Involve senior management in major IT decisions. Senior management establishes strategic direction, and thus defines desirable behaviour for the management and use of IT. Top management involvement is such an old chestnut that we often forget how important it is. If senior management is not involved in IT decision-making, the organization is likely to experience a disconnect between business objectives and IT capabilities. In our study, top governance performers had more direct involvement by senior managers other than the CIO. The more involvement, the better the governance performance. "The Decision-Makers" (see page 26) lists managers in approximate order of their impact on governance when they join the CIO in decision-making. The numbers represent the relative degrees of impact for each executive compared to the CIO, who we assigned a baseline value of 1.0. Thus, engaging the CEO in IT governance has more than twice the impact as the CIO acting alone.

The United Nations Children's Fund provides evidence of the importance of senior management involvement. For many years, IT at UNICEF supported administrative tasks at headquarters but was very limited and locally managed in the field offices where the needs of children were directly addressed. UNICEF operates in remote and sometimes dangerous locations including sites affected by armed conflict, natural disasters and other tragedies. In the mid-1990s senior management recognized that the lack of IT in field offices was handcuffing operations. Led by CIO Andre Spatz, UNICEF equipped remote locations with online access to critical data involving important tradeoffs among features like cost, reliability, speed and accessibility.

The CIO worked with the other C-level managers to take ongoing governance responsibility for principles, architecture, infrastructure and investment decisions. For example, an important mechanism involving the CXO team was a global IT portfolio management process to coordinate and align IT investments with UNICEF objectives. Through the leadership of these CXOs, IT has fundamentally transformed the way UNICEF operates and has improved global knowledge, information flow, transparency and communication. Field offices can serve their constituents based on transaction-level and value-added information they could not access only a few years ago.

Design exception processes into governance processes. Technology, data and business process standards can help enterprises reduce IT and business process costs, increase systems reliability and enhance security. But allowing for exceptions to technology and business process standards is just as important as establishing and enforcing standards. Governance exception processes give individuals an audience when they feel that standards are limiting business success. More important, by revealing when standards are inappropriate or out of date, exceptions create learning opportunities. In our study, organizations with effective governance had fewer renegade exceptions, but more exceptions approved through a formal exception process.

Companies have different needs for exceptions. MeadWestvaco, a global paper manufacturer, allows few exceptions to technology standards because it is pursuing a strategy of operational excellence. Operating at low cost means adopting and complying with standards. Accordingly, the CIO handles exception requests. UPS, in contrast, expects to innovate through IT. UPS's layered exception process, described earlier, helps the business recognize opportunities for new technologies.

Change governance only when desirable behaviours change. The process of changing governance, communicating the changes and then institutionalizing the new approach is lengthy. Governance takes six months or longer to implement, according to our study. Top performers changed their governance on average less than once a year, and their intent was to do so even less frequently. Poorer performing organizations changed their governance method as much as three times a year. Because organizations need time to learn new governance mechanisms, changes should be rare. Once a company has designed a coherent set of mechanisms, governance can remain intact until a change in strategic direction redefines desirable behaviours.

For example, when JP Morgan Chase decided to seek synergies across its business units, management instituted governance structures to encourage the use of standardized technologies. With those mechanisms in place, the enterprise may occasionally tweak membership in decision-making structures, or enhance alignment processes or communication approaches. However, the basic set of governance mechanisms should be long-lasting.

Provide transparency and education. The most important predictor of top governance performance in our study was the percentage of managers in leadership positions who could accurately describe their enterprise's IT governance. The higher the percentage of managers who could describe governance, the higher the governance performance. When more managers can accurately describe governance, it is more likely to be part of the enterprise's management culture, and thus more likely to be followed - or better still, challenged and improved. Without an awareness of IT governance, there is no chance that it will be followed. Nearly half of all of the managers in the top 50 percent of governance performers could accurately describe their IT governance, while fewer than 30 percent of the managers could do so in the poorer performers. Proactively designing governance and then educating everyone in the enterprise as to how governance decisions are made reduces the mystery of IT and enables managers throughout the organization to accept responsibility for its effective use as a strategic asset.