IT Security Governance Book Review

Book Review of IT Governance

IT Governance. 2004. Peter Weill and Jeanne Ross

by Kathy Bergsma

What is IT Governance

Weill and Ross define IT governance as "specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT." The desirable behavior drives the design: if the enterprise wants independent business units, IT investment decisions belong with the unit heads; if it wants an enterprise-wide view of the customer with a single point of contact, central IT control works best.

Three Functions of Governance

  1. What decisions must be made to ensure effective management and use of IT?
    1. IT principles - clarifying the business role of IT
    2. IT architecture - standardization and integration requirements
    3. IT infrastructure - shared services that provide the foundation for IT capability
    4. Business application needs - specifying the business need for purchased and internally developed IT applications
    5. IT investment and prioritization - choosing what initiatives to fund and how much to spend
  2. Who should make decisions? Archetypes for allocating decision rights.
    1. Business monarchy - senior business executives (excluding IT) make the decisions
    2. IT monarchy - IT executives make the decisions
    3. Feudal - each business unit makes independent decisions
    4. Federal - a combination of corporate center and business units, with or without IT, make decisions
    5. IT duopoly - IT and one other group, such as senior executives or business unit leaders, make decisions
    6. Anarchy - individual users make independent decisions for themselves
  3. How will these decisions be made and monitored?

Why is IT Governance Important

IT Governance Challenges


Governance Archetypes

Weill and Ross use political archetypes to describe the people or groups who hold decision rights.

Different types of decisions might use different archetypes.


[Table: governance archetype applied to each IT decision domain. Columns: IT Principles, IT Architecture, IT Infrastructure, Business Applications, IT Investment (row labels lost in extraction). Surviving cell values: Business Monarchy, IT Monarchy, IT Duopoly, Don't know.]

What Governance Arrangements Work Best

Governance Mechanisms

Governance is implemented using the following mechanisms.

Decision-Making Structures

Organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.

Alignment Processes

Formal processes that ensure daily behaviors are consistent with IT policies and that feed input back into decision making. These include IT investment proposal and evaluation processes, architectural exception processes, service-level agreements, chargeback, and metrics.

Communications Approaches

Announcements, advocates, channels, and education efforts that disseminate IT governance principles and policies and outcomes of IT decision-making processes.

Mechanisms should be:

Principles for Establishing a Set of Effective Mechanisms


Characteristics of Top Governance Performers

Top-performing enterprises are transparent about the tensions inherent in IT decisions, such as standardization vs. innovation.

Aligning IT Governance with Strategy and Performance

Six Components of Effective IT Governance Design

  1. Enterprise strategy and organization. Strategy focuses employee attention on simple and achievable messages. Governance reinforces and transcends organization structure in defining responsibilities for implementing strategies.
    1. Competitive thrust of the enterprise
    2. Relationships among business units (autonomy vs. synergy or centralized vs. decentralized)
    3. Intentions for the role and management of information and IT
  2. IT governance arrangements. Identifies the archetypes used for each type of IT decision.
  3. Business performance goals. Clear objectives for the governing bodies and benchmarks for assessing the success of governance efforts.
  4. IT organization and desirable behaviors. Enterprise strategy and organization provide the direction for organization and desirable behaviors. Desirable behaviors must be in harmony with strategic direction or an enterprise cannot achieve its performance goals.
  5. IT metrics and accountability. Who is responsible and how they will be evaluated.
  6. IT governance mechanisms. Well designed mechanisms reinforce and encourage desirable behaviors and lead to outcomes specified in metrics and accountability.

Strategies for IT Governance

Management Principles for Designing Governance to Address Strategic Objectives

Top 10 Leadership Principles for IT Governance

  1. Actively design IT governance
  2. Know when to redesign
  3. Involve senior managers
  4. Make choices
  5. Clarify the exception-handling process
  6. Provide the right incentives
  7. Assign ownership and accountability for IT governance
  8. Design governance at multiple organizational levels
  9. Provide transparency and education
  10. Implement common mechanisms across the six key assets
    1. Human
    2. Financial
    3. Physical
    4. Intellectual property
    5. Information and IT assets
    6. Relationship assets

IT Governance for Nonprofits and Government

The greater emphasis on consensus, transparency, and equity in nonprofits and government shapes IT governance design. Successful IT governance in these organizations relies more on partnerships and joint decisions between business and IT leaders. Formal mechanisms such as committees are also important.


How Top Performers Govern IT in Nonprofits and Government

Mechanisms for top performers

Symptoms of Ineffective Governance


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).