Controlling Shadow IT: Case Study from a Turkish Bank

Abstract

it is common to encounter formations of IT processes tliat locate in and are operated by business units, outside of IT units' control, so called shadow I T . Although it has several advantages, it also brings us a grey area that needs to be controlled properly. Otherwise, it can lead to high risks, flnancial and reputational losses. In this paper, we present the development of an IT governance and management system including an accompanying control approach for shadow IT in Kuveyt Turk Participation Bank based on the two main projects experienced by the bank. After defining shadow IT for the bank, we deliver the problem with a risk aspect, then, elaborate on selected control approach with its reasoning, convey establishment of related governance model and processes and finally discuss on the topic with general terms, to further give insights to organizations in the similar context. Controlling shadow IT has largely been under-emphasized so far in the literature, especially for the finance sector. Hopefully, this study sheds light on both practitioners and researchers by filling this gap, a bit. © 2022 Elsevier B.V., All rights reserved.