (ISACA 2009a) for item generation helps ensure construct validity regarding domain sampling and parsimony. We also tested for vagueness of the items by obtaining feedback from one IT faculty and two doctoral students.
10 Hinkin (1998) suggests that one issue in scale development is to maintain parsimony without restraining domain sampling. He suggests that scales with too many items may create problems. However, he does not provide a rule of thumb but, rather, suggests that the appropriate length should be based on the reliability of the construct.
11 The downside of using an ordinal scale in scale development is that they lack equidistance between the ranks (i.e., the distance between 0 and 1 is not the same as the distance between 1 and 2 [Crocker and Algina 2008]). Furthermore, the ordinal scale implies an end point as optimal. However, a Likert scale provides two end points in a continuum; thus, it is implied that the distance between any two given adjacent points is equal.
12 Hinkin (1998) mentions that Likert scales are the most frequently used and the most useful in behavioral research (relative to any other scale type) and suggests the use of a five or more point scale accessing the frequency in the use of behavior.
IT Governance and the Maturity of IT Risk Management Practices 65
Journal of Information Systems Volume 31, Number 1, 2017
Board Leadership Structure (BLS)
Board leadership structure is also operationalized using a dummy variable. BLS_C is set to 1 if the CEO is the chairman of the board, and 0 if otherwise.
Participants and Data Collection
The participant pool consists of experienced IT professionals. Participants were qualified to participate in the full study, in
part, based on whether the current or previous firm they work for has a board of directors. They were asked to report on IT risk
management practices of their current or previous firm (if they held the position within the past five years). Qualified
participants have titles such as IT manager, IT director, senior vice president of IT, chief technology officer, IT security officer,
etc. Further, each participant was asked to report his or her firm’s management reporting structure, the board leadership
structure, and demographic variables. A link to the online survey was made available to ISACA members on the association’s
website. 13
ISACA members were informed of the availability of the survey link via a monthly email newsletter. Additionally, a
personal email was sent through LinkedIn to ISACA members and other IT professionals requesting participation. Participation
in the survey was voluntary.
Approximately 2,000 emails were sent out and 265 people began the survey. 14
Responses were eliminated for the
following reasons: 5 participants did not qualify to complete the survey; 2 participants did not give consent; 71 responses were
incomplete; and 28 responses came from outside the U.S. Further, one response was deleted as the accuracy of the response
was questionable; the participant worked for a public company, but indicated there was no board of directors. The final sample
consists of 158 responses. On average, participants took 26 minutes to complete the survey.
IV. RESULTS
Descriptive Statistics
Table 1 presents the descriptive statistics of the participants based on the industry (Panel A), current position (Panel B),
type of firm (Panel C), firm size (Panel D), risk management and/or quality control frameworks implemented in the firm (Panel
E), and whether the firm has a board of directors (Panel F). The majority are from various service industries (30.4 percent),
followed by healthcare (22.8 percent), technology (16.5 percent) and banking (12.0 percent). Approximately 55 percent are
employed in an IT manager or a senior executive position such as a CIO, CTO, etc. Further, 24 participants (15.2 percent) work
as a consultant. The remaining participants reported various IT-related job titles such as systems analyst, internal/external IT
auditor, database administrator, business analyst, IT governance manager, and IT security officer.
Forty-five participants (33.6 percent) work for a public company, whereas 62 (46.3 percent) work in private firms. 15
Of
these 62 participants, 53 have a board of directors, as do 8 out of 12 respondents who work for a governmental agency. All nine
participants from the non-profit sector indicate that their firm has a board of directors. Overall, 140 of 158 (88.6 percent) report
that their workplace has a board. The majority of participants (67.7 percent) represent large firms with more than 1,000
employees (Panel D). This finding was expected, as the survey targeted people from firms with a board. Only 21 participants
(13.3 percent) work for a small firm (less than 100 employees). Further, 25 indicate that their firm has not implemented a risk
management or quality control framework. The COSO ERM framework (used by 60) is most commonly cited for risk
management, while ISO 27001 is the most commonly used as a quality control framework (33 participants). Some participants
work for firms that use multiple frameworks.
Table 2 presents descriptive statistics based on demographic information of the participants. As indicated in Panel A, 84.8
percent are male. The majority of participants (74.7 percent) have more than 15 years of IT-related work experience, as
represented in Panel B. As indicated in Panel C, 61 participants (38.6 percent) have completed some post-graduate work, and
all but six have completed at least an undergraduate degree. Panel D indicates that most participants do not have an accounting
degree. Overall, 88 indicate having an information systems or computer science-related education.
13 ISACA members are IT professionals covering a wide range of disciplines, such as IT assurance, control, security, governance, and risk. Thus, these participants should be familiar with the Risk IT Framework (ISACA 2009a) and IT risk management in general.
14 Based on the emails sent out the response rate is approximately 13.2 percent. The actual response rate is not known and may be considerably less. We do not know how many of the participants responded because the email was sent through ISACA. Walston, Lissitz, and Rudner (2006) and Fan and Yan (2010) provide a detailed analysis of response rates and conclude that web surveys yield lower response rates. The response rate may be due to the length of the survey, but it fits in the range of recent surveys of high-ranking IT professionals (e.g., Pinsker and Felden’s [2016] 0.95 percent response rate and Son and Benbasat’s [2007] 22 percent response rate).
15 The 24 consultants are not asked to report the type of firm for their employer. Instead, they are asked to report whether the most recent client has a board of directors. Twenty-one out of the 24 consultants report that the client has a board of directors.
66 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
TABLE 1
Descriptive Statistics
Panel A: Participants by Industry
n %
Banking 19 12.0
Healthcare 36 22.8
Technology 26 16.5
Manufacturing 9 5.7
Retail 4 2.5
Construction 3 1.9
Utilities 4 2.5
Transportation 6 3.8
Distribution 3 1.9
Other 48 30.4
158 100.0
Panel B: Participants by Position
n %
Business Analyst 2 1.3
Consultant 24 15.2
Database Administrator 1 0.6
Internal Auditor 10 6.3
IT Manager 23 14.6
Network Analyst 5 3.2
Programmer 3 1.9
Senior IT Management (CIO, CTO, etc.) 64 40.5
Systems Analyst 4 2.5
Other 22 13.9
158 100.0
Panel C: Participants by Type of Firm
n %
Public 45 33.6
Private 62 46.3
Government 12 8.9
Non-Profit 9 6.7
Other 6 4.5
134 a
100.0
a 24 consultants are not included.
Panel D: Participants by Firm Size
n %
Less than 100 employees 21 13.3
Between 100 and 499 19 12.0
Between 500 and 999 11 7.0
Over 1,000 employees 107 67.7
158 100.0
(continued on next page)
IT Governance and the Maturity of IT Risk Management Practices 67
Journal of Information Systems Volume 31, Number 1, 2017
Scale Analysis
This section explains item correlations, factor analysis, reliability, and validity of scale development for the maturity of IT
risk management practices. The Pearson correlation matrices are presented in Tables 3, 4, and 5. Table 3 displays item
correlations between benefit/value enablement risk management practices; Table 4 displays item correlations between
operation/service delivery IT risk management practices; and Table 5 displays item correlations between benefit/value
enablement IT risk management practices and operations/service delivery IT risk management practices. All correlations are
significant ( p , 0.01). Since any one management practice can influence other management practices, the high correlation
among items is expected.
We conduct a common factor analysis ( principal axis factoring) in order to determine whether the items load as expected
on the two categories of risk management practices. The analysis was conducted on 158 responses using a pairwise deletion
and orthogonal rotation. Two factors emerge (Eigenvalue . 1) as expected for benefit/value enablement and operations/service
delivery risk management practices. 16
We conduct another common factor analysis using only the senior executives and IT manager responses (n¼87), as they are in a better position to evaluate the maturity of IT risk management practices. The item loadings are displayed in Table 6
(CIO and IT manager columns). The following five items do not load in either category and are removed from further analysis:
(1) analyze the adequacy of existing technology to meet operational needs (BV_1); (2) analyze emerging technologies and their
impact on operations (BV_5); (3) follow a formal process to select IT suppliers (OS_1); (4) follow a formal process to monitor
IT supplier service quality (OS_2); and (5) appropriately monitor and manage service desk activity (OS_10). The ten benefit/
value enablement and nine operations/service delivery items included in the subsequent analysis are BV_2, BV_3, BV_4, BV_
6, BV_7, BV_8, BV_9, BV_10, BV_11, BV_12, OS_3, OS_4, OS_5, OS_6, OS_7, OS_8, OS_9, OS_11, OS_12 (see Table 6
for variable names).
Total variance explained by the two factors is 62.92 percent. The operations/service delivery risk management practices
factor explains the majority of the variance (55.59 percent). This finding is consistent with managers paying more attention to
reducing straightforward IT risks related to operations/service delivery rather than the more complex and abstract IT risks
TABLE 1 (continued)
Panel E: Participants Working for a Firm that has Implemented a Risk Management and/or Quality Control Framework
n b
%
ERM 60 37.9
COSO Internal Control—Integrated Framework 36 22.8 COBIT 31 19.6
ISO 9000 15 9.5
ISO 27001 33 20.9
ISO 31000 8 5.1
Other 26 16.4
None 25 15.8
b The participants reported all frameworks implemented in their firm; thus, the total does not equal 158.
Panel F: Participants Representing Firms with or without a Board of Directors
n Percentage
Has a board of directors 140 88.6
No 17 10.8
Do not know 1 0.6
158 100.0
16 Total variance explained by the two factors is 61.63 percent. The operations/service delivery risk management practices factor explains the majority of the variance (55.69 percent). The Cronbach’s alpha values for benefit/value enablement and operations/service delivery risk management practices are 0.941 and 0.946, respectively.
68 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
associated with strategy. Considering that the program/project related IT risk management practices are excluded, the variance
explained by the two factors is sizable.
The Cronbach’s alpha values for benefit/value enablement risk management practices and operations/service delivery risk
management practices are 0.929 and 0.947, respectively. The subsequent analysis is based on the factor structure derived from
analyzing the IT manager and senior IT executive responses. Thus, only the 19 items were selected to test the hypotheses.
Hypothesis Testing
We conduct a Univariate Analysis of Variance (ANOVA) in order to determine whether there are significant differences in
IT risk management practices for various reporting structures discussed in H1 and H2 (see Table 7). Then, we compare the
means to observe whether the maturity of IT risk management practices are significantly higher/lower for the given reporting
structures appearing in both hypotheses. Only the participants who work for a firm with a board of directors were selected for
this analysis (n¼140). The dependent variable, IT risk management practices (benefit/value enablement and operations/service delivery), was obtained by summing the item scores obtained from scale development and dividing by the number of items.
TABLE 2
Sample Distribution Based on Demographics
Panel A: Gender
n %
Male 134 84.8
Female 24 15.2
Total 158 100.0
Panel B: Number of Years of Work Experience
n %
1, to . 5 2 1.3
5, to . 10 13 8.2
10 , to .15 25 15.8
15, to . 30 91 57.6
30 or more 27 17.1
Total 158 100.0
Panel C: Highest Level of Education
n %
High School 6 3.8
Undergraduate Degree 40 25.3
Graduate Degree 51 32.3
Post Graduate Degree 56 35.4
Doctoral Degree 5 3.2
158 100.0
Panel D: Undergraduate Background
na
Undergraduate major/minor in accounting 15
Undergraduate major/minor in management 39
Undergraduate major/minor in engineering 29
Undergraduate major/minor in computer science/IT/MIS 88
Undergraduate major/minor in other 38
a The participants reported their undergraduate major and also minor if applicable; hence, the total does not equal 158.
IT Governance and the Maturity of IT Risk Management Practices 69
Journal of Information Systems Volume 31, Number 1, 2017
Therefore, the scores are based on ten benefit/value enablement items and nine operations/service delivery items (based on the
factor analysis [n ¼ 87] presented in Table 6). For H1a and H1b, we analyze the maturity of risk management practices and the individual that the CIO reports to. Among
our participants, 85 work for firms where the CIO reports to the CEO, 32 CIOs reported to the CFO, and 23 CIOs reported to
someone else. For H1a, the results indicate that the benefit/value enablement IT risk management practices are significantly
higher for firms where the CIO reports to the CEO versus when the CIO reports to any other executive (mean ¼ 5.635 and 5.033, respectively; F ¼ 8.437; p ¼ 0.004). The total variance explained by this model is 5.1 percent.
We conduct a multivariate analysis of variance (MANOVA) using the ten items and find that when the CIO reports to the
CEO, there is greater risk management maturity for seven of the ten items (BV_2 mean ¼ 5.707 and 5.151, p ¼ 0.060; BV_3 mean¼5.890 and 5.113, p¼0.006; BV_4 mean¼5.671 and 5.169, p¼0.084; BV_6 mean¼6.109 and 5.415, p¼0.005; BV_ 7 mean¼5.817 and 4.962, p¼0.002; BV_10 mean¼5.829 and 5.339, p¼0.036; BV_12 mean¼5.305 and 4.453, p¼0.005) at a 0.10 significance level. These untabulated results suggest that firms have better business/IT alignment when the CIO reports
to the CEO rather than any other executive and corroborate the ANOVA tests using the composite score and support H1a.
Overall, our evidence indicates that benefit/value enablement IT risk management practices are greater for firms where the CIO
reports to the CEO rather than any other executive.
When considering H1b, results in Table 7 indicate that there are no group differences in the maturity of operations/service
delivery IT risk management practices for firms in which the CIO reports to CFO (n ¼ 32) versus for firms in which the CIO reports to any other executive (n¼108, F¼2.164; p¼0.14). We conduct another MANOVA using the nine risk practices and
TABLE 3
Pearson Correlations Items for Benefit/Value Enablement Risk Management Practices
(n ¼ 158)a
Item Description BV_1 BV_2 BV_3 BV_4 BV_5 BV_6 BV_7 BV_8 BV_9 BV_10 BV_11
BV_1 Analyze the adequacy of existing
technology to meet operational
needs
1
BV_2 Assess the strategic alignment of IT
and IT risks
0.596
BV_3 Follow a formal process to prioritize
IT investments
0.500 0.652
BV_4 Involve other departments in the
selection of IT investments
0.413 0.517 0.480
BV_5 Analyze emerging technologies and
their impact on operations
0.790 0.629 0.506 0.418
BV_6 Have and follow a system of
accountability for managing IT
projects
0.602 0.739 0.655 0.477 0.611
BV_7 Use a technology infrastructure plan
that is in alignment with strategic
and tactical goals
0.704 0.639 0.563 0.445 0.626 0.598
BV_8 Communicate appropriately between
IT and other business units
0.595 0.575 0.421 0.479 0.536 0.484 0.678
BV_9 Facilitate a process where business
units can take ownership of the
system and data
0.533 0.590 0.453 0.464 0.471 0.535 0.568 0.690
BV_10 Supervise IT personnel to ensure that
roles and responsibilities are
properly exercised
0.569 0.585 0.439 0.463 0.579 0.612 0.672 0.650 0.612
BV_11 Clearly communicate IT objectives to
key users
0.524 0.569 0.472 0.442 0.566 0.562 0.651 0.686 0.594 0.562
BV_12 Use performance metrics to evaluate
IT investments
0.574 0.661 0.509 0.453 0.587 0.689 0.649 0.475 0.561 0.520 0.620
a All correlations are significant at the 0.01 level (two-tailed).
70 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
TABLE 4
Pearson Correlations Items for Operations/Service Delivery Risk Management Practices
(n ¼ 158)a
Item Description OS_1 OS_2 OS_3 OS_4 OS_5 OS_6 OS_7 OS_8 OS_9 OS_10 OS_11
OS_1 Follow a formal process to select IT
suppliers
1
OS_2 Follow a formal process to monitor IT
supplier service quality
0.808
OS_3 Implement security measures to secure
physical IT assets
0.573 0.547
OS_4 Have and follow an established plan
for maintaining software
0.607 0.667 0.687
OS_5 Follow formal change management
procedures
0.531 0.548 0.498 0.601
OS_6 Periodically evaluate the integrity of
data configurations
0.448 0.582 0.468 0.595 0.555
OS_7 Follow a software quality assurance
plan
0.493 0.663 0.530 0.701 0.504 0.615
OS_8 Periodically test the validity of
transaction processes
0.565 0.643 0.594 0.604 0.511 0.647 0.675
OS_9 Verify that system outputs are handled
in an authorized manner
0.548 0.625 0.509 0.547 0.619 0.666 0.648 0.776
OS_10 Appropriately monitor and manage
service desk activity
0.397 0.401 0.532 0.453 0.467 0.365 0.507 0.485 0.515
OS_11 Monitor system performance against
established metrics
0.470 0.553 0.569 0.601 0.547 0.534 0.696 0.681 0.677 0.519
OS_12 Configure controls during hardware
and software updates
0.475 0.546 0.596 0.649 0.542 0.596 0.753 0.685 0.645 0.636 0.642
a All correlations are significant at the 0.01 level (two-tailed).
TABLE 5
Pearson Correlations among Benefit/Value Enablement and Operations/Service Delivery Risk Management Practices (n ¼ 158)a
BV_1 b
BV_2 BV_3 BV_4 BV_5 BV_6 BV_7 BV_8 BV_9 BV_10 BV_11 BV_12
OS_1 b
0.572 0.506 0.516 0.358 0.533 0.546 0.623 0.462 0.529 0.501 0.465 0.571
OS_2 0.570 0.557 0.481 0.330 0.536 0.642 0.622 0.496 0.583 0.543 0.470 0.620
OS_3 0.469 0.449 0.330 0.342 0.459 0.416 0.563 0.475 0.466 0.532 0.442 0.479
OS_4 0.574 0.548 0.400 0.300 0.586 0.519 0.634 0.528 0.508 0.601 0.528 0.554
OS_5 0.438 0.429 0.410 0.275 0.452 0.522 0.417 0.471 0.455 0.430 0.442 0.517
OS_6 0.462 0.596 0.424 0.378 0.580 0.601 0.474 0.535 0.453 0.533 0.507 0.542
OS_7 0.523 0.588 0.465 0.373 0.483 0.606 0.604 0.504 0.538 0.628 0.561 0.625
OS_8 0.478 0.506 0.413 0.364 0.537 0.538 0.556 0.436 0.499 0.555 0.500 0.554
OS_9 0.496 0.515 0.379 0.365 0.546 0.587 0.496 0.527 0.565 0.610 0.522 0.522
OS_10 0.613 0.375 0.424 0.319 0.533 0.462 0.484 0.434 0.384 0.527 0.458 0.432
OS_11 0.525 0.509 0.347 0.383 0.501 0.516 0.560 0.491 0.533 0.540 0.505 0.600
OS_12 0.584 0.523 0.492 0.399 0.572 0.559 0.611 0.492 0.459 0.625 0.515 0.489
a All correlations are significant at the 0.01 level (two-tailed).
b See Tables 3 and 4 for item descriptions.
IT Governance and the Maturity of IT Risk Management Practices 71
Journal of Information Systems Volume 31, Number 1, 2017
find that operations/service delivery is not greater when the CIO reports to any other executive except for one risk practice (OS_
12 mean¼5.000 and 5.620; p¼0.045). Therefore, we cannot conclude that risk maturity for operations/service delivery IT risk management practices is higher when the CIO reports to the CFO.
Recall for H2 that we predict that a CEO separate from the chairman of the board will result in more mature risk
management practices than if there is a dual role. We report ANOVA results in Table 7 for all 19 risk measures in one
composite score. We also separately analyze the benefit/value enablement and operations/service delivery risks. We do not find
differences in any aspect of maturity for firms that do and do not combine the CEO and chairman of the board roles (n¼116, F ¼ 0.16; p ¼ 0.69 for the composite risk; F ¼ 0.011; p ¼ 0.915 for benefit/value enablement and F ¼ 0.466; p ¼ 0.496 for
TABLE 6
Factor Loadings for Benefit/Value Enablement and Operations/Service Delivery
Item Description
Full Sample (n ¼ 158)
Senior IT Executives and IT Managers
(n ¼ 87)
Operations/ Service
Delivery
Benefit/ Value
Enablement
Operations/ Service
Delivery
Benefit/ Value
Enablement
BV_1 Analyze the adequacy of existing technology to meet
operational needs
0.407 0.666 0.195 0.368
BV_2 Assess the strategic alignment of IT and IT risks 0.336 0.757 0.322 0.712
BV_3 Follow a formal process to prioritize IT investments 0.244 0.661 0.202 0.624
BV_4 Involve other departments in the selection of IT
investments
0.205 0.569 0.110 0.660
BV_5 Analyze emerging technologies and their impact on
operations
0.426 0.640 0.314 0.420
BV_6 Have and follow a system of accountability for managing
IT projects
0.419 0.687 0.320 0.652
BV_7 Use a technology infrastructure plan that is in alignment
with strategic and tactical goals
0.438 0.702 0.332 0.571
BV_8 Communicate appropriately between IT and other business
units
0.378 0.642 0.294 0.569
BV_9 Facilitate a process where business units can take
ownership of the system and data
0.413 0.599 0.228 0.596
BV_10 Supervise IT personnel to ensure that roles and
responsibilities are properly exercised
0.511 0.574 0.454 0.563
BV_11 Clearly communicate IT objectives to key users 0.392 0.633 0.297 0.701
BV_12 Use performance metrics to evaluate IT investments 0.458 0.622 0.372 0.553
OS_1 Follow a formal process to select IT suppliers 0.522 0.493 0.295 0.236
OS_2 Follow a formal process to monitor IT supplier service
quality
0.627 0.472 0.484 0.316
OS_3 Implement security measures to secure physical IT assets 0.644 0.321 0.561 0.250
OS_4 Have and follow an established plan for maintaining
software
0.696 0.401 0.617 0.262
OS_5 Follow formal change management procedures 0.614 0.321 0.635 0.169
OS_6 Periodically evaluate the integrity of data configurations 0.603 0.419 0.778 0.264
OS_7 Follow a software quality assurance plan 0.712 0.411 0.722 0.393
OS_8 Periodically test the validity of transaction processes 0.786 0.298 0.766 0.264
OS_9 Verify that system outputs are handled in an authorized
manner
0.753 0.336 0.707 0.246
OS_10 Appropriately monitor and manage service desk activity 0.509 0.385 0.303 0.189
OS_11 Monitor system performance against established metrics 0.712 0.341 0.618 0.261
OS_12 Configure controls during hardware and software updates 0.714 0.387 0.698 0.373
Benefit/value enablement risks (BV)¼risks associated with missed opportunities to use technology to improve the effectiveness and efficiency of business processes; and operations and service delivery risks (OS)¼ risks associated with the performance of IT systems and services such as service interruptions, compliance, and security.
72 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
operations/service delivery, untabulated). 17
To further understand the results we conduct a MANOVA (untabulated) and find
no differences for any of the 19 items.
Next, we analyze H2 using only participants who work for publicly traded companies. We have 24 observations where the
CEO is the chairman of the board, and 13 where the CEO is separate from the board. The maturity of risk management
practices is higher for firms in which the CEO is the chairman of the board versus for firms in which the CEO is separate from
the chairman of the board (mean¼5.602 and 4.765, respectively; n¼37; F¼4.518; p¼0.041) when we test a composite score for all risk practices. We also find that maturity of risk management practices for benefit/value enablement is higher when there
is CEO/Chairman duality versus when the CEO is separate from the chairman of the board (mean ¼ 5.475 and 4.669, respectively; F ¼ 3.2760.905; p ¼ 0.079). For operations/service delivery risk, we find that maturity is higher when there is duality versus separation (mean ¼ 5.748 and 4.871, respectively; F ¼ 5.234; p ¼ 0.028). Thus, H2 is not supported.
Alternative Explanation
Despite the findings being contrary to the agency perspective hypothesized earlier, and consistent with stewardship theory,
the findings suggests that managers’ intentions are pro-organizational, instead of self-serving (Abels and Martelli 2013).
Stewardship theory identifies management as motivated to operate in the best interest of the shareholders (Davis, Schoorman,
and Donaldson 1997). Thus, when the CEO serves as the chairman of the board of directors, (s)he is able to act in the best
interest of the firm. Adams and Ferreira’s (2007) theoretical model further suggests that having the CEO as the chairman of the
board of directors may have positive consequences on receiving advice from the board. They explain that the board has two
roles, a monitoring role and an advising role, and argue that the CEO faces a trade-off in disclosing information to the board,
because a more informed board is more likely to provide better advice but, at the same time, monitor the CEO more intensively.
Consequently, the CEO may be reluctant to share all information with the board since an independent board is a tougher
monitor. Therefore, Adams and Ferreira (2007) argue that having the CEO be the chairman of the board will lead to better
advising because (s)he will be more motivated to share information with the board of directors.
We argue that the H2 results indicate a stewardship perspective, where the CEO is at liberty to share information related to
IT risks and, hence, receive superior advising from the board to implement better IT risk management practices, which
translates into having more mature IT risk management practices in firms in which the CEO is the chairman of the board. To be
consistent with the earlier analysis, we perform another untabulated MANOVA for all 19 of the risk practices. We find
TABLE 7
Univariate Analysis of Variance
Hypothesis Variable Independent
Variable
Univariate Analysis ofVariance: Main Effect
Mean Difference
of Maturity F p
H1a Benefit/value enablement IT risk
management practice: average
of ten item scores
CIO reports to CEO (n ¼ 85) versus CIO reports to
Other (n ¼ 55)
0.602 8.437 0.004
H1b Operations/service delivery IT
risk management practices:
average of none item scores
CIO reports to CFO (n ¼ 32) versus CIO reports to
Other (n ¼ 108)
�0.344 2.164 0.144
H2 Both benefit/value and
operations/service delivery IT
risk management practices:
average of 19 item scores
CEO is chairman of the
board (n ¼ 74) versus CEO separate from the
chairman (n ¼ 42)
0.089 0.160 0.690
H2
Public
Companies
Both benefit/value and
operations/service delivery IT
risk management practices:
average of 19 item scores
CEO is chairman of the
board (n ¼ 24) versus CEO separate from the
chairman (n ¼ 13)
0.837 4.518 0.041
17 Our sample size is smaller for this test as some participants indicated that they did not know whether the CEO was also the chairman of the board. Those participants were excluded from the current analysis.
IT Governance and the Maturity of IT Risk Management Practices 73
Journal of Information Systems Volume 31, Number 1, 2017
significant differences for nine items (BV_4 mean ¼ 6.091 and 5.077, p ¼ 0.066; BV_6 mean ¼ 5.591 and 4.615, p ¼ 0.091; BV_10 mean ¼ 5.727 and 4.846, p ¼ 0.062; BV_11 mean ¼ 5.318 and 4.077, p ¼ 0.043; OS_4 mean ¼ 5.773 and 4.615, p ¼ 0.024; OS_5 mean¼6.136 and 5.077, p¼0.026; OS_6 mean¼5.682 and 4.692, p¼0.063; OS_7 mean¼5.500 and 4.231, p¼ 0.037; and OS_8 mean ¼ 5.682 and 4.692, p ¼ 0.074) at a 0.10 significance level. The common theme among most of these nine items is that they refer to following formal procedures. Hence we can infer that the firms with CEO/Chairman duality are
better at establishing and following formal IT risk management procedures than firms in which the CEO is separate from the
chairman.
Additional Analyses
This section explains multiple additional analyses for robustness purposes and to glean further insights from our testing. In
separate analyses, we retest our hypotheses by (1) excluding the 25 responses from people who work for firms that do not use a
risk management or quality control framework, (2) excluding the 24 responses from consultants, and (3) including the 28
responses from people working outside of North America. The results from all three analyses are qualitatively similar to our
earlier findings.
We next consider extending our findings with regard to the CIO/CEO reporting relationship. Although we predict that the
maturity of operations/service delivery risks will be greater when the CIO reports to the CFO, our results do not bear this out.
Our H1a results indicate that firms with more mature benefit/value enablement IT risk management practices have the CIO
reporting to the CEO. We now extrapolate the possibility of mature IT risk management practices for the second category of IT
risks: operations/service delivery activities. Interestingly, we find that the maturity of operations/service delivery IT risk
management practices is significantly higher (F ¼ 3.826; p ¼ 0.052) for firms in which the CIO reports to the CEO (n ¼ 85; mean¼5.644) versus any other executive (n¼55; mean¼5.253). This result indicates that attention by the CEO is the primary driver of IT risk maturity, regardless of risk type.
Data show mixed results for reporting structure differences attributed to the operations/service delivery IT risks.
MANOVA tests (untabulated) indicate that the differences are driven by only three of the risk practices (OS_6 mean ¼ 5.481 and 4.939, p¼0.064; OS_7 mean¼5.317 and 4.571, p¼0.012; and OS_12 mean¼5.772 and 5.020, p¼0.004). We speculate that given the regulatory changes brought on by the Sarbanes-Oxley Act and enhanced proxy disclosure requirements, firms
may be increasingly focusing on internal control-related IT risk management practices.
Finally, we re-examine our first set of hypotheses by including industry, type of firm ( public, private, government, non-
profit, and other) and the interaction effects, CIO reporting structure and the type of firm, and CIO reporting structure and
industry, in an attempt to provide more meaningful insights for future research. We find the type of industry a firm operates in
has a significant impact on operations/service delivery IT risk management practices regardless of whether the CIO reports to
the CFO (F¼2.757; p¼0.007) or the CIO reports to the CEO (F¼2.542; p¼0.012). This finding is intuitive since firms that operate in industries heavily reliant on IT are likely to have better operations/service delivery IT risk management practices. We
do not find an interaction effect between the type of firm and CIO/CEO reporting structure on benefit/value enablement risk
management practices ( p . 0.10), but we find a significant interaction effect (F ¼ 2.504; p ¼ 0.047) between the type of firm and CIO/CFO reporting structure for operations/service delivery risk management practices. Our context and research questions
limit the use of these findings; however, researchers interested in firm type differences, industry differences, and nonlinear
relationships related to IT risk management practices should take these initial findings and drill down deeper to provide further
insights.
V. CONCLUSIONS, LIMITATIONS, AND FUTURE RESEARCH
A 2009 SEC requirement mandates firms to report the boards’ leadership structure and the relationship between the board
and its senior management in managing the material risks facing the firm. Further, a recent NACD (2014a) survey indicates 36
percent of board members are not satisfied with the quality of information provided by management on IT risk, and 52 percent
are not satisfied with the quantity of that information. We contend that a firm’s reporting structure and board leadership
structure are major reasons for the communication problems involved when managing IT risk and, therefore, investigate
whether there are differences in the maturity of IT risk management practices based on the CIO reporting structure and CEO/
Chairman of the board duality. We rely on upper echelon theory and strategic choice theory (CIO reporting structure), and
agency theory (CEO/Chairman of the board duality) as our theoretical guidelines.
Before we conduct our testing, we first develop a scale to measure two IT risk management categories (benefit/value
enablement risks and operations/service delivery risks) that are based on conceptual best practices provided in the ISACA’s
(2009a) Risk IT Framework and specific scenarios identified in the Risk IT Practitioner Guide (ISACA 2009b). Ten benefit/ value enablement IT risk management practices and nine operations/service delivery IT risk management practices are
identified and confirmed via factor analysis and reliability testing to measure the maturity of the two IT risk categories using
74 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
responses from IT professionals. We then statistically analyze the maturity of IT risk management practices with regard to
potential CIO reporting relationships and CEO/Chairman of the board duality.
Results indicate that the maturity of benefit/value enablement IT risk management practices is higher for firms where the
CIO reports to the CEO. Additionally, contrary to expectations, we find that the maturity of operations/service delivery risk
practices is higher when the CIO reports to the CEO than when the CIO reports to the CFO. Overall, the findings suggests the
CEO is in the best position to manage IT risks. In multivariate testing we find that specific risk management practices drive the
results of the univariate tests. This finding suggests that the CEO does not equally manage all risk scenarios. Additional
analysis produces two possible reasons why managers only focus on some of the risk management activities: the industry or the
IT dependency of operations. Future research should address ‘‘why’’ this is true by investigating these two possibilities in more
detail.
We do not find significant results when testing the role of CEO/Chairman of the board duality and maturity of IT risk
management practices using the full sample. When only including responses from participants who work for public companies,
we find that IT maturity is higher when there is CEO/Chairman of the board duality. This finding is contrary to the predictions of agency theory where CEO/Chairman duality is discouraged. Alternatively, the surprising finding supports the stewardship
view where the CEO is in a position to obtain better advice from the board. Investigating the reasons for this unexpected finding
represents another interesting opportunity for future research.
Finally, when conducting additional analyses, we find that in some of the risk management practices (four benefit/value
enablement and five operations/service delivery risk management practices) drive our earlier CEO/Chairman of the board
results. This result suggests that the maturity of IT risk management practices are not specific to one category of IT risks when
the CEO is the chairman of the board. Future research has the opportunity to delve deeper into finding out why certain practices
drive the results of each category. The Risk IT Framework (ISACA 2009a) is broad and implies no specific practice drives any other practice. Further investigation into this issue can help enhance that framework or provide additional detail to the Risk IT Practitioner Guide (ISACA 2009b).
Our study has some limitations. There is the possibility of a response bias, which is common to all surveys. Next, the
number of participants who work for public companies, where the boards will be most involved in risk management, is
relatively limited. Small sample sizes limit the analysis that can be done by firm type. Further, related to Hinkin’s (1998) fifth
step, we are not able to obtain an independent sample to validate the scale development. Thus, generalizability of the scale
development is limited.
In addition to the future research opportunities already mentioned, researchers should explore whether the board committee
that oversees IT risk drives the maturity of IT risk management. For example, if the audit committee has responsibility for risk
oversight, IT risk management maturity may be higher when the CIO reports to the CFO, as that CFO will have regular
meetings with the audit committee. Thus, the CIO reporting structure may have an impact on board level and, specifically, audit
committee awareness of IT risk issues. Related research should also investigate whether maturity is dependent on whether risk
oversight is assigned to specific committees (i.e., risk, technology, and audit) or to the entire board.
There are several implications of our research. Our initial contention is that reporting structure can impact how well IT risk
management practices are established in firms. In aggregate, our results support this contention. Specifically, we find that IT
maturity risks are highest when the CIO reports to the CEO. This finding suggests that top management attention is necessary to
establish better IT risk management practices. Further, our results from public companies suggest that IT issues are more likely
to get elevated to the board and, thus, receive greater oversight attention in firms where there is CEO/Chairman of the board
duality. Firms without CEO/Chairman of the board duality may need to implement practices to ensure IT risk issues are
included in the board agenda and in turn get appropriate attention. Finally, the scales developed in this research may be used to
evaluate the maturity of IT risk practices in other research contexts. For example, it may be used in research involving IT
controls and risk practices.
REFERENCES
Abels, P., and J. Martelli. 2013. CEO duality: How many hats are too many? Corporate Governance 13 (2): 135–147. Adams, R., and D. Ferreira. 2007. A theory of friendly boards. The Journal of Finance 62 (1): 217–250.
Ali, S., P. Green, and A. Robb. 2013. Measuring top management’s IT governance knowledge absorptive capacity. Journal of Information Systems 27 (1): 137–155.
Banker, R. D., N. Hu, P. A. Pavlou, and J. Luftman. 2011. CIO reporting structure, strategic positioning, and firm performance. MIS Quarterly 35 (2): 487.
Bart, C., and O. Turel. 2010. IT and the board of directors: An empirical investigation into the ‘‘governance questions’’ Canadian board
members ask about IT. Journal of Information Systems 24 (2): 147–172.
IT Governance and the Maturity of IT Risk Management Practices 75
Journal of Information Systems Volume 31, Number 1, 2017
Breeden, R. 2003. Restoring Trust. Report to the United States District Court for the Southern District of New York, NY. Available at: http://www.law.du.edu/images/uploads/restoring-trust.pdf
Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth effects of announcements of newly created
CIO positions. MIS Quarterly 25 (1): 43–70. Child, J. 1997. Strategic choice in the analysis of action, structure, organizations and environment: Retrospect and prospect. Organization
Studies 18 (1): 43–70. Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management—Integrated
Framework. New York, NY: AICPA. Crocker, L., and J. Algina. 2008. Introduction to Classical & Modern Test Theory. Mason, OH: Cengage Learning. Davis, J. H., F. D. Schoorman, and L. Donaldson. 1997. Toward a stewardship theory of management. The Academy of Management
Review 22 (1): 20–47. Debreceny, R. 2013. Research on IT governance, risk, and value: Challenges and opportunities. (Guest editorial). Journal of Information
Systems 27 (1): 129–135. Enns, H. G., S. L. Huff, and C. A. Higgins. 2003. CIO lateral influence behaviors: Gaining peers’ commitment to strategic information
systems. MIS Quarterly 27 (1): 155–174. Fan, W., and Z. Yan. 2010. Factors affecting response rates of the web survey: A systematic review. Computers in Human Behavior 26:
132–139.
Feeny, D., B. Edwards, and K. Simpson. 1992. Understanding the CEO/CIO relationship. MIS Quarterly 16 (4): 435–448. Gottschalk, P. 1999. Strategic management of IS/IT functions: The role of the CIO in Norwegian organizations. International Journal of
Information Management 19 (5): 389–399. Gupta, Y. 1991. The chief executive officer and the chief information officer: The strategic partnership. Journal of Information
Technology 6: 128–139. Hall, R., T. Keane, C. McConnell, and S. Becker. 2005. The 21st century board: Structure, responsibility, assessment. Journal of
Leadership & Organizational Studies 11 (3): 62–71. Hambrick, D., and P. Mason. 1984. Upper echelons: The organization as a reflection of its top managers. Academy of Management
Review (April): 193–206. Hambrick, D. 2007. Upper echelon theory: An update. Academy of Management Review 32 (2): 334–343. Hinkin, T. 1998. A brief tutorial on the development of measures for use in survey questions. Organizational Research Methods 1: 104–
121.
Huff, S., M. Maher, and M. Munro. 2004. What boards don’t do—but must do—about information technology. Ivey Business Journal Online (September/October): 1–4.
Information Systems Audit and Control Association, Inc. (ISACA). 2009a. The Risk IT Framework. 1–106. Available at: www.isaca.org Information Systems Audit and Control Association, Inc. (ISACA). 2009b. The Risk IT Practitioner Guide. 1–136. Available at: www.
isaca.org
Information Systems Audit and Control Association, Inc. (ISACA). 2012. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. 1–94. Available at: www.isaca.org
Jewer, J., and K. McKay. 2012. Antecedents and consequences of board IT governance: Institutional and strategic choice perspective.
Journal of the Association for Information Systems 13 (7): 581–617. Johnson, A., and A. Lederer. 2007. The impact of communication between CEOs and CIOs on their shared views of the current and future
role of IT. Information Systems Management 24 (1): 85–90. Johnson, A., and A. Lederer. 2010. CEO/CIO mutual understanding, strategic alignment, and the contribution of IS to the organization.
Information & Management 47: 138–149. Jones, M., S. Taylor, and B. Spencer. 1995. The CEO/CIO relationship revisited: An empirical assessment of satisfaction with IS.
Information & Management 29: 123–130. King, W. 2013. Including the CIO in top management. Information Systems Management 25 (2): 188–189. KPMG. 2013. The Transformation of IT Risk Management. Available at: https://www.kpmg.com/US/en/IssuesAndInsights/
ArticlesPublications/Documents/transformating-it-risk-management.pdf
Lindorff, D. 2005. Teaming up to take on SOX. Treasury and Risk Management (May): 25–28. Luftman, J., and R. Kempaiah. 2007. An update on business-IT alignment: ‘‘A line’’ has been drawn. MIS Quarterly Executive 6 (3): 165–
177.
McKeen, J., and H. Smith. 2003. Making IT Happen: Critical Issues in IT Management. Chichester, U.K.: John Wiley & Sons. National Association of Corporate Directors (NACD). 2013. 2013–2014 NACD Public Company Governance Survey. Available at: http://
www.nacdonline.org/survey
National Association of Corporate Directors (NACD). 2014a. 2014–2015 Public Company Governance Survey. Available at: http:// NACDonline.org/Public
National Association of Corporate Directors (NACD). 2014b. Cyber-Risk Oversight Handbook. Available at: http://www.nacdonline.org/ cyber
Parent, M., and B. Reich. 2009. Governing information technology risk. California Management Review 51 (3): 134–152.
76 Vincent, Higgs, and Pinsker
Journal of Information Systems Volume 31, Number 1, 2017
Patel, N. 2002. Emergent forms of IT governance to support global e-business models. Journal of Information Technology Theory and Application 4 (2): 33–48.
Pinsker, R., and C. Felden. 2016. Professional role and normative pressure: The case of voluntary XBRL adoption in Germany. Journal of Emerging Technologies in Accounting (forthcoming).
Preston, D., D. Chen, and D. Leidner. 2008. Examining the antecedents and consequences of CIO strategic decision-making authority: An
empirical study. Decision Science 39 (4): 605–642. PricewaterhouseCoopers (PwC). 2013. PwC Brings Out 2013 Annual Corporate Directors Survey. Available at: http://www.
directorscenter.com/pwc-2013-annual-corporate-directors-survey/
Raghunathan, B., and T. Raghunathan. 1989. Relationship of the rank of information systems executive to the organizational role and
planning dimensions of information systems. Journal of Management Information Systems 6 (1): 111–126. Savidge, J. 2008. Financial aspects of technology management. The CPA Journal 78 (5): 46–48. Securities and Exchange Commission (SEC). 2009. Securities and Exchange Commission Proxy Disclosure Enhancements. Release Nos.
33-9089; 34-61175; IC-29092; File No. S7-13-09. Available at: http://www.sec.gov/news/press/2009/2009-268.htm
Sherer, S., and S. Alter. 2004. Information system risk and risk factors: Are they mostly about information systems? Communications of the Association for Information Systems 14: 29–64.
Smith, H., and J. McKeen. 2009. Developments in practice XXXIII: A holistic approach to managing IT-based risk. Communications of the Association for Information Systems 25: 519–530.
Son, J., and I. Benbasat. 2007. Organizational buyers’ adoption and use of B2B electronic marketplaces: Efficiency- and legitimacy-
oriented perspectives. Journal of Management Information Systems 24 (1): 55–99. Stephens, C. S., W. N. Ledbetter, A. Mitra, and F. N. Ford. 1992. Executive or functional manager? The nature of the CIO’s job. MIS
Quarterly 16 (4): 449. Sutton, S., C. Hampton, D. Khazanchi, and V. Arnold. 2008. Risk analysis in extended enterprise environments: Identification of critical
risk factors in B2B e-commerce relationships. Journal of the Association for Information Systems 9 (3/4): 151–174. Taylor, H., E. Artman, and J. Woelfer. 2012. Information technology project risk management: Bridging the gap between research and
practice. Journal of Information Technology 27: 17–34. Turel, O., and C. Bart. 2014. Board-level IT governance and organizational performance. European Journal of Information Systems 23:
223–239.
Walston, J., R. Lissitz, and L. Rudner. 2006. The influence of web-based questionnaire presentation variations on survey cooperation and
perceptions of survey quality. Journal of Official Statistics 22 (2): 271–291. Weismantel, G. 2007. Building CFO-CIO bonds through performance management. Business Performance Management (August): 14–
17.
Wilkin, C., and R. Chenhall. 2010. A review of IT governance: A taxonomy to inform accounting information systems. Journal of Information Systems 24 (2): 107–146.
APPENDIX A Measurement Items
Online Appendix: http://dx.doi.org/10.2308/isys-51365.s01
IT Governance and the Maturity of IT Risk Management Practices 77
Journal of Information Systems Volume 31, Number 1, 2017
Copyright of Journal of Information Systems is the property of American Accounting Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.