Poor IT governance can be even worse than no IT governance. Managing IT risk as part of governance of enterprise IT (GEIT) is a key factor to IT governance success, as discussed in Guy Pearce’s ISACA Journal, volume 3, article, “The Sheer Gravity of Underestimating Culture as an IT Governance Risk.” Since poor IT governance can be attributed to many IT failures, organizations need to examine not only their GEIT plan itself, but also the culture they create to foster improved IT governance. Enterprises need to embrace culture around GEIT as a critical success factor (CSF) to prevent future IT failures.
The Merriam-Webster Dictionary defines culture as, “… shared attitudes, values, goals, and practices that characterizes an institution or organization.” In short, it is about how the organization behaves and how it does things. While not comprehensive, figure 1 lists 4 types of negative organizational behaviors with which to be concerned.
Many may have experienced any or all of these behaviors when developing their GEIT policies, processes, standards and guidelines. In alignment with figure 1, risk management will certainly be ineffective if people are in denial about risk, could not care less about risk, do not understand why risk is important or continually find ways not to perform the risk control processes that are established to support the new IT governance program.
Given the complexity of institutionalizing change, there are at least 4 drivers of change that help encourage changes in mind-set and that help address undesirable behavior:
- Fostering understanding and conviction to ensure that what is being asked is understood
- Role modeling and ensuring that leaders behave differently
- Developing talent and skills to enable behaving in the new way
- Reinforcing with formal mechanisms where structures, processes and systems support the change
Of these, it was found that role modeling is the greatest driver of successful transformation. In terms of the rest of these, communication, especially regarding progress, was found to be the next most important consideration, raising further questions about why some in the business community do not see communication as a risk CSF.
The significance of culture as a CSF adds to the matters the practitioner needs to consider in developing and sustaining their enterprise IT governance initiatives, especially with respect to the change management that is clearly every bit as important to successful GEIT as are its 5 documented domains. While there could be items in the GEIT implementation plan pertaining to competency development (training), fostering understanding (communication) and reinforcement (e.g., deploying supporting technology), there is often nothing in the plan about identifying role models. Leadership role models address one of the greatest drivers of effective risk management (i.e., tone at the top) through a chain of activity as illustrated in figure 2. Quite simply, if leadership does not live the change they are advocating, if they do not set the example, then their IT governance efforts will be ineffective.
With culture clearly so critically important to the success of risk management and, ultimately, GEIT, and with “increasing interest in better understanding the role of culture in IT governance,” it is concerning that only 15 academic research studies looked into the role of culture in IT governance and, of those, only 1 study explicitly looked into the impact of culture on the risk domain of IT governance. There is clearly both a pressing need and an opportunity for more work to be done in this area.
Read more about GEIT success and its dependence on good IT risk management, including the correct organizational culture, in Pearce’s ISACA Journal article “The Sheer Gravity of Underestimating Culture as an IT Governance Risk.”