Reference: Willson, P., & Pollard, C. (2009, Spring 2009). Exploring IT Governance in Theory and Practice in a Large Multi-National Organisation in Australia. Information Systems Management, 26(2), 98-109.
Abstract: IT governance is critical to most organisations and has an influence on the value generated by IT investments. Unfortunately, IT governance is more aspiration than reality in many organisations. This research seeks to address the dearth of empirical evidence about IT governance in practice, presenting the findings of an IT governance case study in an Australian organisation. Recommendations are provided to assist organisations to maximise potential of IT governance and insights are provided for researchers.
In his book Secrets and Lies: Digital Security in a Networked World, author Bruce Schneier frequently addressed the following comment:
In theory there is no difference between theory and reality. In reality there is.
For this research the authors interviewed 28 senior IT and corporate managers at an Australian MNE in order to address two questions:
- What is the nature of IT governance in practice?
- What factors contribute to differences between theory and practice?
Their analysis of the interviews identified four major themes that do not entirely overlap with theoretical models of IT governance. For example, although IT governance models frequently deal with risk management of IT-related risks, the subject organization restricts risk management activities primarily to the area of project risk management. The research highlights the importance of visionary leadership and key players in IT-business alignment, and also introduces the importance of historical context in the governance of IT and its initiatives.
Researchers and industry frameworks, such as COBIT and ITIL, frequently document practices that have little relevance in most organizations. For example, during my implementations of CMDB at customer sites, I emphasize the importance of aligning IT service, logical, and physical assets with the organization through relationships in a top-down approach. In practice most organizations ignore this advice and build the CMDB bottom-up through the identification of physical assets. In other words, their most pressing concern is to manage the “things they can kick” in a way that won’t achieve benefits the CMDB may, in theory, provide. These differences between the theoretical and practical are important, and I would like to see more research like this that covers practical application.