The authors of IT Governance are academics at the Center for Information Systems Research (CISR), a research group at a top business school, the MIT Sloan School of Management. Unlike a lot of articles and papers on IT governance (ours included!), this book builds directly on hard evidence gathered from scientific projects and case studies of more than 250 organizations including well-known major-league players such as JPMorgan Chase, DuPont, UNICEF, UPS, Old Mutual and Motorola. Paradoxically, though, that is simultaneously the book's strongest and weakest point: the studies give tremendous authority and credibility to the material, but also restrict the scope of the book somewhat to that of the underlying research. There is no mention of Sarbanes-Oxley, for instance.
Chapters 2 and 3 expound a theoretical model explaining the choices ("the five key IT decisions") organizations have in how to manage and control IT as an integral part of their general business management, and a blueprint for organizational design ("IT governance archetypes"). Later chapters use the model to analyze organizations using real-world data from the research projects, and present numerous case studies to illustrate the range of options available and the choices made. This approach encourages business and IT executives to take a long hard look at their own day-to-day IT governance arrangements, and think about the higher-order design of their IT management systems.
The case studies and other research data build a compelling value case for sound IT governance. Comments in the preamble, back cover flaps and first chapter such as "firms with superior IT governance have at least 20 percent higher profits than firms with poor governance" are hooks to spark a manager's interest in the book. However, the academic style and length of the book restrict the potential readership considerably. Reading it demands concentration and time to think over the implications. MBA students and business/IT consultants seem more likely to read the book cover-to-cover than the stated target audience of CEOs, CFOs, COOs, CIOs and other senior managers.
Chapter 8 is written in a much more accessible, pragmatic and action-oriented style than the rest. Even if you are a busy executive, make time to read chapter 8! It starts by describing common symptoms of ineffective IT governance, and then moves on to describe an action plan for reviewing and (re)designing your IT governance framework. The "top ten leadership principles of IT governance" are an excellent checklist for the steps involved in bringing your framework up to best practice. Being information security awareness professionals (see [...]), we particularly liked the 9th principle: "Provide transparency and education ... Communicating and supporting IT governance is the single most important IT role of senior leaders. The person or group who owns IT governance has a major responsibility for communication. Firms in our study with more effective governance also had more effective governance communication." This picks up on an important point in chapter 4: "The most important predictor of top governance performance was the percentage of managers in leadership positions who could accurately describe their enterprise's IT governance." Could you?