How Boards Realise IT Governance Transparency: A Study Into Current Practice of the COBIT EDM05 Process

In our increasingly digitised economy, IT has become fundamental to support, sustain and grow organisations. Successful organisations leverage the potential of digital innovation and understand and manage the risk and constraints of technology.¹

Previously, the governing board could delegate, ignore or avoid IT-related decisions, but the disruptions from new technologies (e.g., cloud, Internet of Things, big data) are increasingly being felt at the board level. Emerging research calls for more board-level engagement in enterprise governance of IT and identifies serious consequences for digitised organisations in case the board is not involved.² Yet, it appears that enterprise-technology governance competence remains the ‘elephant in the boardroom’ for more than 80 percent of boards of directors (BoDs).³

In this context, a co-created research project was established by the Antwerp Management School, Cegeka, KPMG and Samsung, to focus on the role of the BoD in governance of enterprise IT (GEIT). The 2015–2018 research project explores contemporary best practices and competencies for BoD involvement in IT to realise technological innovation potential and ensure control over the associated risk. By offering BoDs a clearer path to reach their IT governance objectives, the project aims to strengthen their involvement and obtain a true end-to-end GEIT.

This article reports on one of the investigations being done, specifically, how nonexecutive boards are reporting on their accountability for IT in their yearly reports. As such, it immediately relates to the COBIT 5 Evaluate, Direct and Monitor (EDM) process EDM05 Ensure stakeholder transparency, which expects the board to ‘make sure that the communication (on IT governance) to stakeholders is effective and timely and that the basis for reporting is established to increase performance’.⁴

From this research, it appears that, notwithstanding the pervasive role of IT, the disclosure on IT governance is still limited and rather focused on reactive elements—for example, in response to IT-related risk events happening. More reporting in high IT-intense sectors, as well as in publicly listed companies was observed. The latter is probably a result of investors being more willing to invest more in organisations that have their digitised assets under control.

The research leads to the belief that as the dependency on IT continues to grow within all industries, IT governance disclosure might well become a critical piece of the nonfinancial information in most annual reports. As such, BoDs will become increasingly incentivised to disclose on the matter and will, therefore, demonstrate greater expectations for reporting by executive management toward them (e.g., IT performance/compliance reports, IT risk scenarios and events, IT value delivery). This research will supply examples from the field for boards and executive management to set up and operate an adequate disclosure strategy.

Why Governing Boards (Should) Provide Transparency Around IT Governance

In their 2014 empirical study, Turel and Bart⁵ concluded that ‘High levels of board-level IT governance, regardless of existing IT needs, increased organizational performance’, clearly demonstrating the importance of BoDs taking up their accountability for IT. They concluded that boards should not shy away from governing and controlling the IT assets for their organisations to approach IT more strategically, identify overlooked opportunities and, ultimately, achieve superior performance in the digitised economy.

Next to such empirical findings, more theoretical research in IT governance has clearly advocated for the importance of IT governance communications to external stakeholders of the firm.^{6, 7} This theoretical underpinning, rooted in voluntary disclosure theory and agency theory, predicts that firms can improve their liquidity and firm valuation through better information intermediation, enhance market reputation, and reduce both litigation costs and the cost of capital.⁸

Notwithstanding the empirically and theoretically demonstrated importance of IT governance disclosure, other studies point out that, on average, the involvement of boards in GEIT is low and that boards should become more IT-savvy to be able to govern the digitised organisation. Andriole published an article in this context in 2009 that reported on the ‘surprisingly’ low maturity of boards in this area.⁹ Valentine concluded that less than 20 percent of corporate boards worldwide report having enterprise-technology-capable directors.¹⁰ In conclusion, boards need to extend their governance accountability from a single focus on finance and legal as proxy to corporate governance to include technology. In this way, they can provide digital leadership and organisational capabilities to ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.

How COBIT 5 Stresses the Need for IT Governance Transparency

This conclusion was confirmed by ISACA with the release of its COBIT 5 process model in 2012 (see COBIT 5: Enabling Processes). In this overarching approach, COBIT 5 identifies 37 processes spread over a governance and a management domain. The five governance processes (figure 1) are the board’s responsibilities in IT, covering setting the governance framework; handling responsibilities in terms of value (e.g., investment criteria), risk (e.g., risk appetite) and resources (e.g., resource optimisation); and providing transparency regarding IT to the stakeholders. The latter process addresses the key topic of this article, which COBIT describes as the process required ‘to ensure that enterprise IT performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and the necessary remedial actions’.¹¹

Research on IT Governance Transparency in Belgium

To gain insight into current IT governance transparency practices, researchers analysed the publicly available annual reports of 12 Belgian companies. The nonfinancial information on these reports was expected to contain information on IT governance practices as part of the overall corporate governance measures.

As the IT governance disclosure rate would unavoidably vary among the companies selected, the companies were clustered (figure 2) to deduce whether those within transform industries, in which IT profoundly alters traditional ways of doing business by redefining business processes and relationships, disclose more on IT governance as opposed to organisations in nontransform industries.¹² Secondly, researchers observed whether those that are publicly listed disclose more than those that are not, because they are incentivised to do so by the market. While testing both propositions, examples of language and narratives that could be considered as a good practice of IT governance disclosure were captured.

With regard to the rate and content of IT governance disclosure, the researchers were interested in knowing which topics make it into the annual reports and which do not. The framework used to determine the rate and content of the IT governance disclosure is one recently proposed in academic literature.¹³ This disclosure framework proposes that nonexecutive boards can report on four areas of concern: IT strategic alignment, IT value delivery, IT risk management and IT performance management. In each of these domains, expected reporting items were derived from literature, as follows:

• For IT risk management, items on the information security plan and policy were expected.
• For IT performance management, explicit information on IT expenditure was captured.
• For IT value management, elements relating to IT project updates were sought.
• For IT strategic alignment, information was sought regarding the position of the chief information officer (CIO) and the existence of an IT steering committee.

Reporting rates were reviewed; hence, these results are by no means an indication of what really was present in the organisation, but only what was reported.

Research Observations

In general, a low average reporting rate on IT governance was observed. Firms report most in the domains of IT risk management and IT performance measurement (figure 3). Surprisingly, IT strategic alignment is the least disclosed category among the organisations in the sample. These results indicate that there is room for improvement in overall IT governance transparency in annual reports. Academic literature clearly suggests the potential benefits of disclosure on nonfinancial aspects in general and IT governance-related aspects in particular, providing firms with a clear incentive to consider increasing their IT governance disclosure.

As mentioned, the IT usage intensity within the industry (transform vs. nontransform) could have an impact on the IT governance disclosure rate. By comparing the transform and nontransform groups of companies (while keeping their reporting context the same—all listed companies in Belgium), a difference in the overall disclosure rate was determined. Transform listed companies had an average reporting rate of 35 percent, whereas nontransform listed companies were at 14 percent.

With an overall disclosure rate of 35 percent to 26 percent (all transform Belgian companies), listed companies have a better overall disclosure rate than companies not listed. The reasons for this can be found in prior research, which states that disclosing nonfinancial information can improve a firm’s valuation on the stock market. This incentivises companies to explicitly mention practices with a known valuation impact such as having a dedicated CIO¹⁴ or investing in IT (when in a transform industry).¹⁵

A Call to Action for Governing Boards

When considering the potential valuation impact of IT and the relatively unexplored nature of IT governance at the corporate level, this type of research can be valuable to governing boards and executive committees to establish the right questions to ask their direct reports. Chances are high that practices are in place that are not reported on, which is a missed opportunity to convince stakeholders of the governance system. Formalised practices will enable boards and executive committees to take preventive action, detect deficiencies and take mitigating action, enabling them to show that they are, indeed, in control of IT at a strategic level.

This research on the annual reports of Belgian companies showed that IT governance disclosure is generally rather low and might be indicative of the IT governance maturity at the executive and/or nonexecutive level. As IT risk and IT opportunities continually increase and stakeholders rely on nonfinancial information given to them to valuate the firm, BoDs and executive committees are incentivised to take up their IT governance role and report on it.

A high degree of board involvement in IT governance has a positive effect on organisational performance (internal perspective), and the general principle of reporting nonfinancial information, as well as certain IT governance practices, is known to have a positive effect on the valuation of a firm (external perspective). A convincing case can be made that further analysis will enable researchers to identify more good practices, provide benchmarking information to determine an ambition level suitable to the individual context of each firm, and establish a formal set of practices that can be implemented to enable better organisational performance and reporting that satisfies stakeholder needs.

Endnotes

¹ De Haes, S.; W. Van Grembergen; Enterprise Goverance of IT: Achieving Alignment and Value, 2^nd Edition, Springer, USA, 2015
² Turel, O.; C. Bart; “Board-level IT Governance and Organizational Performance,” European Journal of Information Systems, vol. 23, March 2014, p. 223-239
³ Valentine, E; Enterprise Business Technology Governance: New Core Competencies for Boards of Directors in Digital Leadership, Queensland University of Technology, Brisbane, Australia, 2015
⁴ ISACA, COBIT 5: Enabling Processes, USA, 2012
⁵ Op cit, Turel and Bart
⁶ Gordon, L. A.; M. P. Loeb; T. Sohail; “Market Value of Voluntary Disclosures Concerning Information Security,” MIS Quarterly, vol. 34, no. 3, 2010, p. 567-594
⁷ Raghupathi, W; “Corporate Governance of IT: A Framework for Development,” Communications of the ACM, vol. 50, no. 8, 2007, p. 94-99
⁸ Healy, P. M.; K. G. Palepu; “Information Asymmetry, Corporate Disclosure, and the Capital Markets: A Review of the Empirical Disclosure lLterature,” Journal of Accounting and eEconomics, vol. 31, iss. 1, 2001, p. 405-440
⁹ Andriole, Stephen J.; “Boards of Directors and Technology Governance: The Surprising State of the Practice,” Communications of the Association for Information Systems, vol. 24, article 22, March 2009
¹⁰ Op cit, Valentine
¹¹ ISACA, COBIT 5: Enabling Processes, USA, 2012
¹² Anderson, M. C.; R. D. Banker; S. Ravindran; “Value Implications of Investments in Information Technology,” Management Science, vol. 52, iss. 9, 1 September 2006, p. 1359-1376, http://pubsonline.informs.org/doi/abs/10.1287/mnsc.1060.0542
¹³ Joshi, A.; L. Bollen; H. Hassink; “An Empirical Assessment of IT Governance Transparency: Evidence From Commercial Banking,” Information Systems Management, vol. 30, iss. 2, 2013, p. 116-136
¹⁴ Chatterjee, D.; V. J. Richardson; R. W. Zmud; “Examining the Shareholder Wealth Effects of Announcements of Newly Created CIO Positions,” MIS Quarterly, vol. 25, no. 1, March 2001, p. 43-70
¹⁵ Dehning, B; V. J. Richardson; R. W. Zmud; “The Value Relevance of Announcements of Transformational Information Technology Investments,” MIS Quarterly, vol. 27, no. 4, December 2003, p. 637-656