A comment about ISACA's new COBIT and Val IT survey on Dan Swanson's GOV_DG list got me thinking about where the buck stops with IT governance. A common strain of thought says IT should be a board-level issue. After all, IT is big money and data breaches have increasingly material potential—as the still-rising tolls from the Heartland and TJX failures illustrate. But is IT, in concept and practice, still too mechanical for board-level attention? Should it be?
The answer to the first question is certainly yes. Even the most strategic IT governance standards—ISO/IEC 8500, COBIT*, and Val IT—live squarely in the domain of How. Val IT might come closest to corporate governance in its coverage of IT investment management, which implies evaluating the value of the business processes that technology enables. In this sense, it's similar to GAO-04-394G: Information Technology Investment Management. Still, even the value-oriented frameworks are insular and inward-looking. In their world view, IT investment is governed by the CIO. The bigger picture, the integration of IT risk and value into business process (and process performance) risk and opportunity, is still outside of the sphere. Because of this insularity, IT itself should not and cannot be the purview of the board. The board's concern is with the performance of the business: market relevance, business performance, high-level strategy, financial processes, risk posturing, etc. While IT can enable these business concerns, whether it does (or doesn't) and how are relatively atomic considerations that, from the board's perspective, should remain "under the hood."
Of course, boards are concerned with the oversight of large investments (and IT is nothing if not a large investment), as well as risk and compliance issues—two areas where the IT governance substratum is closest to the surface of general corporate governance:

- In the case of investment management, the board should primarily respond to management (and audit) evaluations of how well IT expenditures represent good-value responses to business-process opportunities or risks. This consideration is subsidiary to whether particular business processes (e.g., tailored approaches to ERP, CRM, SCM) are good-value responses to business performance opportunities and risks. And the business-process consideration is itself subsidiary to whether the identified business performance opportunities and risks represent market-relevant and market-responsive business goals. So, even in this context, you can see how IT governance would still exist at a line-item level in the board's considerations.
- In the case of risk and compliance management, business factors such as market timeliness requirements, reporting integrity and timeliness, and general information integrity risks and regulations also deserve the board's attention. But, again, that attention should be at the policy and business-impact level. Information security is subsidiary to information protection, which is subsidiary to information CIA, which is subsidiary to the issues that should be top-of-mind board concerns, such as brand reputation, innovation, agility/flexibility, reporting obligations, and speed to market.
IT is a complex and powerful function that needs governance; however, confusing IT governance with business governance supports neither function. It's like confusing the body with the person. Yes, "what am I going to do today" is somewhat dependent on "what are my physical capabilities and limitations." But our decisions to cook, ski, job hunt, buy a new television, etc. don't begin—and usually don't end—with the consideration of our physical capacity to do them.
Between IT governance and corporate governance, there are also other process layers that deserve more refinement and attention than they're getting. IMHO, business performance measurement and management, business process measurement and management, and information assessment and governance (including, but not limited to electronic information) top this list.
Your thoughts?