IT Governance: Who Cares More? First Evidence from EU Banks and Supervisors
Although the first scientific research on the concept of IT governance was developed in the 1960s, only in the late 1990s did this topic obtain systematic attention from scholars. From then on, the concept of IT governance has become an object of greater attention and has been analysed in the broader context of corporate governance mechanisms. The literature provides various definitions and a range of constructs to describe the concept of IT governance in the form of different structures, processes, domains, facets, and elements, analogous to the study of corporate governance in general. It is important to note, however, that IT governance merits distinct attention among other corporate governance mechanisms for two reasons:
– most organizations in today’s complex and competitive business environment rely heavily on IT to improve operating efficiency and sustain competitive advantage (Mata et al. 1995);
– IT governance can help firms to arrange and specify an efficient IT decision-making structure for a range of IT-related topics, such as IT investment, IT principles, and IT infrastructure management (Sambamurthy and Zmud 1999; Weill and Ross 2004; Xue et al. 2008, 2011).
Therefore, the effective governance of IT can support organizations in generating value-added objectives on top of IT, thereby contributing to the broader objectives of corporate governance (Weill and Ross 2004). As in other industries, IT is an intrinsic component of banks’ operational functioning and has become the backbone of almost all banking processes, given its growing role in: a) supporting management in strategic decisions; b) facilitating the automated control environment on which core banking data are based; c) developing new products and services to compete in the financial markets; and d) improving distribution channels. While IT has emerged as a strategic resource in today’s banking business environment, it can also raise critical issues, such as effective IT decision making and management control, IT investment priorities, and IT risk management. Regarding the latter, one lesson learned from the financial crisis that began in 2008 was that banks’ IT and data architectures were, on the one hand, necessary to improve banks’ efficiency and risk management process and, on the other, deeply inadequate to support the broad management of financial risks. Banks’ capacity to capture robust data for timely and automated risk identification increasingly relies on data and technology infrastructures. Two relationships between risk management and IT are most relevant:
– risk management in banks is increasingly supported by IT: for instance, databases allow the recording and analysis of risk events, systems support models for risk quantification, internal rating models, etc.;
– the more that IT penetrates the banking processes, the greater the dependence of business activities on IT, which, in turn, increases the relevance of IT risk management.
The inability of many banks to efficiently and effectively provide Senior Management with a true picture of the risks the organization faces, more evident during the global financial crisis, has led to renewed attention on IT management from regulators. For instance, at the international level the BCBS and the EBA have intervened by defining a set of new rules (e.g. Basel III framework) and guidelines (e.g. Principles for effective risk data aggregation and risk reporting) which affect, albeit indirectly, IT governance. However, regulators do not specifically address banks’ requisites for effective IT governance and risk management systems, even though these changes likely result in strategy overhaul, process review and IT systems impact on the banking industry. Given the awareness that risk management systems have failed in many cases due to inadequate corporate governance mechanism rather than the failure of IT systems str