
JOURNAL OF INFORMATION SYSTEMS
American Accounting Association
Vol. 31, No. 1
Spring 2017
pp. 59–77
DOI: 10.2308/isys-51365

IT Governance and the Maturity of IT Risk Management Practices

Nishani Edirisinghe Vincent

The University of Tennessee at Chattanooga

Julia L. Higgs

Robert E. Pinsker

Florida Atlantic University

ABSTRACT: The Securities and Exchange Commission’s enhanced disclosure rule on risk oversight, state laws requiring public disclosure of compromised customer information, and high-profile customer information breaches have caused Information Technology (IT) risk management practices to be a major concern for boards of directors and management. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) framework emphasizes the importance of the board’s oversight role while also bringing attention to the firm’s reporting structure. Consequently, our study examines whether the maturity of IT risk management practices depends on Chief Information Officer (CIO) reporting structure and Chief Executive Officer (CEO)/Chairman duality. We develop a scale to measure strategic and operational maturity under the larger auspice of IT risk management and distribute a survey to high-level IT professionals. Our survey also captures the reporting structure of their firms. Consistent with our hypothesis, we find that the maturity of strategic IT risk management practices is higher when the CIO reports directly to the CEO. However, contrary to expectations, we do not find that operational risk management is more mature when the CIO reports to the Chief Financial Officer (CFO). Instead, operational risk management is more mature when the CIO reports to the CEO. For public firms, the maturity of IT risk management practices is higher when the CEO is also the chairman of the board of directors. As C-level officers may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and interested stakeholders on how well IT risk is managed and factors that affect IT governance.

Keywords: IT risk management; CIO reporting structure; board leadership structure; scale development; IT governance.

I. INTRODUCTION

In December 2009, the Securities and Exchange Commission (SEC 2009) approved enhanced proxy disclosure requirements for the board of directors’ role in risk oversight.[1] The rule requires firms to report the boards’ leadership structure and the relationship between the board and C-suite executives when managing the material risks facing the firm. With the increased dependence on Information Technology (IT), senior management and boards of directors have become more aware of the need to manage and oversee IT risks (Turel and Bart 2014). However, a recent National Association of Corporate Directors (NACD 2014a) survey indicates 36 percent of board members are not satisfied with the quality of information provided by management on IT risk and 52 percent are not satisfied with the quantity of that information.

We thank the ISACA for hosting the survey on the association’s website and ISACA members for their enthusiastic participation. Supplemental material can be accessed by clicking the link in Appendix A.

Editor’s note: Accepted by Roger S. Debreceny.

Submitted: March 2015
Accepted: December 2015
Published Online: December 2015

[1] The requirements are based on SEC Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09 (SEC 2009; available at: http://www.sec.gov/news/press/2009/2009-268.htm). The requirement represents a new disclosure requirement to Item 407 of Regulation S-K and a corresponding amendment to Item 7 of Schedule 14A.

We contend that a firm’s reporting structure is a significant determinant of how well IT risk is managed and communicated to internal stakeholders (e.g., the board) (Information Systems Audit and Control Association, Inc. [ISACA] 2012). Consequently, our study focuses on the following two issues related to firm structure and its effect on IT risk management practices. First, it examines whether the Chief Information Officer (CIO) reporting structure affects the maturity (i.e., the extent to which management performs particular activities to identify, assess, monitor, and respond to IT-related risks) (ISACA 2009a; KPMG 2013) of two types of IT risk management practices (benefit/value enablement and operations/service delivery). Second, it examines whether Chief Executive Officer (CEO)/Chairman duality is associated with mature IT risk management practices.

Our study explores one of the areas that Wilkin and Chenhall (2010) identified in their taxonomy of information technology governance (ITG). Specifically, of the five main areas within ITG that they describe (strategic alignment, risk management, resource management, value delivery, and performance measurement), we delve into risk management practices. Most germane to our study, Wilkin and Chenhall (2010) identify the roles of senior management and the board of directors as two key, yet understudied, considerations within risk management. Thus, our study helps to address this issue by providing empirical evidence related to the importance of CIO reporting structure and board leadership structure on the maturity of IT risk management practices.

Results from the NACD (2014a) survey provide a strong indication of an immediate need for firms to improve IT-related risk management practices. In order to provide effective monitoring and advising, the board should receive adequate and timely information on important issues such as the current IT risk exposure and the IT risk management and governance processes in the firm (Hall, Keane, McConnell, and Becker 2005). The firm’s reporting structure may influence the extent to which the board is informed of these matters, thus impacting the effectiveness of board oversight. Conversely, the board leadership structure may also influence the interactions among board members, affecting the board’s oversight of IT risk management. Relevant ITG frameworks (e.g., COBIT 5, ISACA 2012) encourage board of director involvement through evaluating, directing, and monitoring IT. The Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management (ERM) framework (COSO 2004) further emphasizes the importance of the board’s oversight role and the firm’s reporting structure in identifying events, assessing risks, and providing reasonable assurance that the company achieves its objectives and goals.

Drawing upon upper echelon (Hambrick and Mason 1984) and agency (Hall et al. 2005) theories, we hypothesize that the maturity of IT risk management practices will be higher for the benefit/value enablement (strategic) risk category when the CIO reports to the CEO, and for the operations/service delivery (operational) risk category when the CIO reports to the Chief Financial Officer (CFO). Further, we hypothesize that IT risk management practices will be more mature in firms where the CEO and board chairman positions are separated. We developed a scale to measure IT risk management practices based on the two critical risk categories identified and adapted from the Risk IT Framework (ISACA 2009a). Specifically, ten benefit/value enablement and nine operations/service delivery items were identified to potentially represent these two categories of IT risk management practices. In a survey completed by 158 senior U.S. IT professionals, we collected information on their firms’ CIO reporting structure, board structure, and IT risk management activities related to the two risk categories.

Results indicate that the maturity of benefit/value enablement IT risk management practices is higher for firms when the CIO reports to the CEO, rather than when the CIO reports to any other executive. Contrary to our hypothesis, we do not find the maturity of operations/service delivery IT risk management practices to be higher when the CIO reports to the CFO; however, we conduct additional analysis and find that this risk category is more mature when the CIO reports to the CEO. We also find that the maturity of both types of IT risk management practices is higher for publicly traded firms when the CEO is the chairman of the board. In aggregate, our findings suggest that (1) the CEO is in the best position to oversee the management of IT risks, and (2) the communication of IT risk issues between management and the board may be enhanced when the CEO is also the chairman of the board.

Our study explores firm reporting structures and their impact on risk management practices; thus, our findings make multiple contributions to the growing ITG literature. The increasing use of IT by firms potentially leads to greater IT risk exposure, which magnifies the importance of management’s IT risk assessments (representing a specific, but broad, category of firm risk) (Huff, Maher, and Munro 2004; Parent and Reich 2009; NACD 2013) and board oversight. Our results add to the academic risk assessment literature, and also help firms establish effective reporting structures for senior management and boards to mitigate the level of IT risk exposure.

Additional testing shows that the CIO reporting structure and the board leadership structure do not affect the maturity of all risk management practices equally. This finding may help C-suite executives to focus their attention on particular IT risk management practices. Further, our study is the first to empirically test items from the risk management scenarios identified in the Risk IT Practitioner Guide (ISACA 2009b). The 19 items identified can be used in future research exploring IT risk management.[2] Moreover, the results of our study call into question the aptness of taking an agency perspective in dealing with oversight and direct governance research to explore alternative explanations.

[2] The Risk IT Practitioner Guide (ISACA 2009b) includes various detailed management best practices and procedures that firms can implement, complementing both the Risk IT Framework (ISACA 2009a) and the COBIT 5 Framework (ISACA 2012); both frameworks provide guidance at a highly conceptual level. Yet, the areas identified in both frameworks have not been empirically tested to identify whether a particular set of best practices can reliably measure the theoretical construct of IT risk management practices.

The subsequent sections are organized as follows. The next section provides a literature review of IT governance and IT risks, followed by hypothesis development. Section III explains the method used in this study. After the “Results” section, a conclusion is provided discussing the key findings, future research, and the limitations of the study.

II. LITERATURE REVIEW AND HYPOTHESIS DEVELOPMENT

IT Governance

Patel (2002, 34) defines IT governance (ITG) as the “organizational capacity to control the formulation and implementation of IT strategy and [provide] ... proper direction for the purpose of achieving competitive advantage for the corporation.”[3] It aims to ensure “effective utilization of IT by focusing on strategic alignment, risk management, resource management, value delivery and performance measurement” (Wilkin and Chenhall 2010, 107). ITG has recently been systematically adopted by larger firms. Further, investment in IT typically represents a significant proportion of current capital spending in many industries (Debreceny 2013), making it critically important to have effective ITG practices. If effective, ITG should lead to lower costs, satisfied customers, and better quality products or services (Wilkin and Chenhall 2010).

Issues related to ITG have gained the attention of practitioners in recent years as a result of increased regulatory compliance, the significance of the investment required, the poor track record of IT investment, widely reported breach incidents, and globalization. We focus on the role of firms’ reporting structures and board leadership structures on IT risk management practices, consistent with their importance identified in Wilkin and Chenhall’s (2010, 118, 119, 121) taxonomy. Even if IT is not a strategic enabler in a firm, IT risk management is an important topic to discuss because (1) boards of directors are increasingly concerned with how to provide adequate risk oversight of IT (PwC 2013; NACD 2014b), and (2) IT risk management is an essential element of the firm’s internal controls, as IT vulnerabilities have an effect on the reliability of the financial statements, compliance with laws and regulations, and the effectiveness and efficiency of operations.

IT Risk Management Practices

The Risk IT Framework (ISACA 2009a) is a comprehensive framework that provides best practice guidelines that are common to all firms. This framework defines IT risk as “the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events and conditions that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives” (ISACA 2009a, 7).

Common risks included in the Risk IT Framework (ISACA 2009a) and similar frameworks (e.g., COBIT 5 [ISACA 2012]) typically assessed by firms are the following: (1) IT benefit/value enablement—risks associated with missed opportunities to use technology to improve the effectiveness and efficiency of business processes; (2) IT program/project delivery—risks associated with quality, relevance, and overrun of projects that tie into the IT investment portfolio management; and (3) IT operations and service delivery risks—risks associated with the performance of IT systems and services such as service interruptions, compliance, and security. Since IT program/project delivery risks are conjoined with strategic and operational IT risks and already possess extensive research in the project management literature (Taylor, Artman, and Woelfer 2012), we focus our attention on the two remaining and understudied IT risk categories of benefit/value enablement risks and operations/service delivery risks.

IT risk should be managed properly for firms to effectively communicate internally and efficiently report material information externally to interested stakeholders (e.g., owners/investors, creditors, and regulators [ISACA 2012]). Wilkin and Chenhall (2010, 119–121) identify four focus areas in the IT risk management literature: (1) understanding the types of IT risks in different contexts, (2) identifying strategies to manage risk, (3) establishing the role of the board, and (4) establishing the role of the senior management. Our study subsumes the latter three areas. Prior research identifies numerous IT risk factors and categories within the four areas identified above. For example, Sherer and Alter (2004) provide a detailed description of the IT risk literature organized by work system elements (system participants, information, technology, work practices, product/service, customers, environment, infrastructure, and strategy). Smith and McKeen (2009) explain that both external IT risk factors (third-party vendors, legal regulatory environment, and general hazards) and internal IT risk factors (information, people, culture, controls, etc.) can affect the firm. McKeen and Smith (2003) categorize IT risk into eight categories: financial risk, technology risk, security, information and people, business process, management, external, and risk of success. Sutton, Hampton, Khazanchi, and Arnold (2008) categorize business-to-business e-commerce risks into three categories: technical, application user, and business risks. In aggregate, the differences in factors and categories listed above are based on context, which causes a lack of consensus related to IT risk categories in the extant literature.

[3] Similarly, ITG is defined by Debreceny (2013, 129) as “the process by which organizations seek to ensure that their investment in information technology facilitates strategic and tactical goals.” Even though there are many definitions of ITG, they all focus on achieving a link between business and IT.

After identifying IT risks, firms engage in various risk management practices. To facilitate the risk management process, various professional organizations have developed risk management frameworks. COSO’s Enterprise Risk Management (ERM), the International Organization for Standardization’s (ISO) 27001 and 31000, and ISACA’s COBIT framework are widely used frameworks in practice. COSO ERM and ISO 31000 take an enterprise-wide approach to risk management and, conceptually, include all aspects of risk a firm is faced with. Conversely, ISO 27001 focuses on information security risk management, whereas COBIT generally takes an enterprise-wide holistic approach to IT governance. The Risk IT Framework (ISACA 2009a), a component of the latest version of COBIT (i.e., COBIT 5, ISACA 2012), focuses on IT-related risks and risk management practices. Consequently, when considering the broad nature of IT risks, we look to ISACA’s (2009a) Risk IT Framework and the related Risk IT Practitioner Guide (ISACA 2009b) for guidance in developing the IT risk management practices instrument.[4]

Finally, the Risk IT Framework (ISACA 2009a) suggests that the management and governance of IT risks within a firm depend on the risk appetite, awareness, expectations, behavior toward risk taking, experience with negative outcomes, and policy compliance of senior management. Consequently, firms may have varying methods for managing the same IT risk. Based on prior literature (e.g., B. Raghunathan and T. Raghunathan 1989; Lindorff 2005; Ali, Green, and Robb 2013) that finds a significant relationship between management reporting structure and firm performance, we contend that the reporting structure is a significant determinant of effective management and oversight of IT risk management. Therefore, the next section develops the hypotheses based upon this extant literature.

CIO Reporting Structure

Given the depth and breadth of what constitutes “IT risk” and the extent of the consequences of a vulnerability, firms are increasingly focusing on IT risk management practices and governance (Parent and Reich 2009; ISACA 2012). Consequently, the firm’s burden of IT risk management has fallen to someone who possesses IT knowledge, the CIO. The CIO position was created within the C-suite to facilitate and create a competitive advantage through technology development. The creation of a CIO position is perceived as a value addition to the firm by market participants (Chatterjee, Richardson, and Zmud 2001). Further, Stephens, Ledbetter, Mitra, and Ford (1992) conduct an observational study to examine whether a CIO operates as an executive, rather than as a functional manager. They observe five CIOs from various industries over five days and compare the length of scheduled/unscheduled meetings, interactions outside of the information technology unit, responsibilities, and participation in strategic meetings to prior research findings. Based on the comparisons, Stephens et al. (1992) conclude that the CIO operates as an executive.

After more clearly defining the CIO’s role in the literature, the extant research shifts to exploring whether the CIO reporting structure is important to the strategic alignment of IT and business.[5] Gottschalk (1999) finds that firms with a formal IT strategy are more likely to have a higher reporting level with more people reporting to the CIO, compared to firms without a formal IT strategy. Furthermore, Banker, Hu, Pavlou, and Luftman (2011) find that a firm’s strategic position (product/service differentiation or cost leadership) determines the CIO reporting structure. CIOs are more likely to report to the CEO in firms with a product/service differentiation focus, whereas cost leaders are more likely to have the CIO report to the CFO.

Raghunathan and Raghunathan (1989) examine whether the rank of the CIO (one, two, or three plus ranks below the CEO) is important for various aspects of IT use. They find significant relationships between the rank of the IT manager and two aspects of IT; namely, the strategic orientation of IT and the importance given to IT planning. Further, they find that the CIO has an impact on IT strategy and IT planning only when (s)he reports directly to the CEO. However, when the CIO is at a lower rank, the authors find that the CIO has no significant impact. Preston, Chen, and Leidner (2008) discover that the CIO’s structural power (CIO rank) directly influences the CIO’s strategic decision-making authority. Luftman and Kempaiah (2007) suggest that the CIO reporting structure is positively correlated with the maturity of business/IT alignment. These empirical findings indicate that the CIO’s reporting structure is an important facet of the attention given to IT management in a firm.

[4] COBIT 5 (ISACA 2012) integrates existing ISACA guidance into a single framework, which includes the Risk IT Framework (ISACA 2009a). Since we focus only on IT risks in this study, the Risk IT Framework enables us to disentangle the IT risk management components from the broad concepts of IT governance, IT management, and corporate risk management. Further, the Risk IT Practitioner Guide provides the necessary detail and comprehensive IT risk scenarios and management practices to provide us with a starting point for our survey (to be discussed more fully in the “Method” section).

[5] IT/business strategic alignment is defined as the fit between the strategic orientation of the firm and the strategic orientation of the existing portfolio of IT applications (Johnson and Lederer 2010).

Theoretical Underpinnings Related to CIO Reporting Structure

In order to understand the strategic choices made by firms, one must understand the biases and disposition of the most powerful actors (Hambrick 2007). Upper echelon theory suggests that firm outcomes, such as performance (IT/business alignment in this case), cannot be explained by considering one actor (Hambrick and Mason 1984). Hambrick (2007, 334) further suggests that the “leadership of a complex organization is a shared activity, and the collective cognitions, capabilities, and interactions of the entire top management team (TMT) enter into strategic behaviors.” Additionally, strategic choice theory states that firm leaders influence the design and structure of the firm (Child 1997). Based on these two theories, one can presume that the rank of the CIO (i.e., the reporting structure) and the IT risk management practices are an outcome of the complex interactions among the top management team and the board. However, there is no clear answer as to whether the reporting structure drives the risk management process maturity or whether the need to manage risks drives the design of the reporting structure. We do not attempt to establish causality, but rather, we seek to understand whether different reporting structures lead to a greater focus on different risk management processes.

The information systems (IS) literature exploring the upper echelon theory perspective suggests that IT/business alignment is achieved when the relationship between the CIO and the top management team is based on a shared understanding (Gupta 1991; Feeny, Edwards, and Simpson 1992; Jones, Taylor, and Spencer 1995; King 2013) and the CIO uses personal appeal (appeal to the target’s feelings of loyalty and friendship toward him/her) to gain commitment from peers (Enns, Huff, and Higgins 2003). More closely aligned to our study, Ali et al. (2013) find that communications among senior managers are strongly associated with IT governance outcomes. Therefore, the person to whom the CIO reports influences the focus of the CIO’s responsibilities and the type of IT risks managed, resulting in the maturity of certain risk management processes.

Johnson and Lederer (2007) indicate CEOs are more optimistic than CIOs about the current and future strategic role of IT. Consequently, the CIO is likely to spend more time on strategic planning of IT when (s)he reports to the CEO. The more involved the CIO is with business strategy, the more the firm is likely to take advantage of new technology to improve business process efficiency and to undertake new business initiatives, such as using mobile technology and bring-your-own-device-to-work programs, to minimize lost opportunities (minimize benefit/value enablement risks). Thus, benefit/value enablement risk management practices are expected to be more mature in firms where the CIO directly reports to the CEO than for firms where the CIO reports to any other C-suite executive.

H1a: The maturity of IT risk management practices for benefit/value enablement risks is higher for firms in which the CIO reports directly to the CEO than it is for firms in which the CIO reports to any other C-suite executive.

CFOs are increasingly working together with CIOs in order to achieve regulatory compliance requirements (Lindorff 2005). Recently, the CIO-CFO relationship has been in the spotlight because of the necessary collaboration between the two executives. Savidge (2008) identifies financial expertise as a required component of technology management and recommends CFO involvement in areas such as ensuring effective service contracts, assisting system conversions, providing project management, and managing technology vendors. Weismantel (2007) argues that CFOs are more focused on transaction processing and regulatory compliance.

As suggested by upper echelon theory (Hambrick and Mason 1984; Hambrick 2007), when the CIO reports to the CFO, increased interactions between the CIO and the CFO help build synergistic cognitive capabilities between the two executives. Since the CFO is more inclined to be focused on internal controls, compliance, and security of information, the CIO will develop a better understanding of these issues by working closely with the CFO. Hence, the CIO will be more inclined to focus on IT risk areas that affect the firm’s financial reporting and operational performance. Therefore, the operations/service delivery risk management process is expected to be more mature for firms in which the CIO reports to the CFO.[6]

H1b: The maturity of IT risk management practices for operations/service delivery risks is higher for firms in which the CIO reports directly to the CFO than it is for firms in which the CIO reports to any other C-suite executive.

Board Leadership Structure—CEO/Chairman Duality

PwC (2013) surveyed 934 public company directors regarding the effectiveness of IT strategy and risk oversight. They find that one-third of boards spent more time on IT strategy and risk in 2013 than was spent in 2012. Additionally, 61 percent of respondents indicated that they want to spend more time considering related risks in the coming year, and 35 percent report that they receive advice from outside consultants on a project-specific basis. The survey finds that 32 percent of respondents believed that they lack sufficient understanding of IT to support their company’s strategy and IT risk mitigation; however, while the majority of directors were more engaged in overseeing traditional IT issues, such as IT implementation and IT budgets, they were not confident about their understanding of issues related to emerging technologies.

[6] Another factor that may be significant is that audit committees are charged, under specific regulations, with ensuring that the board has a risk oversight (RO) program. Although RO can be assigned to the entire board or other committees, the audit committee members will have some level of involvement. Further, because of regular interactions between the audit committee and the CFO, the reporting structure of the CIO may have an impact on board level and, specifically, audit committee awareness of IT risk issues. However, we do not explicitly examine this possibility.

The extant literature suggests that board members’ IT competency is positively associated with IT governance (Jewer and McKay 2012), and the firm’s strategic use of IT influences the questions board members ask regarding IT governance (Bart and Turel 2010; Turel and Bart 2014). However, the leadership of the board may influence IT risk issue discussions at the board level. Since the SEC’s enhanced proxy disclosure requirement mandates that firms disclose the relationship between management and the board in communicating risk issues, we explore the role of CEO duality on IT risk management.

Hall et al. (2005) argue that governance reforms to displace CEO-centric corporate cultures (i.e., when the CEO also chairs the board of directors) are a result of large public company failures such as Enron and WorldCom. Corporate governance reforms, based on an agency theory perspective, have moved toward separating the board chair position from the CEO (Hall et al. 2005).

In a report to the United States District Court, Breeden (2003, 69–71) mentions that “under the ‘Chairman and CEO’ structure, independent board members are left leaderless unless there is a ‘lead director.’ This lack of board leadership makes it more difficult and less likely at the margin that board members will develop independent consensus views on issues.” However, Breeden (2003) also contends that having a lead director represent the independent board members has its own challenges. He further advocates for creating a nonexecutive chairman separate from the CEO, as boards are often strongly supportive of decisions made by the CEO and management team. Breeden (2003, 71) argues that having a chairman separate from the CEO “will facilitate adequate time being devoted at a very high level to board interaction and communication. [Having a chairman who is separate from the CEO] should facilitate an active and involved board, which is essential to healthy governance.”

Therefore, taking an agency theory perspective, when the CEO is separate from the chairman, the board will be more aggressive and proactive rather than being a passive receiver of information (Huff et al. 2004). Extrapolating this argument to an IT risk management context, the board will be able to provide better oversight of IT risk issues if the CEO is separate from the chairman because the board will be less dependent on the CEO regarding IT risk oversight. Therefore, having a CEO separate from the board chairman should lead to a higher level of IT risk management maturity, relative to when the CEO is also the chairman of the board. Consequently, the maturity of IT risk management practices for both IT risk categories will be higher for firms when the CEO is separate from the board chairman position.[7]

H2: The maturity of IT risk management practices for benefit/value enablement risks and operations/service delivery risks is higher for firms in which the CEO is separate from the board chairman than it is for firms in which the CEO is the chairman of the board.

III. METHOD

Development of Latent Variables and Construct Measures

IT Risk Management Practices

Our main constructs of interest are the two categories of IT risk that need to be managed in our context: benefit/value enablement and operations/service delivery. These theoretical constructs are neither directly observable nor measurable, but can only be estimated by a set of indicators (observable variables). We develop a scale to measure these constructs, since there are no established scales that identify these IT risk management practices other than those limited to a particular technology or context.[8] In order to identify the risk management practices we looked to the Risk IT Framework (ISACA 2009a) and the Risk IT Practitioner Guide (ISACA 2009b) for guidance. Our scale development approach is based on Hinkin's (1998) survey scale development process. Hinkin (1998) suggests five methodological steps starting with item generation, followed by questionnaire administration, item reduction, validity check, and generalization using an independent sample. The first two steps are described below and the subsequent two steps (item reduction and validity check) are described in the "Results" section. As will be discussed shortly, our sample is not independent; thus, we cannot reproduce the final step, generalization.

[7] Even though we hypothesize this direction based on agency theory, an alternative direction can be predicted using stewardship theory. We explain this further in the "Results" section.

[8] There are various maturity models suggested in the literature (capability maturity model, software maintenance maturity model, etc.). The purpose of a maturity model is to provide guidance on the assessment of the firm's processes against a set of best practices. Therefore, a maturity model acts as a diagnostic tool and helps firms identify areas of improvement. Consequently, after risk assessment the firm identifies a maturity level. These models imply that at any given level of maturity, the lower maturity levels were achieved (i.e., a firm with a Level-2 maturity has achieved Level-0 and Level-1 in order to get to Level-2). However, not all firms will aim for the highest maturity level. Therefore, the purpose of developing our scale is to understand the various dimensions that constitute the theoretical construct, which is the IT risk management practices. Our scale is based on the risk scenarios and management practices provided at a highly conceptual level in the Risk IT Framework (ISACA 2009a) and at a more detailed level in the Risk IT Practitioner Guide (ISACA 2009b), which includes 36 IT risk scenarios. We use these scenarios and cull and modify them to develop the scale described in this section.

A firm can carry out various IT risk management practices representing different categories of IT risks. As mentioned above, this study focuses on two different types of IT risk categories and the corresponding IT risk scenarios and management practices introduced in the Risk IT Framework (ISACA 2009a) and Risk IT Practitioner Guide (ISACA 2009b): the benefit/value enablement risk category and the operations/service delivery risk category. The Risk IT Framework identifies best practice management activities that should be undertaken to manage certain types of IT risks. Given the varying categorizations in the extant literature, the items used to measure the maturity of IT risk management practices are identified based on this framework as it provides us with a well-defined item domain (i.e., a population of items from which a sample of items can be selected to reliably represent the theoretical construct). The Framework's Practitioner Guide provides 36 risk scenarios. Based on these scenarios, an initial list of 18 items was selected to represent the benefit/value enablement risk management practices and 15 items were selected to represent operations/service delivery risk management practices. Since some risk management practices were applicable to both risk categories, those items were placed in the most prominent risk category.[9] However, items that had an equal weight on both categories of risk management practices were disregarded. Further, some items were modified to reflect broad activities that are not specific to an application or a situation. This process reduced the initial list to 24 items: 12 items reflecting best practices that could be performed to mitigate benefit/value enablement risks and another 12 items reflecting best practices that could be performed to mitigate operations/service delivery risks.[10] See Appendix A for a link to the downloadable copy of the instrument including the scale items.

Consistent with the terminology outlined in the Risk IT Framework (ISACA 2009a), the maturity of IT risk management practices is defined as the extent to which management performs particular activities to identify, assess, monitor, and respond to IT-related risks (KPMG 2013). The Risk IT Framework contains maturity-level profiles with descriptions of their possible states. There are six maturity levels (0 = Non-existent, 1 = Initial/ad hoc, 2 = Repeatable but intuitive, 3 = Defined process, 4 = Managed and measurable, and 5 = Good practices are followed), representing an ordinal scale. Since the descriptions of levels may have different meanings to differing groups, a set of universally understood descriptions is required to measure the maturity of the process and to eliminate ambiguity due to varying interpretations.[11] Further, by identifying a set of observable variables that represent the theoretical construct and measuring them on a repeatable and less ambiguous scale, we can achieve more consistency and reliability of the measurement instrument. Therefore, we used a seven-point Likert scale, ranging from never to always, to measure the maturity of risk management processes (i.e., the extent to which the activities are carried out).[12] The respondents were asked to indicate how often a given management activity is performed and/or communicated. Consequently, a management practice that is always performed implies a high level of maturity. The initial questionnaire was administered to practitioners, faculty members, and doctoral students to review the items for accuracy, relevance, grammar, and appearance of bias and/or offensive language. No major changes were made at this stage.

CIO Reporting Structure

The CIO reporting structure indicates the position to which the CIO directly reports. Raghunathan and Raghunathan (1989) operationalize CIO reporting structure by dividing firms into three groups based on whether the CIO directly reports to the CEO, is two ranks below the CEO, or is three or more ranks below the CEO. Since the actual number of ranks the CIO is below the CEO or the CFO is not important in our study, the CIO reporting structure is operationalized as a dummy variable (CIO_CEO) set to 1 if the CIO reports to the CEO, and 0 otherwise. Likewise, CIO_CFO is set to 1 if the CIO reports to the CFO, and 0 otherwise.

[9] The Practitioner Guide characterizes these items by risk category using primary and secondary risk classifications. For example, "involve other departments in the selection of IT investments" (ISACA 2009b) has benefit/value enablement as the primary category and operations/service delivery as a secondary category. Further, the use of the Risk IT Framework (ISACA 2009a) for item generation helps ensure construct validity regarding domain sampling and parsimony. We also tested for vagueness of the items by obtaining feedback from one IT faculty member and two doctoral students.

[10] Hinkin (1998) suggests that one issue in scale development is to maintain parsimony without restraining domain sampling. He suggests that scales with too many items may create problems. However, he does not provide a rule of thumb but, rather, suggests that the appropriate length should be based on the reliability of the construct.

[11] The downside of using an ordinal scale in scale development is that it lacks equidistance between the ranks (i.e., the distance between 0 and 1 is not the same as the distance between 1 and 2 [Crocker and Algina 2008]). Furthermore, the ordinal scale implies an end point as optimal. However, a Likert scale provides two end points on a continuum; thus, it is implied that the distance between any two adjacent points is equal.

[12] Hinkin (1998) mentions that Likert scales are the most frequently used and the most useful in behavioral research (relative to any other scale type) and suggests the use of a five or more point scale assessing the frequency of the behavior.

Board Leadership Structure (BLS)

Board leadership structure is also operationalized using a dummy variable. BLS_C is set to 1 if the CEO is the chairman of the board, and 0 otherwise.

Participants and Data Collection

The participant pool consists of experienced IT professionals. Participants were qualified to participate in the full study, in part, based on whether the current or previous firm they work for has a board of directors. They were asked to report on the IT risk management practices of their current or previous firm (if they held the position within the past five years). Qualified participants have titles such as IT manager, IT director, senior vice president of IT, chief technology officer, IT security officer, etc. Further, each participant was asked to report his or her firm's management reporting structure, the board leadership structure, and demographic variables. A link to the online survey was made available to ISACA members on the association's website.[13] ISACA members were informed of the availability of the survey link via a monthly email newsletter. Additionally, a personal email was sent through LinkedIn to ISACA members and other IT professionals requesting participation. Participation in the survey was voluntary.

Approximately 2,000 emails were sent out and 265 people began the survey.[14] Responses were eliminated for the following reasons: 5 participants did not qualify to complete the survey; 2 participants did not give consent; 71 responses were incomplete; and 28 responses came from outside the U.S. Further, one response was deleted because its accuracy was questionable: the participant worked for a public company, but indicated there was no board of directors. The final sample consists of 158 responses. On average, participants took 26 minutes to complete the survey.

IV. RESULTS

Descriptive Statistics

Table 1 presents the descriptive statistics of the participants based on industry (Panel A), current position (Panel B), type of firm (Panel C), firm size (Panel D), risk management and/or quality control frameworks implemented in the firm (Panel E), and whether the firm has a board of directors (Panel F). The largest group comes from various service industries (30.4 percent), followed by healthcare (22.8 percent), technology (16.5 percent) and banking (12.0 percent). Approximately 55 percent are employed in an IT manager or a senior executive position such as CIO, CTO, etc. Further, 24 participants (15.2 percent) work as consultants. The remaining participants reported various IT-related job titles such as systems analyst, internal/external IT auditor, database administrator, business analyst, IT governance manager, and IT security officer.

Forty-five participants (33.6 percent) work for a public company, whereas 62 (46.3 percent) work in private firms.[15] Of these 62 participants, 53 have a board of directors, as do 8 out of 12 respondents who work for a governmental agency. All nine participants from the non-profit sector indicate that their firm has a board of directors. Overall, 140 of 158 (88.6 percent) report that their workplace has a board. The majority of participants (67.7 percent) represent large firms with more than 1,000 employees (Panel D). This finding was expected, as the survey targeted people from firms with a board. Only 21 participants (13.3 percent) work for a small firm (less than 100 employees). Further, 25 indicate that their firm has not implemented a risk management or quality control framework. The COSO ERM framework (used by 60) is the most commonly cited framework for risk management, while ISO 27001 is the most commonly used quality control framework (33 participants). Some participants work for firms that use multiple frameworks.

Table 2 presents descriptive statistics based on demographic information of the participants. As indicated in Panel A, 84.8 percent are male. The majority of participants (74.7 percent) have more than 15 years of IT-related work experience, as represented in Panel B. As indicated in Panel C, 61 participants (38.6 percent) have completed some post-graduate work, and all but six have completed at least an undergraduate degree. Panel D indicates that most participants do not have an accounting degree. Overall, 88 indicate having an information systems or computer science-related education.

[13] ISACA members are IT professionals covering a wide range of disciplines, such as IT assurance, control, security, governance, and risk. Thus, these participants should be familiar with the Risk IT Framework (ISACA 2009a) and IT risk management in general.

[14] Based on the emails sent out the response rate is approximately 13.2 percent. The actual response rate is not known and may be considerably less, because we do not know how many of the participants responded to the email sent through ISACA. Walston, Lissitz, and Rudner (2006) and Fan and Yan (2010) provide a detailed analysis of response rates and conclude that web surveys yield lower response rates. The response rate may be due to the length of the survey, but it fits in the range of recent surveys of high-ranking IT professionals (e.g., Pinsker and Felden's [2016] 0.95 percent response rate and Son and Benbasat's [2007] 22 percent response rate).

[15] The 24 consultants are not asked to report the type of firm for their employer. Instead, they are asked to report whether their most recent client has a board of directors. Twenty-one out of the 24 consultants report that the client has a board of directors.

TABLE 1
Descriptive Statistics

Panel A: Participants by Industry

Industry           n      %
Banking           19   12.0
Healthcare        36   22.8
Technology        26   16.5
Manufacturing      9    5.7
Retail             4    2.5
Construction       3    1.9
Utilities          4    2.5
Transportation     6    3.8
Distribution       3    1.9
Other             48   30.4
Total            158  100.0

Panel B: Participants by Position

Position                                  n      %
Business Analyst                          2    1.3
Consultant                               24   15.2
Database Administrator                    1    0.6
Internal Auditor                         10    6.3
IT Manager                               23   14.6
Network Analyst                           5    3.2
Programmer                                3    1.9
Senior IT Management (CIO, CTO, etc.)    64   40.5
Systems Analyst                           4    2.5
Other                                    22   13.9
Total                                   158  100.0

Panel C: Participants by Type of Firm

Type of firm       n      %
Public            45   33.6
Private           62   46.3
Government        12    8.9
Non-Profit         9    6.7
Other              6    4.5
Total         134[a]  100.0

[a] The 24 consultants are not included.

Panel D: Participants by Firm Size

Firm size                     n      %
Less than 100 employees      21   13.3
Between 100 and 499          19   12.0
Between 500 and 999          11    7.0
Over 1,000 employees        107   67.7
Total                       158  100.0

Scale Analysis

This section explains item correlations, factor analysis, reliability, and validity of scale development for the maturity of IT risk management practices. The Pearson correlation matrices are presented in Tables 3, 4, and 5. Table 3 displays item correlations among benefit/value enablement risk management practices; Table 4 displays item correlations among operations/service delivery IT risk management practices; and Table 5 displays item correlations between benefit/value enablement IT risk management practices and operations/service delivery IT risk management practices. All correlations are significant (p < 0.01). Since any one management practice can influence other management practices, the high correlation among items is expected.

We conduct a common factor analysis (principal axis factoring) in order to determine whether the items load as expected on the two categories of risk management practices. The analysis was conducted on 158 responses using pairwise deletion and orthogonal rotation. Two factors emerge (eigenvalue > 1), as expected, for benefit/value enablement and operations/service delivery risk management practices.[16]

We conduct another common factor analysis using only the senior executive and IT manager responses (n = 87), as they are in a better position to evaluate the maturity of IT risk management practices. The item loadings are displayed in Table 6 (senior IT executives and IT managers columns). The following five items do not load on either category and are removed from further analysis: (1) analyze the adequacy of existing technology to meet operational needs (BV_1); (2) analyze emerging technologies and their impact on operations (BV_5); (3) follow a formal process to select IT suppliers (OS_1); (4) follow a formal process to monitor IT supplier service quality (OS_2); and (5) appropriately monitor and manage service desk activity (OS_10). The ten benefit/value enablement and nine operations/service delivery items included in the subsequent analysis are BV_2, BV_3, BV_4, BV_6, BV_7, BV_8, BV_9, BV_10, BV_11, BV_12, OS_3, OS_4, OS_5, OS_6, OS_7, OS_8, OS_9, OS_11, and OS_12 (see Table 6 for variable names).

Total variance explained by the two factors is 62.92 percent. The operations/service delivery risk management practices factor explains the majority of the variance (55.59 percent). This finding is consistent with managers paying more attention to reducing straightforward IT risks related to operations/service delivery rather than the more complex and abstract IT risks associated with strategy. Considering that the program/project related IT risk management practices are excluded, the variance explained by the two factors is sizable.

The Cronbach's alpha values for benefit/value enablement risk management practices and operations/service delivery risk management practices are 0.929 and 0.947, respectively. The subsequent analysis is based on the factor structure derived from analyzing the IT manager and senior IT executive responses. Thus, only the 19 items were selected to test the hypotheses.

TABLE 1 (continued)

Panel E: Participants Working for a Firm that has Implemented a Risk Management and/or Quality Control Framework

Framework                                        n[b]      %
ERM                                               60   37.9
COSO Internal Control—Integrated Framework        36   22.8
COBIT                                             31   19.6
ISO 9000                                          15    9.5
ISO 27001                                         33   20.9
ISO 31000                                          8    5.1
Other                                             26   16.4
None                                              25   15.8

[b] The participants reported all frameworks implemented in their firm; thus, the total does not equal 158.

Panel F: Participants Representing Firms with or without a Board of Directors

                               n      %
Has a board of directors     140   88.6
No                            17   10.8
Do not know                    1    0.6
Total                        158  100.0

[16] Total variance explained by the two factors is 61.63 percent. The operations/service delivery risk management practices factor explains the majority of the variance (55.69 percent). The Cronbach's alpha values for benefit/value enablement and operations/service delivery risk management practices are 0.941 and 0.946, respectively.

Hypothesis Testing

We conduct a univariate analysis of variance (ANOVA) in order to determine whether there are significant differences in IT risk management practices for the various reporting structures discussed in H1 and H2 (see Table 7). Then, we compare the means to observe whether the maturity of IT risk management practices is significantly higher/lower for the given reporting structures appearing in both hypotheses. Only the participants who work for a firm with a board of directors were selected for this analysis (n = 140). The dependent variable, IT risk management practices (benefit/value enablement and operations/service delivery), was obtained by summing the item scores obtained from scale development and dividing by the number of items. Therefore, the scores are based on ten benefit/value enablement items and nine operations/service delivery items (based on the factor analysis [n = 87] presented in Table 6).

TABLE 2
Sample Distribution Based on Demographics

Panel A: Gender

            n      %
Male      134   84.8
Female     24   15.2
Total     158  100.0

Panel B: Number of Years of Work Experience

Years           n      %
1 to <5         2    1.3
5 to <10       13    8.2
10 to <15      25   15.8
15 to <30      91   57.6
30 or more     27   17.1
Total         158  100.0

Panel C: Highest Level of Education

                           n      %
High School                6    3.8
Undergraduate Degree      40   25.3
Graduate Degree           51   32.3
Post Graduate Degree      56   35.4
Doctoral Degree            5    3.2
Total                    158  100.0

Panel D: Undergraduate Background

                                                       n[a]
Undergraduate major/minor in accounting                 15
Undergraduate major/minor in management                 39
Undergraduate major/minor in engineering                29
Undergraduate major/minor in computer science/IT/MIS    88
Undergraduate major/minor in other                      38

[a] The participants reported their undergraduate major and also minor if applicable; hence, the total does not equal 158.
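The composite maturity score just described, the Cronbach's alpha reported for the two scales, and the one-way ANOVA F statistic used in the hypothesis tests can all be reproduced with a few lines of code. The following is an added example by the editor, not code from the paper or its authors: the four respondents, their three item scores on the seven-point never-to-always scale and the CIO_CEO dummy are constructed so the figures can be checked by hand, and the item subset they stand in for is hypothetical.

```python
"""Composite maturity score, Cronbach's alpha and a one-way ANOVA F statistic
for Likert-scale risk management practice items.

Added illustration, not the authors' code. The responses below are
constructed (four respondents, three items on the 1-7 never..always scale)
purely so the arithmetic can be checked by hand; real data would carry the
ten BV_ and nine OS_ items retained in Table 6.
"""
from statistics import mean, variance

# Constructed sample: each row is one respondent's scores on three
# benefit/value enablement items (a hypothetical subset such as BV_2, BV_3, BV_6).
RESPONSES = [
    [7, 6, 7],
    [5, 5, 6],
    [3, 4, 3],
    [2, 1, 2],
]
# Constructed CIO_CEO dummy for the same respondents: 1 = CIO reports to the CEO.
CIO_CEO = [1, 1, 0, 0]


def composite_score(item_scores):
    """Sum of item scores divided by the number of items (the paper's DV)."""
    return sum(item_scores) / len(item_scores)


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)).

    The variance estimator (sample variance, ddof=1, here) cancels in the
    ratio, so alpha is the same whichever estimator is applied consistently.
    """
    k = len(rows[0])
    if k < 2 or len(rows) < 2:
        raise ValueError("need at least two items and two respondents")
    item_vars = [variance([row[j] for row in rows]) for j in range(k)]
    total_var = variance([sum(row) for row in rows])
    if total_var == 0:
        raise ValueError("no variance in total scores; alpha undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def _split(values, groups):
    """Group dependent-variable values by the dummy they belong to."""
    by_group = {}
    for v, g in zip(values, groups):
        by_group.setdefault(g, []).append(v)
    return by_group


def group_means(values, groups):
    """Mean composite score per group, e.g. {1: ..., 0: ...}."""
    return {g: mean(vs) for g, vs in _split(values, groups).items()}


def anova_f(values, groups):
    """One-way ANOVA F statistic for a dependent variable split by a dummy.

    Returns (F, df_between, df_within). The p-value needs the F distribution
    (e.g. scipy.stats.f.sf), which is deliberately not required here.
    """
    by_group = _split(values, groups)
    if len(by_group) < 2:
        raise ValueError("need at least two groups")
    grand = mean(values)
    ss_between = sum(len(vs) * (mean(vs) - grand) ** 2 for vs in by_group.values())
    ss_within = sum((v - mean(vs)) ** 2 for vs in by_group.values() for v in vs)
    df_b = len(by_group) - 1
    df_w = len(values) - len(by_group)
    if df_w == 0 or ss_within == 0:
        raise ValueError("within-group variance is zero; F undefined")
    return (ss_between / df_b) / (ss_within / df_w), df_b, df_w


if __name__ == "__main__":
    scores = [composite_score(r) for r in RESPONSES]
    print("composite scores:", [round(s, 3) for s in scores])
    print("Cronbach's alpha:", round(cronbach_alpha(RESPONSES), 3))
    print("group means:", group_means(scores, CIO_CEO))
    f_stat, df_b, df_w = anova_f(scores, CIO_CEO)
    print(f"F({df_b}, {df_w}) = {f_stat:.3f}")
```

Run as a script, the block prints the four composite scores, alpha = 0.975 and F(1, 2) = 10.756 for the constructed data. Alpha is reported in the paper as a reliability check on each 10- and 9-item scale before the composite is formed; the p-value for F is left to an F-distribution routine such as scipy.stats.f.sf(F, df_between, df_within), which is not needed to run the block.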

For H1a and H1b, we analyze the maturity of risk management practices and the individual to whom the CIO reports. Among our participants, 85 work for firms where the CIO reports to the CEO, 32 where the CIO reports to the CFO, and 23 where the CIO reports to someone else. For H1a, the results indicate that the benefit/value enablement IT risk management practices are significantly higher for firms where the CIO reports to the CEO versus when the CIO reports to any other executive (mean = 5.635 and 5.033, respectively; F = 8.437; p = 0.004). The total variance explained by this model is 5.1 percent.

We conduct a multivariate analysis of variance (MANOVA) using the ten items and find that when the CIO reports to the CEO, there is greater risk management maturity for seven of the ten items at the 0.10 significance level (BV_2 mean = 5.707 and 5.151, p = 0.060; BV_3 mean = 5.890 and 5.113, p = 0.006; BV_4 mean = 5.671 and 5.169, p = 0.084; BV_6 mean = 6.109 and 5.415, p = 0.005; BV_7 mean = 5.817 and 4.962, p = 0.002; BV_10 mean = 5.829 and 5.339, p = 0.036; BV_12 mean = 5.305 and 4.453, p = 0.005). These untabulated results suggest that firms have better business/IT alignment when the CIO reports to the CEO rather than to any other executive; they corroborate the ANOVA tests using the composite score and support H1a. Overall, our evidence indicates that benefit/value enablement IT risk management practices are more mature for firms where the CIO reports to the CEO rather than to any other executive.

When considering H1b, results in Table 7 indicate that there are no group differences in the maturity of operations/service delivery IT risk management practices for firms in which the CIO reports to the CFO (n = 32) versus firms in which the CIO reports to any other executive (n = 108; F = 2.164; p = 0.14). We conduct another MANOVA using the nine risk practices and find no item on which operations/service delivery maturity is greater when the CIO reports to the CFO; the only item that differs (OS_12 mean = 5.000 and 5.620; p = 0.045) does not favor the CFO group. Therefore, we cannot conclude that risk maturity for operations/service delivery IT risk management practices is higher when the CIO reports to the CFO.

TABLE 3
Pearson Correlations
Items for Benefit/Value Enablement Risk Management Practices (n = 158)[a]

Items:
BV_1   Analyze the adequacy of existing technology to meet operational needs
BV_2   Assess the strategic alignment of IT and IT risks
BV_3   Follow a formal process to prioritize IT investments
BV_4   Involve other departments in the selection of IT investments
BV_5   Analyze emerging technologies and their impact on operations
BV_6   Have and follow a system of accountability for managing IT projects
BV_7   Use a technology infrastructure plan that is in alignment with strategic and tactical goals
BV_8   Communicate appropriately between IT and other business units
BV_9   Facilitate a process where business units can take ownership of the system and data
BV_10  Supervise IT personnel to ensure that roles and responsibilities are properly exercised
BV_11  Clearly communicate IT objectives to key users
BV_12  Use performance metrics to evaluate IT investments

Correlations (lower triangle):
        BV_1   BV_2   BV_3   BV_4   BV_5   BV_6   BV_7   BV_8   BV_9   BV_10  BV_11
BV_1    1
BV_2    0.596
BV_3    0.500  0.652
BV_4    0.413  0.517  0.480
BV_5    0.790  0.629  0.506  0.418
BV_6    0.602  0.739  0.655  0.477  0.611
BV_7    0.704  0.639  0.563  0.445  0.626  0.598
BV_8    0.595  0.575  0.421  0.479  0.536  0.484  0.678
BV_9    0.533  0.590  0.453  0.464  0.471  0.535  0.568  0.690
BV_10   0.569  0.585  0.439  0.463  0.579  0.612  0.672  0.650  0.612
BV_11   0.524  0.569  0.472  0.442  0.566  0.562  0.651  0.686  0.594  0.562
BV_12   0.574  0.661  0.509  0.453  0.587  0.689  0.649  0.475  0.561  0.520  0.620

[a] All correlations are significant at the 0.01 level (two-tailed).

TABLE 4
Pearson Correlations
Items for Operations/Service Delivery Risk Management Practices (n = 158)[a]

Items:
OS_1   Follow a formal process to select IT suppliers
OS_2   Follow a formal process to monitor IT supplier service quality
OS_3   Implement security measures to secure physical IT assets
OS_4   Have and follow an established plan for maintaining software
OS_5   Follow formal change management procedures
OS_6   Periodically evaluate the integrity of data configurations
OS_7   Follow a software quality assurance plan
OS_8   Periodically test the validity of transaction processes
OS_9   Verify that system outputs are handled in an authorized manner
OS_10  Appropriately monitor and manage service desk activity
OS_11  Monitor system performance against established metrics
OS_12  Configure controls during hardware and software updates

Correlations (lower triangle):
        OS_1   OS_2   OS_3   OS_4   OS_5   OS_6   OS_7   OS_8   OS_9   OS_10  OS_11
OS_1    1
OS_2    0.808
OS_3    0.573  0.547
OS_4    0.607  0.667  0.687
OS_5    0.531  0.548  0.498  0.601
OS_6    0.448  0.582  0.468  0.595  0.555
OS_7    0.493  0.663  0.530  0.701  0.504  0.615
OS_8    0.565  0.643  0.594  0.604  0.511  0.647  0.675
OS_9    0.548  0.625  0.509  0.547  0.619  0.666  0.648  0.776
OS_10   0.397  0.401  0.532  0.453  0.467  0.365  0.507  0.485  0.515
OS_11   0.470  0.553  0.569  0.601  0.547  0.534  0.696  0.681  0.677  0.519
OS_12   0.475  0.546  0.596  0.649  0.542  0.596  0.753  0.685  0.645  0.636  0.642

[a] All correlations are significant at the 0.01 level (two-tailed).

TABLE 5
Pearson Correlations among Benefit/Value Enablement and Operations/Service Delivery Risk Management Practices (n = 158)[a]

        BV_1[b] BV_2   BV_3   BV_4   BV_5   BV_6   BV_7   BV_8   BV_9   BV_10  BV_11  BV_12
OS_1[b] 0.572   0.506  0.516  0.358  0.533  0.546  0.623  0.462  0.529  0.501  0.465  0.571
OS_2    0.570   0.557  0.481  0.330  0.536  0.642  0.622  0.496  0.583  0.543  0.470  0.620
OS_3    0.469   0.449  0.330  0.342  0.459  0.416  0.563  0.475  0.466  0.532  0.442  0.479
OS_4    0.574   0.548  0.400  0.300  0.586  0.519  0.634  0.528  0.508  0.601  0.528  0.554
OS_5    0.438   0.429  0.410  0.275  0.452  0.522  0.417  0.471  0.455  0.430  0.442  0.517
OS_6    0.462   0.596  0.424  0.378  0.580  0.601  0.474  0.535  0.453  0.533  0.507  0.542
OS_7    0.523   0.588  0.465  0.373  0.483  0.606  0.604  0.504  0.538  0.628  0.561  0.625
OS_8    0.478   0.506  0.413  0.364  0.537  0.538  0.556  0.436  0.499  0.555  0.500  0.554
OS_9    0.496   0.515  0.379  0.365  0.546  0.587  0.496  0.527  0.565  0.610  0.522  0.522
OS_10   0.613   0.375  0.424  0.319  0.533  0.462  0.484  0.434  0.384  0.527  0.458  0.432
OS_11   0.525   0.509  0.347  0.383  0.501  0.516  0.560  0.491  0.533  0.540  0.505  0.600
OS_12   0.584   0.523  0.492  0.399  0.572  0.559  0.611  0.492  0.459  0.625  0.515  0.489

[a] All correlations are significant at the 0.01 level (two-tailed).
[b] See Tables 3 and 4 for item descriptions.

Recall for H2 that we predict that a CEO separate from the chairman of the board will result in more mature risk management practices than if there is a dual role. We report ANOVA results in Table 7 for all 19 risk measures in one composite score. We also separately analyze the benefit/value enablement and operations/service delivery risks. We do not find differences in any aspect of maturity between firms that do and do not combine the CEO and chairman of the board roles (n = 116; F = 0.16, p = 0.69 for the composite risk; F = 0.011, p = 0.915 for benefit/value enablement; and F = 0.466, p = 0.496 for operations/service delivery, untabulated).[17] To further understand the results we conduct a MANOVA (untabulated) and find no differences for any of the 19 items.

Next, we analyze H2 using only participants who work for publicly traded companies. We have 24 observations where the CEO is the chairman of the board, and 13 where the CEO is separate from the chairman. The maturity of risk management practices is higher for firms in which the CEO is the chairman of the board than for firms in which the CEO is separate from the chairman of the board (mean = 5.602 and 4.765, respectively; n = 37; F = 4.518; p = 0.041) when we test a composite score for all risk practices. We also find that maturity of risk management practices for benefit/value enablement is higher when there is CEO/Chairman duality than when the CEO is separate from the chairman of the board (mean = 5.475 and 4.669, respectively; F = 3.276; p = 0.079). For operations/service delivery risk, we find that maturity is higher under duality than under separation (mean = 5.748 and 4.871, respectively; F = 5.234; p = 0.028). Thus, H2 is not supported.

TABLE 6
Factor Loadings for Benefit/Value Enablement and Operations/Service Delivery

Columns: Full Sample (n = 158) and Senior IT Executives and IT Managers (n = 87); within each, OS = Operations/Service Delivery factor, BV = Benefit/Value Enablement factor.

        Full sample      Senior IT execs
        (n = 158)        and IT managers (n = 87)
Item    OS      BV       OS      BV       Description
BV_1    0.407   0.666    0.195   0.368    Analyze the adequacy of existing technology to meet operational needs
BV_2    0.336   0.757    0.322   0.712    Assess the strategic alignment of IT and IT risks
BV_3    0.244   0.661    0.202   0.624    Follow a formal process to prioritize IT investments
BV_4    0.205   0.569    0.110   0.660    Involve other departments in the selection of IT investments
BV_5    0.426   0.640    0.314   0.420    Analyze emerging technologies and their impact on operations
BV_6    0.419   0.687    0.320   0.652    Have and follow a system of accountability for managing IT projects
BV_7    0.438   0.702    0.332   0.571    Use a technology infrastructure plan that is in alignment with strategic and tactical goals
BV_8    0.378   0.642    0.294   0.569    Communicate appropriately between IT and other business units
BV_9    0.413   0.599    0.228   0.596    Facilitate a process where business units can take ownership of the system and data
BV_10   0.511   0.574    0.454   0.563    Supervise IT personnel to ensure that roles and responsibilities are properly exercised
BV_11   0.392   0.633    0.297   0.701    Clearly communicate IT objectives to key users
BV_12   0.458   0.622    0.372   0.553    Use performance metrics to evaluate IT investments
OS_1    0.522   0.493    0.295   0.236    Follow a formal process to select IT suppliers
OS_2    0.627   0.472    0.484   0.316    Follow a formal process to monitor IT supplier service quality
OS_3    0.644   0.321    0.561   0.250    Implement security measures to secure physical IT assets
OS_4    0.696   0.401    0.617   0.262    Have and follow an established plan for maintaining software
OS_5    0.614   0.321    0.635   0.169    Follow formal change management procedures
OS_6    0.603   0.419    0.778   0.264    Periodically evaluate the integrity of data configurations
OS_7    0.712   0.411    0.722   0.393    Follow a software quality assurance plan
OS_8    0.786   0.298    0.766   0.264    Periodically test the validity of transaction processes
OS_9    0.753   0.336    0.707   0.246    Verify that system outputs are handled in an authorized manner
OS_10   0.509   0.385    0.303   0.189    Appropriately monitor and manage service desk activity
OS_11   0.712   0.341    0.618   0.261    Monitor system performance against established metrics
OS_12   0.714   0.387    0.698   0.373    Configure controls during hardware and software updates

Benefit/value enablement risks (BV) = risks associated with missed opportunities to use technology to improve the effectiveness and efficiency of business processes; operations and service delivery risks (OS) = risks associated with the performance of IT systems and services such as service interruptions, compliance, and security.

Alternative Explanation

Although the findings are contrary to the agency perspective hypothesized earlier, they are consistent with stewardship theory: they suggest that managers' intentions are pro-organizational rather than self-serving (Abels and Martelli 2013). Stewardship theory identifies management as motivated to operate in the best interest of the shareholders (Davis, Schoorman, and Donaldson 1997). Thus, when the CEO serves as the chairman of the board of directors, (s)he is able to act in the best interest of the firm. Adams and Ferreira's (2007) theoretical model further suggests that having the CEO as the chairman of the board of directors may have positive consequences for the advice received from the board. They explain that the board has two roles, a monitoring role and an advising role, and argue that the CEO faces a trade-off in disclosing information to the board, because a more informed board is more likely to provide better advice but, at the same time, monitors the CEO more intensively. Consequently, the CEO may be reluctant to share all information with the board, since an independent board is a tougher monitor. Therefore, Adams and Ferreira (2007) argue that having the CEO be the chairman of the board will lead to better advising because (s)he will be more motivated to share information with the board of directors.

We argue that the H2 results indicate a stewardship perspective, where the CEO is at liberty to share information related to IT risks and, hence, receives superior advising from the board to implement better IT risk management practices, which translates into more mature IT risk management practices in firms in which the CEO is the chairman of the board. To be consistent with the earlier analysis, we perform another untabulated MANOVA for all 19 of the risk practices. We find

TABLE 7
Univariate Analysis of Variance

The last three columns report the univariate analysis of variance main effect.

Hypothesis | Variable | Independent Variable | Mean Difference of Maturity | F | p
H1a | Benefit/value enablement IT risk management practices: average of ten item scores | CIO reports to CEO (n = 85) versus CIO reports to Other (n = 55) | 0.602 | 8.437 | 0.004
H1b | Operations/service delivery IT risk management practices: average of nine item scores | CIO reports to CFO (n = 32) versus CIO reports to Other (n = 108) | 0.344 | 2.164 | 0.144
H2 | Both benefit/value and operations/service delivery IT risk management practices: average of 19 item scores | CEO is chairman of the board (n = 74) versus CEO separate from the chairman (n = 42) | 0.089 | 0.160 | 0.690
H2, public companies | Both benefit/value and operations/service delivery IT risk management practices: average of 19 item scores | CEO is chairman of the board (n = 24) versus CEO separate from the chairman (n = 13) | 0.837 | 4.518 | 0.041

[17] Our sample size is smaller for this test because some participants indicated that they did not know whether the CEO was also the chairman of the board. Those participants were excluded from the current analysis.

significant differences for nine items (means for duality and separation, respectively: BV_4 mean = 6.091 and 5.077, p = 0.066; BV_6 mean = 5.591 and 4.615, p = 0.091; BV_10 mean = 5.727 and 4.846, p = 0.062; BV_11 mean = 5.318 and 4.077, p = 0.043; OS_4 mean = 5.773 and 4.615, p = 0.024; OS_5 mean = 6.136 and 5.077, p = 0.026; OS_6 mean = 5.682 and 4.692, p = 0.063; OS_7 mean = 5.500 and 4.231, p = 0.037; and OS_8 mean = 5.682 and 4.692, p = 0.074) at a 0.10 significance level. The common theme among most of these nine items is that they refer to following formal procedures. Hence we infer that firms with CEO/Chairman duality are better at establishing and following formal IT risk management procedures than firms in which the CEO is separate from the chairman.

Additional Analyses

This section describes multiple additional analyses, conducted for robustness and to glean further insights from our testing. In separate analyses, we retest our hypotheses by (1) excluding the 25 responses from people who work for firms that do not use a risk management or quality control framework, (2) excluding the 24 responses from consultants, and (3) including the 28 responses from people working outside of North America. The results from all three analyses are qualitatively similar to our earlier findings.

We next consider extending our findings with regard to the CIO/CEO reporting relationship. Although we predict that the maturity of operations/service delivery risk management practices will be greater when the CIO reports to the CFO, our results do not bear this out. Our H1a results indicate that firms with more mature benefit/value enablement IT risk management practices have the CIO reporting to the CEO. We now extrapolate the possibility of mature IT risk management practices for the second category of IT risks: operations/service delivery activities. Interestingly, we find that the maturity of operations/service delivery IT risk management practices is significantly higher at the 0.10 level (F = 3.826; p = 0.052) for firms in which the CIO reports to the CEO (n = 85; mean = 5.644) than for firms in which the CIO reports to any other executive (n = 55; mean = 5.253). This result indicates that attention by the CEO is the primary driver of IT risk maturity, regardless of risk type.

The data show mixed results for reporting structure differences attributed to the operations/service delivery IT risks. MANOVA tests (untabulated) indicate that the differences are driven by only three of the risk practices (OS_6 mean = 5.481 and 4.939, p = 0.064; OS_7 mean = 5.317 and 4.571, p = 0.012; and OS_12 mean = 5.772 and 5.020, p = 0.004). We speculate that, given the regulatory changes brought on by the Sarbanes-Oxley Act and enhanced proxy disclosure requirements, firms may be increasingly focusing on internal control-related IT risk management practices.

Finally, we re-examine our first set of hypotheses by including industry, type of firm (public, private, government, non-profit, and other), and the interaction effects of CIO reporting structure with type of firm and of CIO reporting structure with industry, in an attempt to provide more meaningful insights for future research. We find that the type of industry a firm operates in has a significant impact on operations/service delivery IT risk management practices regardless of whether the CIO reports to the CFO (F = 2.757; p = 0.007) or the CIO reports to the CEO (F = 2.542; p = 0.012). This finding is intuitive, since firms that operate in industries heavily reliant on IT are likely to have better operations/service delivery IT risk management practices. We do not find an interaction effect between the type of firm and CIO/CEO reporting structure on benefit/value enablement risk management practices (p > 0.10), but we find a significant interaction effect (F = 2.504; p = 0.047) between the type of firm and CIO/CFO reporting structure for operations/service delivery risk management practices. Our context and research questions limit the use of these findings; however, researchers interested in firm type differences, industry differences, and nonlinear relationships related to IT risk management practices should take these initial findings and drill down deeper to provide further insights.

V. CONCLUSIONS, LIMITATIONS, AND FUTURE RESEARCH

A 2009 SEC requirement mandates that firms report the board's leadership structure and the relationship between the board and its senior management in managing the material risks facing the firm. Further, a recent NACD (2014a) survey indicates that 36 percent of board members are not satisfied with the quality of information provided by management on IT risk, and 52 percent are not satisfied with the quantity of that information. We contend that a firm's reporting structure and board leadership structure are major reasons for the communication problems involved when managing IT risk and, therefore, investigate whether there are differences in the maturity of IT risk management practices based on the CIO reporting structure and CEO/Chairman of the board duality. We rely on upper echelon theory and strategic choice theory (CIO reporting structure), and agency theory (CEO/Chairman of the board duality) as our theoretical guidelines.

Before we conduct our testing, we first develop a scale to measure two IT risk management categories (benefit/value enablement risks and operations/service delivery risks) that are based on conceptual best practices provided in ISACA's (2009a) Risk IT Framework and specific scenarios identified in the Risk IT Practitioner Guide (ISACA 2009b). Ten benefit/value enablement IT risk management practices and nine operations/service delivery IT risk management practices are identified and confirmed via factor analysis and reliability testing to measure the maturity of the two IT risk categories using responses from IT professionals. We then statistically analyze the maturity of IT risk management practices with regard to potential CIO reporting relationships and CEO/Chairman of the board duality.

Results indicate that the maturity of benefit/value enablement IT risk management practices is higher for firms where the CIO reports to the CEO. Additionally, contrary to expectations, we find that the maturity of operations/service delivery risk practices is higher when the CIO reports to the CEO than when the CIO reports to the CFO. Overall, the findings suggest the CEO is in the best position to manage IT risks. In multivariate testing we find that specific risk management practices drive the results of the univariate tests. This finding suggests that the CEO does not manage all risk scenarios equally. Additional analysis produces two possible reasons why managers focus on only some of the risk management activities: the industry or the IT dependency of operations. Future research should address "why" this is true by investigating these two possibilities in more detail.

We do not find significant results when testing the role of CEO/Chairman of the board duality in the maturity of IT risk management practices using the full sample. When only including responses from participants who work for public companies, we find that IT risk management maturity is higher when there is CEO/Chairman of the board duality. This finding is contrary to the predictions of agency theory, where CEO/Chairman duality is discouraged. Alternatively, the surprising finding supports the stewardship view, where the CEO is in a position to obtain better advice from the board. Investigating the reasons for this unexpected finding represents another interesting opportunity for future research.

Finally, in additional analyses we find that some of the risk management practices (four benefit/value enablement and five operations/service delivery risk management practices) drive our earlier CEO/Chairman of the board results. This result suggests that the maturity of IT risk management practices is not specific to one category of IT risks when the CEO is the chairman of the board. Future research has the opportunity to delve deeper into finding out why certain practices drive the results of each category. The Risk IT Framework (ISACA 2009a) is broad and implies that no specific practice drives any other practice. Further investigation into this issue can help enhance that framework or provide additional detail to the Risk IT Practitioner Guide (ISACA 2009b).

Our study has some limitations. There is the possibility of a response bias, which is common to all surveys. Next, the number of participants who work for public companies, where the boards will be most involved in risk management, is relatively limited. Small sample sizes limit the analysis that can be done by firm type. Further, related to Hinkin's (1998) fifth step, we are not able to obtain an independent sample to validate the scale development. Thus, the generalizability of the scale development is limited.

In addition to the future research opportunities already mentioned, researchers should explore whether the board committee that oversees IT risk drives the maturity of IT risk management. For example, if the audit committee has responsibility for risk oversight, IT risk management maturity may be higher when the CIO reports to the CFO, as that CFO will have regular meetings with the audit committee. Thus, the CIO reporting structure may have an impact on board-level and, specifically, audit committee awareness of IT risk issues. Related research should also investigate whether maturity depends on whether risk oversight is assigned to specific committees (e.g., risk, technology, and audit) or to the entire board.

There are several implications of our research. Our initial contention is that reporting structure can affect how well IT risk management practices are established in firms. In aggregate, our results support this contention. Specifically, we find that the maturity of IT risk management practices is highest when the CIO reports to the CEO. This finding suggests that top management attention is necessary to establish better IT risk management practices. Further, our results from public companies suggest that IT issues are more likely to be elevated to the board and, thus, to receive greater oversight attention in firms where there is CEO/Chairman of the board duality. Firms without CEO/Chairman of the board duality may need to implement practices to ensure IT risk issues are included in the board agenda and in turn get appropriate attention. Finally, the scales developed in this research may be used to evaluate the maturity of IT risk practices in other research contexts. For example, they may be used in research involving IT controls and risk practices.

REFERENCES

Abels, P., and J. Martelli. 2013. CEO duality: How many hats are too many? Corporate Governance 13 (2): 135–147.
Adams, R., and D. Ferreira. 2007. A theory of friendly boards. The Journal of Finance 62 (1): 217–250.
Ali, S., P. Green, and A. Robb. 2013. Measuring top management's IT governance knowledge absorptive capacity. Journal of Information Systems 27 (1): 137–155.
Banker, R. D., N. Hu, P. A. Pavlou, and J. Luftman. 2011. CIO reporting structure, strategic positioning, and firm performance. MIS Quarterly 35 (2): 487.
Bart, C., and O. Turel. 2010. IT and the board of directors: An empirical investigation into the "governance questions" Canadian board members ask about IT. Journal of Information Systems 24 (2): 147–172.
Breeden, R. 2003. Restoring Trust. Report to the United States District Court for the Southern District of New York, NY. Available at: http://www.law.du.edu/images/uploads/restoring-trust.pdf
Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth effects of announcements of newly created CIO positions. MIS Quarterly 25 (1): 43–70.
Child, J. 1997. Strategic choice in the analysis of action, structure, organizations and environment: Retrospect and prospect. Organization Studies 18 (1): 43–70.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management—Integrated Framework. New York, NY: AICPA.
Crocker, L., and J. Algina. 2008. Introduction to Classical & Modern Test Theory. Mason, OH: Cengage Learning.
Davis, J. H., F. D. Schoorman, and L. Donaldson. 1997. Toward a stewardship theory of management. The Academy of Management Review 22 (1): 20–47.
Debreceny, R. 2013. Research on IT governance, risk, and value: Challenges and opportunities (Guest editorial). Journal of Information Systems 27 (1): 129–135.
Enns, H. G., S. L. Huff, and C. A. Higgins. 2003. CIO lateral influence behaviors: Gaining peers' commitment to strategic information systems. MIS Quarterly 27 (1): 155–174.
Fan, W., and Z. Yan. 2010. Factors affecting response rates of the web survey: A systematic review. Computers in Human Behavior 26: 132–139.
Feeny, D., B. Edwards, and K. Simpson. 1992. Understanding the CEO/CIO relationship. MIS Quarterly 16 (4): 435–448.
Gottschalk, P. 1999. Strategic management of IS/IT functions: The role of the CIO in Norwegian organizations. International Journal of Information Management 19 (5): 389–399.
Gupta, Y. 1991. The chief executive officer and the chief information officer: The strategic partnership. Journal of Information Technology 6: 128–139.
Hall, R., T. Keane, C. McConnell, and S. Becker. 2005. The 21st century board: Structure, responsibility, assessment. Journal of Leadership & Organizational Studies 11 (3): 62–71.
Hambrick, D., and P. Mason. 1984. Upper echelons: The organization as a reflection of its top managers. Academy of Management Review (April): 193–206.
Hambrick, D. 2007. Upper echelon theory: An update. Academy of Management Review 32 (2): 334–343.
Hinkin, T. 1998. A brief tutorial on the development of measures for use in survey questions. Organizational Research Methods 1: 104–121.
Huff, S., M. Maher, and M. Munro. 2004. What boards don't do—but must do—about information technology. Ivey Business Journal Online (September/October): 1–4.
Information Systems Audit and Control Association, Inc. (ISACA). 2009a. The Risk IT Framework. 1–106. Available at: www.isaca.org
Information Systems Audit and Control Association, Inc. (ISACA). 2009b. The Risk IT Practitioner Guide. 1–136. Available at: www.isaca.org
Information Systems Audit and Control Association, Inc. (ISACA). 2012. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. 1–94. Available at: www.isaca.org
Jewer, J., and K. McKay. 2012. Antecedents and consequences of board IT governance: Institutional and strategic choice perspective. Journal of the Association for Information Systems 13 (7): 581–617.
Johnson, A., and A. Lederer. 2007. The impact of communication between CEOs and CIOs on their shared views of the current and future role of IT. Information Systems Management 24 (1): 85–90.
Johnson, A., and A. Lederer. 2010. CEO/CIO mutual understanding, strategic alignment, and the contribution of IS to the organization. Information & Management 47: 138–149.
Jones, M., S. Taylor, and B. Spencer. 1995. The CEO/CIO relationship revisited: An empirical assessment of satisfaction with IS. Information & Management 29: 123–130.
King, W. 2013. Including the CIO in top management. Information Systems Management 25 (2): 188–189.
KPMG. 2013. The Transformation of IT Risk Management. Available at: https://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/transformating-it-risk-management.pdf
Lindorff, D. 2005. Teaming up to take on SOX. Treasury and Risk Management (May): 25–28.
Luftman, J., and R. Kempaiah. 2007. An update on business-IT alignment: "A line" has been drawn. MIS Quarterly Executive 6 (3): 165–177.
McKeen, J., and H. Smith. 2003. Making IT Happen: Critical Issues in IT Management. Chichester, U.K.: John Wiley & Sons.
National Association of Corporate Directors (NACD). 2013. 2013–2014 NACD Public Company Governance Survey. Available at: http://www.nacdonline.org/survey
National Association of Corporate Directors (NACD). 2014a. 2014–2015 Public Company Governance Survey. Available at: http://NACDonline.org/Public
National Association of Corporate Directors (NACD). 2014b. Cyber-Risk Oversight Handbook. Available at: http://www.nacdonline.org/cyber
Parent, M., and B. Reich. 2009. Governing information technology risk. California Management Review 51 (3): 134–152.
Patel, N. 2002. Emergent forms of IT governance to support global e-business models. Journal of Information Technology Theory and Application 4 (2): 33–48.
Pinsker, R., and C. Felden. 2016. Professional role and normative pressure: The case of voluntary XBRL adoption in Germany. Journal of Emerging Technologies in Accounting (forthcoming).
Preston, D., D. Chen, and D. Leidner. 2008. Examining the antecedents and consequences of CIO strategic decision-making authority: An empirical study. Decision Science 39 (4): 605–642.
PricewaterhouseCoopers (PwC). 2013. PwC Brings Out 2013 Annual Corporate Directors Survey. Available at: http://www.directorscenter.com/pwc-2013-annual-corporate-directors-survey/
Raghunathan, B., and T. Raghunathan. 1989. Relationship of the rank of information systems executive to the organizational role and planning dimensions of information systems. Journal of Management Information Systems 6 (1): 111–126.
Savidge, J. 2008. Financial aspects of technology management. The CPA Journal 78 (5): 46–48.
Securities and Exchange Commission (SEC). 2009. Securities and Exchange Commission Proxy Disclosure Enhancements. Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09. Available at: http://www.sec.gov/news/press/2009/2009-268.htm
Sherer, S., and S. Alter. 2004. Information system risk and risk factors: Are they mostly about information systems? Communications of the Association for Information Systems 14: 29–64.
Smith, H., and J. McKeen. 2009. Developments in practice XXXIII: A holistic approach to managing IT-based risk. Communications of the Association for Information Systems 25: 519–530.
Son, J., and I. Benbasat. 2007. Organizational buyers' adoption and use of B2B electronic marketplaces: Efficiency- and legitimacy-oriented perspectives. Journal of Management Information Systems 24 (1): 55–99.
Stephens, C. S., W. N. Ledbetter, A. Mitra, and F. N. Ford. 1992. Executive or functional manager? The nature of the CIO's job. MIS Quarterly 16 (4): 449.
Sutton, S., C. Hampton, D. Khazanchi, and V. Arnold. 2008. Risk analysis in extended enterprise environments: Identification of critical risk factors in B2B e-commerce relationships. Journal of the Association for Information Systems 9 (3/4): 151–174.
Taylor, H., E. Artman, and J. Woelfer. 2012. Information technology project risk management: Bridging the gap between research and practice. Journal of Information Technology 27: 17–34.
Turel, O., and C. Bart. 2014. Board-level IT governance and organizational performance. European Journal of Information Systems 23: 223–239.
Walston, J., R. Lissitz, and L. Rudner. 2006. The influence of web-based questionnaire presentation variations on survey cooperation and perceptions of survey quality. Journal of Official Statistics 22 (2): 271–291.
Weismantel, G. 2007. Building CFO-CIO bonds through performance management. Business Performance Management (August): 14–17.
Wilkin, C., and R. Chenhall. 2010. A review of IT governance: A taxonomy to inform accounting information systems. Journal of Information Systems 24 (2): 107–146.

APPENDIX A
Measurement Items

Online Appendix: http://dx.doi.org/10.2308/isys-51365.s01
