Communications of the ACM

Internet of things). 2, 14, 17, 19 Figure 1 outlines the differences among the three categories of technology, partly based on Weill and Broadbent, 25 Weill and Ross, 26 and Andriole. 2, 3

In the 1970s and 1990s, infrastructure, in-house-developed applications, and databases were often centralized under the command of an enterprise chief information officer (CIO). Part of this command structure can be explained by the relative scarcity of hardware and software diversity at the time, unlike today, when there are many more hardware, software, communications, and delivery options than the popular “command and control” approach to managing corporate assets.

Over time, centralization yielded to decentralization and then federation. Enterprise CIOs countered with “technology standardization,” believing even if the lines of business had some control, so long as they controlled the technology standards around primary devices—servers, desktops, and communications—they were still essentially in charge, even if they did not select every one of the organization’s business applications. The centralization/decen-tralization/federation game persisted until the Web arrived in the early 1990s, when control was influenced by technology “consumers” who no longer viewed themselves only as end users.

During the mid-to-late 1990s, governance changed due largely to the “ irrational exuberance” of the dot-com era and temporary determination that technology was more strategic than tactical. Following the dot-com crash of 2000, governance returned to operational cost control, staying that way until 2003 when technology budgets began to increase again. In the mid-2000s, governance changed again when it was shared by enterprise CIOs and business-unit CIOs (assuming the structure recognized business-unit CIOs) or just “business-unit technology directors,” as they are sometimes called. Companies continued on this path until the financial world melted down again in 2008, and governance changed again, when it was centralized in the hands of a few—or even just one—senior executive(s), the CFO, the COO, or, infrequently after 2008, the CEO.

As more and more business proc-
esses and models were converted or
sponsibilities among different stake-
holders in the enterprise, and defines
the procedures and mechanisms for
making and monitoring strategic IT
decisions.” Technology governance,
as in all aspects of corporate gov-
ernance, concerns decision rights
often organized in responsible/ac-
countable/consultative/informed, or
RACI, playbooks that describe who is
allowed to acquire, deploy, and sup-
port business technology. 12, 20

In centralized IT organizations, decision rights involved in the acquisition, deployment, and support of technology belong to a central group reporting to a corporate executive, increasingly the CFO. In decentralized organizations, decision rights are shared across the enterprise and business units; in federated organizations, rights are coordinated across the corporate IT group, the business units, and even specific corporate functions. 1, 5–8, 11, 18, 21, 23, 25 The evolution of research about technology governance is instructive here. Years ago, researchers, including Brown and Magill, 7 Rockart et al., 18 and Weill and Broadbent, 25 discussed technology governance in the context of organizational realities and the reality of choice, where hardware, software, and communications options were limited. But as organizations changed, especially with the federation of business units, and technology options increased, research on governance offered alternative insights into how companies redefined governance, as well as the role of technology in all business processes and models. 11, 20, 21, 23

Research on technology alignment and governance is extensive. 3, 6, 13, 24, 28 We also know a lot about structures and processes. 26 We know differences across governance structures are often explained through the formalization of arrangements. Historically, technology governance has been more explicit and formalized around operational technology (such as laptops, desktops, networks, storage, and security) than strategic technology (such as business applications and special-purpose hardware) or especially around emerging technology (such as social media, location-based services, wearables, and the