IT Governance: Who Cares More? First Evidence from EU Banks and Supervisors

Even if first scientific research regarding the concept of IT governance was developed in the 1960s, only in the late 1990s did this topic obtain systematic attention from scholars. From then on, the concept of IT governance has become an object of greater attention and has been analysed in the broader context of corporate governance mechanisms. The literature provides various definitions and a range of constructs to describe the concept of IT governance in the form of different structures, processes, domains, facets, and elements, analogous to the study of corporate governance in general. It is important to note however that IT governance merits distinct attention within other corporate governance mechanisms for two reasons: – most organizations in today’s complex and competitive business environment rely heavily on IT to improve operating efficiency and sustain competitive advantage (Mata et al. 1995); – IT governance can help firms to arrange and specify an efficient IT decision making structure for a range of IT-related topics, such as IT investment, IT principles, and IT infrastructure management (Sambamurthy and Zmud 1999; Weill and Ross 2004; Xue et al. 2008, 2011). Therefore, the effective governance of IT can support organizations in generating value-added objectives on top of IT, thereby contributing to the broader objectives of corporate governance (Weill and Ross 2004). IT, as for other industries, is an intrinsic component of banks’ operational functioning too; and has become the backbone of almost all banking processes considering the growing role assumed in: a) supporting management in strategic decisions; b) facilitating the automated control environment on which core banking data are based; c) developing new products and services to compete in the financial markets; and d) the improvement of distribution channels. While IT has emerged as a strategic resource in today’s banking business environment, it can also raise critical issues, such as effective IT decision making and management control, IT investment priorities, and IT risk management. Regarding the latter, one lesson learned from the financial crisis that began in 2008 was that banks’ IT and data architectures were, on the one hand, necessary to improve banks’ efficiency and risk management process, and, on the other, deeply inadequate to support the broad management of financial risks. Banks’ capacity to capture robust data for timely and automated risk identification increasingly relies on data and technology infrastructures. Two are the relationships between risk management and IT that are most relevant: – risk management in banks is increasingly supported by IT: for instance, databases allow the recording and analysis of risk events, systems support models for risk quantification, internal rating models, etc.; – the more that IT penetrates the banking processes, the greater the dependence of business activities on IT, which, in turn, increases the relevance of IT risk management. The lack of the ability of many banks to efficiently and effectively provide Senior Management with a true picture of the risks the organization faces-more evident during the global financial crisis has led to a renewed attention on IT management from regulators. For instance, at the international level BCBS and EBA have intervened defining a set of new rules (e.g. Basel III framework) and guidelines (e.g. Principles for effective risk data aggregation and risk reporting) which affect—albeit indirectly— IT governance. However, regulators do not specifically address banks requisites for effective IT governance and risk management systems, even so these changes likely result in strategy overhaul, process review and IT systems impact on the banking industry. Given the awareness that risk management systems have failed in many cases due to inadequate corporate governance mechanism rather than the failure of IT systems strictu sensu, in this chapter we wish to highlight if banks have begun to ascribe greater importance to the coordinated management of all IT resources, in other words to IT governance. We explore the attention payed to IT governance in four EU countries by a sample of banks and national Supervisors, to point out if, after the crisis, the interest on this topic as well as the level of investments in IT has increased. In contrast to previous studies which use case studies and/or questionnaires to investigate IT governance practices, we base our analysis on banks’ public disclosure. We root our research on the largely shared assumptions that firms with good IT governance tend to disclose more on related mechanisms (e.g. Clarkson et al. 2004). To observe if the attention to IT governance has increased in the last few years, we develop an original descriptive framework of IT governance (ITGF) disclosure tailored to the banking sector. Using the ITGF we perform a content analysis to measure the level of attention on IT governance through the years (2008–2015) and cross countries from both banks and Supervisors. This study, to the extent that constitutes a pilot study, provides several insights into the academic debate within the macro strand of literature on corporate governance mechanisms, and more specifically on the less analysed topic of IT governance focusing on the banking sector. The chapter is organized as follows: Sect. 4.2 provides the background of the research, including the existing literature and development of research questions, Sect. 4.3 describes the research methodology and the sample and data collection, the main results are presented in Sect. 4.4; finally, Sect. 4.5, presents the conclusions and outlines areas for future research.