First let’s clarify two terms we are going to use extensively in this book: enterprise and governance.

Enterprise (n) is the term used to describe a range of different organisations: a commercial business (often called a corporation) that may, or may not, be quoted on a stock exchange; a public sector organisation such as a local or national government department, or a not-for-profit organisation such as a non-governmental organisation (NGO) or a charity. Enterprise is a more generic term than business since business often implies there is commercial interest. Perhaps the term organisation could also have been used since it, too, covers the full range of different enterprises just discussed and the term organisation chart is commonly used in all types of enterprises². However, enterprise has become the term frequently used in the 21^st century when discussing governance of organisations: that is, enterprise governance.

Governance (n) is ‘the action, manner or fact of governing; controlling or regulating influence or good order³’.

Clearly, governance applied to enterprises is expressing the view that directors (or top management) of enterprises are tasked with governing, controlling and regulating their enterprise using best practices. Shareholders who appoint directors, as well as citizens who elect governments, expect this to take place but in some enterprises this has not happened and legal actions have had to be taken against many directors and top management over the centuries. Imprisonment and huge fines was not the only answer; what was needed was advice and guidance through regulations that must be obeyed – that is, corporate governance codes.

It was following Robert Maxwell's death in 1990 that a £4 billion fraud at Maxwell Communication Corporation and Mirror Group Newspapers was revealed. Maxwell was both chairman and chief executive – now considered not ideal and segregation of duties for these two roles is now best practice. Other frauds in enterprises quoted on the London Stock Exchange (LSE) around this time were Bank of Credit and Commerce International (BCCI) in 1991 and Polly Peck in 1990. These enterprises are all known in the UK as corporations – a word that implies stock market quoted enterprises. Consequently in 1991, the LSE and the accountancy profession appointed Sir Adrian Cadbury to chair a committee to recommend a code of best practice for corporate governance. The resulting Cadbury Report: Financial Aspects of Corporate Governance (December 1992)⁴ is often seen as the point at which formally defined corporate governance emerged. The Cadbury Report identified the key responsibilities of boards of directors to be setting strategy, providing leadership, supervising management and reporting to shareholders about board stewardship (i.e. properly running the corporation in a fiduciary, i.e. trustworthy, way that the shareholders requested and expected).

Barger (2004)⁵, see Figure 1.1, explained corporate governance very succinctly, stating there are three parts: ownership, governance and management. She indicated that shareholders had ownership of a corporation and appointed directors to govern the corporation. The directors’ duty was to protect the shareholders’ investment in the corporation by working with management to develop a corporate strategy and by directing management to run the corporation. Management’s job was ‘to develop business capabilities’ and ‘run business operations’. The directors would also request the management to provide reports so they could monitor whether their management was meeting directives.

Corporate governance is now well established in the world, for example, all G-20 countries and, in total, more than 90 countries have their own corporate governance recommendations known as corporate governance codes (ECGI, 2013)⁶.

The International Federation of Accountants (IFAC, 2004)⁷ used the term enterprise governance and indicated this includes two parts: Business Governance (i.e. performance) and Corporate Governance (i.e. conformance). Performance covers activities for value creation, resource utilisation and risk management. Conformance covers accountability and assurance. However, much earlier, Tricker, in his seminal textbook Corporate Governance – first written in 1984 when ‘the term corporate governance was not then in use’ (Tricker, 2008)⁸ – indicated that corporate governance includes compliance (i.e. conformance) and performance. So enterprise governance means corporate governance. Interestingly, the Chartered Institute of Management Accountants (CIMA) who also used to say Enterprise Governance is made up of Corporate Governance and Business Governance has now removed both those terms and just talks about Enterprise Governance as performance and conformance (CIMA, 2010)⁹.

As Weill and Ross, 2004¹⁰, indicated in the preface to their seminal textbook, IT Governance, the point at which the importance of conducting IT Governance became clear is not well defined like that of corporate governance but emerged over a period of years from multiple research studies and discussions between managers. As early as 1998-9 Weill with Michael Vitale at the Melbourne Business School conducted an exploratory study of IT governance. Much of the work on business and IT alignment (BITA) in the 1990s contributed to IT governance, too. The earliest I have been able to find the term IT governance was in an article on strategic alignment of business and IT by Henderson and Venkatraman in 1992 in Chapter 7 of the book Transforming Organisations (Kochan and Useem)¹¹.

IT governance took off as a discipline once the COBIT framework evolved from an IT audit to an IT governance framework with the release of COBIT®3.0 in 2000. COBIT was, and still is, widely adopted as the de facto framework to meet the IT governance requirements of Section 404 of the Sarbanes-Oxley Act of 2002. It is worth pointing out that COBIT recognised that IT governance was concerned with ensuring both conformance and performance, that is, compliance and value delivery to the business.

In Australia between 2003 and 2005, Standards Australia developed Australian Standard AS 8015-2005 for the Corporate Governance of Information and Communication Technology. This complemented the set of Australian Corporate Governance Standards – the first of which had been published in 2003. AS 8015 was fast-tracked into an ISO Standard as ISO/IEC 38500, Corporate Governance of IT, published in May 2008. Unlike the free, comprehensive resources within the COBIT framework, ISO/IEC 38500 was a slim, 12-page, easy-to-understand Standard aimed at directors of businesses to guide them in their governance in the use of IT – however, it has to be purchased at around $100.

Clearly COBIT needed to take on board the ISO/IEC 38500 Standard and this was to happen with COBIT 5.

Now people are starting to discuss Enterprise Governance of IT rather than IT Governance; notably Wim Van Grembergen and Steven De Haes at the University of Antwerp Management School (UAMS). They have been long-term researchers for ISACA/ITGI and advocates of approaches to implementation of IT governance that have contributed much to the development of the COBIT framework. In their book Enterprise Governance of Information Technology¹², published in 2009, they begin by pointing out that Enterprise Governance of IT is a relatively new term and they go on to explain that because of the ‘IT’ in the naming of IT governance, discussion did not generally reach the boardrooms of organisations. Clearly the involvement of business is crucial and they indicate there has been a shift of emphasis (largely due to the publication of ISO/IEC 38500, I feel) to focus on business involvement, that is, Enterprise Governance of IT. As they put it, ‘Enterprise Governance of IT is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organisation that enables both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled investments.’

In 2009, ISACA created a new certificate called Certified in the Governance of Enterprise IT (CGEIT®) that is a person qualification based on passing an examination and having sufficient professional experience of the governance of enterprise IT. Notice that the term Governance of Enterprise IT (GEIT) is a rephrasing of Van Grembergen and De Haes’ term ‘Enterprise Governance of IT’. GEIT is now the conventional term for what earlier was, and still is, referred to as IT governance.

So from 2010, the COBIT 5 Task Force worked on COBIT®5 that was released in April 2012. It is aligned with ISO/IEC 38500 and it fully addresses the ‘Governance of Enterprise IT’. That is the subject of this book.