Weill has condensed the results of his research into a new book, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, co-authored with Jeanne W. Ross (Harvard Business School Press), scheduled for release on June 24. Contributing Web editor Howard Baldwin asked Professor Weill about the book's target audience (surprisingly, not CIOs) and what they can learn from the CISR survey's results.

Q: Why is IT governance so important?

A: When it works, IT governance is like organizational nirvana. It empowers people to be creative, but within a consistent vision. When it doesn't work, it's exactly the opposite—it's an organizational hell full of red tape, delays, endless meetings. I believe that IT governance will become as important as corporate governance over the next five years, because we will have to be both productive and transparent in how we make decisions about IT assets.

Q: In your book, you target not the CIO but any C-level executive. What was the thinking behind that?

A: Governance is a senior executive issue. The CIO working alone is not sufficient to pull off good governance. The CIO can be the champion, but to make it effective, we found that senior executives need to buy into it. At top-performing companies, more than 50% of the senior executives grasp their IT governance, while at poorly performing companies, less than 20% of senior executives understand the company's IT governance. Having senior executives understand governance, as well as follow it and challenge it, is the most important predictor of success.

Q: What do you mean, challenge it? How often does that happen?

A: Governance says, at a particular company, "Here's the way we handle IT." You need to follow this policy or challenge it to make it better. It actually happens quite regularly, because handling exceptions are how companies learn. There needs to be an exemption mechanism, a way to get a hearing. But it shouldn't be frivolous. Anyone asking for an exemption at State Street Corp. ends up in the CEO's office.

At UPS, what started out being an IT exception was actually a business-strategy decision that the CEO had to make. You know the square boxes with a display window that you sign when you get a package? The Europeans wanted to go to a different technology, but the CEO disagreed and thought we needed a uniform way of collecting data. If UPS had broadened its standard, then the new standard would have been integrated into the governance policy. If you don't have an exception process, sometimes the business does it anyway, and no one learns anything.

Q: I find the title of Chapter 1, "IT Governance Simultaneously Empowers and Controls," contradictory. Or is it just a question of establishing boundaries?

A: It is establishing boundaries, but also being consistent about what is desirable behavior within those boundaries. For example, we studied State Street Corp., a very successful financial-services organization with an innovative, entrepreneurial business-unit structure. In 2001, they decided to go to a model that meant sharing and reuse of technology, and how they dealt with common customers. That meant, in addition to being entrepreneurial, they also wanted to be consistent. Governance was a way to have the entrepreneurial vision implemented while still being creative. It allows individual business-unit leaders to be responsive and use technology to get the most value, while being consistent with the enterprise vision. That's why it's organizational nirvana.

Unlike corporate governance, there's a lot of variation in the way companies govern IT. Companies that lead their industries in growth have decentralized IT governance. But those who lead on profitability have centralized IT governance. There appears to be different types of governance suited for different performance goals.

Q: What else does IT governance bring?

A: Governance is a way to implement what the leadership had in mind, while not making leadership the hub of every decision. Leadership has limited bandwidth. If you make leadership the hub, you slow things done. The best synonym for hub is "bottleneck."

The good thing about governance is that it identifies who's going to make different decisions. Architectural decisions will have some strategic and technical aspects. State Street Corp. has both strategic players like CIOs and process owners who make strategic architecture decision. One of the beauties of a good governance model is that the tactical stuff is decided by experts. Everyone else doesn't have to reinvent the infrastructure every time. They can build applications and products on that infrastructure. You have to get the right people to make the right decisions.

A good governance model also institutionalizes tension. Marketing folks push toward products and services that uniquely serve their market. IT pulls for standards. The finance folks pull for allocating money a certain way in the IT portfolio. The senior executive team pushes for business principles to follow. That's a lot of tension, but the tiebreaker is the governing principle that everyone has decided on.