Conformance, Performance, and Rapport: A Framework for Corporate and IT Governance
Technology
NACD – Directors Monthly, February 2005
Director Summary: Using the governance of information technology as an example, the authors illustrate that boards should strive for regulatory conformance, financial performance, and rapport with stakeholders to provide a good governance framework.
By David Pultorak and Jim Kerrigan
Governance should extend out from the board in three directions: conformance, performance, and rapport (CPR). These three dimensions are a necessary part of good governance because governance, properly construed, cannot be just about mitigating risks and avoiding the pain of non-compliance with regulatory authorities (conformance). No business would survive that had as its sole governance focus the avoidance of risk and pain. What all businesses must do is go towards gain (performance) in financial and other relevant dimensions, while conducting themselves in such a way that good relations (rapport) are maintained with relevant stakeholders.
The three-part CPR framework of governance applies to all parts of the corporation, because corporate departments (finance, manufacturing, marketing, sales, engineering, Information Services, etc.) must conform to relevant regulatory authorities, perform financially and in other ways, and do so in a way that maintains rapport with relevant stakeholders.
The CPR framework for governance highlights the importance of employing robust governance mechanisms. This article addresses a few such mechanisms, the balanced scorecard (BSC), CobiT (Control Objectives for Information and Related Technology), and ITIL (Information Technology Infrastructure Library), to illustrate how one might employ them to contribute to the implementation of the three dimensions of governance. The case of the information technology (IT) function and IT governance is used to further illustrate how the CPR framework can be employed. In so doing, we hope to extend Schumann and Chinoy’s August 2004 Directors Monthly article on IT governance.
Corporate Governance
After years of stable development, corporate governance is receiving significant attention. Historically, there was a strong emphasis on finance. Corporate governance was virtually synonymous with the measuring, monitoring, and reporting of the financial condition of the enterprise.
But that has changed. About a decade ago it became clear that focusing on financial performance alone was not enough to ensure sustainable results. This fact was highlighted by Robert S. Kaplan and David P. Norton and summarized in their research. Kaplan and Norton recommended a “balanced scorecard” of governance dimensions, including, in addition to financial performance, business process, customer fulfillment, and learning and growth. The balanced scorecard dramatically extended the factors to be considered in corporate governance.
In the nine years since Kaplan and Norton first published their research, the number of authorities, pieces of legislation, and industry regulations and standards that corporations must comply with has increased dramatically. And many corporations have stumbled even as they worked towards a balanced scorecard of results, because the way they conducted themselves “turned off” rather than “turned on” relevant stakeholders.
And while business fundamentals remain the same, the landscape upon which business is played out has changed drastically since 1996, when business use of the Internet was still in its infancy. Today, enterprises are thoroughly networked entities operating in massively networked marketplaces. A corporation’s customers, competition, and colleagues are all deeply interconnected. The result of a networked marketplace is an increase in both the frequency and variability of demands on the business, including opportunities and threats.
An example may help illustrate: imagine yourself as a medieval king presiding over a backward country with no good road system to speak of interconnecting its villages. You take the bold stroke of building roads interconnecting the villages. As a result of your actions, vendors now have a realistic opportunity to sell their wares in not just one market, but several markets. And highwaymen now have a realistic opportunity of robbing people on more than just one road. The end result is that by networking the villages with a system of roads, you have increased both the frequency and variability of opportunities and threats. In security terms, the roads enlarge the attack surface just as they enlarge the market. This is precisely what has happened with our economy with the “Internet highway.” This situation creates a requirement for corporate directors to broaden the foundation of corporate governance.
The balanced scorecard provides the board and corporate management with four primary perspectives on performance:
• Financial. Statistical treatment of the economic consequences of actions already taken.
• Internal business process. Activities that must be done well to deliver value to customers and satisfy shareholder expectations.
• Learning and growth. Procedures that focus on long-term corporate growth and improvement.
• Customer. Measurement of customer satisfaction, acquisition/retention, profitability, and business volume share by market and account.
While it remains a useful tool, the BSC does not focus on the rapport and conformance dimensions of governance.
The CPR Governance Framework
A corporate entity has an obligation to meet recognized goals in an organized way with regard to a wide range of stakeholders. The CPR governance framework divides governance into three dimensions: conformance, performance, and rapport.
Conformance
Conformance is about ensuring compliance: establishing and managing the control objectives. Conformance activities consist of documenting what you plan to do, doing it, and accumulating evidence that you are doing it. The goal of conformance is compliance with relevant authorities. The instrument for measuring conformance results is the audit.
All businesses must conform to relevant:
• Regulatory authorities, such as the IRS and the FDA
• Legal requirements, such as the Sarbanes-Oxley Act
• Industry-specific rules, such as HIPAA in health care
• Market expectations of customers and professional associations, such as hotel ratings
• Professional codes of behavior and ethics
Some of these conformance areas are mandatory. Others are theoretically optional but necessary for business purposes. For example, while there is no legal requirement for a hotel to maintain a 3–5 star rating, customers will avoid hotels without such ratings. And while there is no legal requirement for members of an industry association to abide by its code of ethics, compliance with such codes makes good business sense.
Performance
Performance is about ensuring efficiency and effectiveness: doing the right things, right. Performance is about ensuring the predictable, sustainable creation of customer value and company profit. The instrument for measuring performance results is the assessment review.
All businesses must measure, monitor, and report on relevant performance indicators, including financial results, product capabilities, employee productivity, internal business process, customer fulfillment, learning and growth, and agility.
These areas extend further the balanced scorecard idea of governing beyond financial performance indicators as a means to sustainable results.
Rapport
Rapport is about ensuring that the business relates to relevant stakeholders in a consistent and responsible way. Rapport covers social values and standards, providing transparent performance statistics, demonstrating integrity, and balancing the interests of stakeholders. It is about ensuring that how you do things (the means) “turns on” and does not “turn off” relevant stakeholders. The goal of rapport is good relations with relevant stakeholders. The instrument for measuring rapport results is the survey.
These three governance dimensions (conformance, performance, and rapport) are like two-way radio channels. The board and each corporate department simultaneously monitor, transmit, and receive on all three channels. For example, the board might:
• Monitor status on environmental compliance from manufacturing.
• Transmit a request to engineering to map projected product development in a context of fiscal performance against the corporate business plan.
• Receive a description from IT of the value it brings to the corporation in terms of the services it provides to corporate departments.
To ensure alignment and efficiency, no department should have a private communications link with its own protocol, terminology, and timing. All departments must strive to describe their activities with the same business-oriented, goal-based vocabulary. In all cases, the board should reasonably expect to receive timely, descriptive, and jargon-free replies.
To illustrate the CPR governance framework, the sections that follow apply it to the issues of information technology governance.
The CPR Framework Applied to Information Technology Governance
Governance is an activity performed jointly by the board and corporate departments. The board sets direction and policy, and departments execute and contribute their best advice and judgment. The IT function cannot be an exception. Where information technology really matters to the corporation’s future, it makes sense to involve corporate directors in infrastructure concerns.
Like corporate governance, IT governance is undergoing rapid evolution after years of inattention. Recent emphasis has been on the two primary standards for IT governance: CobiT and ITIL.
CobiT
The Control Objectives for Information and Related Technology (CobiT) framework focuses on compliance and control. Its guidance is written from an IT perspective, specifically that of IT auditors. It is detailed, prescriptive, and complete, and provides a standardized approach to IT accountability.
CobiT provides a durable structure for IT auditors to approach the conformance issues of governance. It groups IT processes into four domains:
• Planning and organization. Strategy and tactics for IT to contribute to business objectives.
• Acquisition and implementation. Identifying IT solutions, whether developed or acquired, and implementing and integrating them.
• Delivery and support. Creation and delivery of the necessary support services.
• Monitoring. Periodic, regular assessment of IT processes for quality and compliance.
CobiT’s strength is conformance, but more coverage is needed for governance in the areas of performance and rapport.
ITIL
The Information Technology Infrastructure Library (ITIL) is a collection of best practices for IT service management. ITIL’s guidance is written from the perspective of the IT professional, aimed at alignment with the business, and focused on efficient and effective IT services. ITIL has been developed and widely implemented globally over the last 20 years. ITIL is appropriate for corporations because it is vendor neutral, non-proprietary, and scalable. That is, no matter how large or small your corporation, and whether national or international in scope, ITIL “fits” with whatever technology you have put in place. Over 10,000 companies are using ITIL, and over 100,000 IT professionals worldwide are certified in ITIL practices.
ITIL provides guidance and mechanisms for managing performance and rapport. While ITIL is not focused on conformance, it enables it by specifying the management domains required to carry out the business of IT, which is a necessary basis for ensuring compliance with codes produced by relevant authorities. Together, CobiT and ITIL are a powerful combination addressing each dimension of governance: conformance, performance, and rapport.
ITIL is a service management framework, and services are the heart of IT service management. Service management is organizing around services, not around technology or the customer by themselves. It is a powerful concept to guide the use of information technology. It allows IT to align and synchronize with the business mission of the corporation and satisfy internal customers rather than concentrate on technology issues.
In service management, IT has an essential role: enterprise service provider. The corporation’s expectation of IT is based on services, not technology. That is, IT delivers services to the corporation that result from the management of an underlying computer and network infrastructure. IT’s contribution is not the operation of that infrastructure; it is using that infrastructure to create and deliver services for enduring business value.
Each individual ITIL process has a specific aim. For example, ITIL calls the process dedicated to improving business and IT alignment “Service Level Management,” and the process for helping users get back to work again after a system failure “Incident Management.” The service level agreement (SLA) that Service Level Management produces drives all of the other ITIL processes. Like a menu or a set of specifications, it is the common ground between corporate departments and IT. It establishes the boundaries of conformance because it has the business and IT work together to plan what to do, do it, and accumulate evidence that it has been done. It records the mutual understanding of quality whose measurement brings performance characteristics to the fore. Lastly, it sets the cost parameters (what the business can afford and IT can spend), reflecting the balance of supply and demand that underscores rapport.
IT service management is not a cure-all for infusing IT with the three-part framework of governance, but it takes the first step by elevating the dialogue to a level where business goals and objectives are the nouns, service is the verb, and all the gory details that constitute the technical infrastructure are secondary.
Guidance for Boards on Effective Governance over Information Technology
While boards have traditionally reviewed business strategy and strategic risks, few boards have focused on IT, despite the large investments and vast risks.
This divide may exist because IT requires deeper technical insight than other disciplines. Generally, board members have expertise in areas other than IT, and it has not always been made clear to the board how IT enables the enterprise and creates risks and opportunities. IT has been traditionally treated as an extended member of the corporate family, related to, but somewhat separated from, the core business. IT is also complex, especially in globally extended enterprises operating in a networked model.
Board Role in IT Governance
To ensure IT governance initiatives are focused on the most effective areas, the board should ensure an effective action plan is developed and followed. With the goal of taking appropriate ownership of IT governance and setting management direction, a board should:
• Ensure IT is on its agenda.
• Challenge management’s activities regarding IT so IT issues are uncovered.
• Guide management in aligning IT initiatives with real business needs.
• Insist that IT performance be measured and reported to the board.
• Consider establishing an IT strategy committee with responsibility for communicating IT issues between board and management.
• Insist that management implement a framework for IT governance, such as Control Objectives for Information and Related Technology (CobiT).
Top management issues for the oversight of IT have moved from technology to management-related arenas. These issues clearly map to the IT governance areas of strategic alignment, value delivery, risk management, resource management, and performance measurement. A board’s role in these areas focuses on the following responsibilities.
Strategic alignment. Boards should ensure management has put in place an effective strategic planning process, ratify the aligned business and IT strategy, and ensure the IT organizational structure complements the business model and direction.
Value delivery. Boards should ascertain that management has put processes and practices in place that enable IT to deliver provable value to the business, and ensure IT investments represent a balance of risk and benefit, with acceptable budgets.
IT resource management. Boards should monitor how management determines the resources needed to achieve strategic goals, and ensure a proper balance of IT investments for sustaining and growing the enterprise.
Risk management. Boards should be aware of IT risk exposures and their containment, and evaluate the effectiveness of management’s monitoring of IT risks.
Performance management. Boards should assess senior management’s performance on IT strategies in operation, and work with executives to define and monitor high-level IT performance.
An effective IT governance framework will help boards understand the issues and strategic importance of IT. It will also assist in ensuring that the enterprise can sustain its operations and implement the strategies required to continue its business into the future. The framework also provides assurance to the board that expectations for IT are met and IT risks are addressed.
Because IT is an integral part of the business, boards need to ensure that IT governance is an integral part of their governance over the entire enterprise.
Michael P. Cangemi is former president and CEO of Etienne Aigner Group, Inc., and past president of the Information Systems Audit and Control Association (ISACA). He has been editor-in-chief of the Information Systems Control Journal since 1987. For more information, visit http://accounting.rutgers.edu/raw/isaca/cangemi/.
The guidance contained in CobiT is certainly a significant tool and contribution to the industry, and it focuses on conformance. ITIL champions efficiency and effectiveness, and relating responsibly with relevant stakeholders; while it enables control and compliance, it does not focus there. One should begin to see that using CobiT and ITIL together forms the basis for a more complete IT governance mechanism.
Each of the bodies of work cited above comes from the perspective of IT, and not that of the corporate board. The CPR framework is proposed as the basis for a governance framework that:
• Describes the key dimensions of governance: conformance, performance, and rapport.
• Ensures complete coverage of key indicators of sustained business results.
• Is compatible with prescriptive, function-specific governance mechanisms like ITIL and CobiT.
Call to Action
Governance requires action. It suggests behaviors to guide relationships between and among corporations and their constituent parts. While governance can sometimes be viewed as formal rules and procedures, there are things you can do tomorrow to shape your board’s view of IT governance:
• Suggest a discussion on governance be placed on the board agenda to gain concurrence on your board’s thinking on the matter.
• Have the wider definition of governance broadcast throughout the corporation.
• Propose that the wider definition of governance filter out to key customers and suppliers.
• Ask company management to discuss vital business drivers with IT management to further business and IT alignment.
• Invite IT management to report on the effectiveness of service level agreements already in place within the corporation.
• Seek support from NACD for white papers and training on governance in the large and IT governance in particular.
In the long run, governance is strongly oriented towards sustainability: ensuring that the corporation is successful today and positioned for tomorrow. Corporate governance, including IT governance, is simultaneously the scout and sentry on the frontier of company growth.
David Pultorak is president of Fox IT, LLC, and CEO of Pultorak & Associates. Jim Kerrigan is senior manager at Fox IT. Both have served on private and nonprofit boards.