Chapter 2. IT governance framework

The first step, and we argue the most critical step, in dealing with the IT risks that the organization faces is to establish a coherent framework for leadership and management of IT – an IT governance framework. This ensures that the board, senior management and all managers who have responsibilities for making IT decisions have a common understanding of how the organization deals with IT risk. But the governance framework is not concerned simply with risk – the benefits, opportunities and effectiveness of IT investments are of equal status.

IT is frequently about new and emerging technologies that boards can never be expected to be on top of. So how can they approve projects involving these new technologies? How can they be sure that senior staff are up to the job?

Board members should not, in effect, be delegating governance issues to line management.

The most spectacular examples of IT governance failure in recent years have been the 'investments' that many organizations made into e-business. Whenever a claim is made of a 'significant investment', the board is implicated. The failure of the project is simply an investment that failed. Every major project failure – the literature abounds – has an element (at least) of IT governance failure.

This chapter sets out why you need to have an IT governance framework and how to design and implement an effective framework for your organization.

Governance over IT, as with all other facets of an organization, ...
